All In One WP Security & Firewall - Version 4.4.4

Version Description

  • Fixed bugs and improved the "logged in users" functionality.
  • Google reCAPTCHA checks for WooCommerce product reviews
  • Replaced use of the deprecated hook "wpmu_new_blog" with "wp_insert_site"
  • Fixed a potential XSS issue in the settings menu of the plugin for IE11 or older browsers.

Release Info

Developer mra13
Version 4.4.4

Code changes from version 4.4.2 to 4.4.4

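--- a/admin/wp-security-brute-force-menu.php
+++ b/admin/wp-security-brute-force-menu.php
@@ -651,7 +651,11 @@ class AIOWPSecurity_Brute_Force_Menu extends AIOWPSecurity_Admin_Menu
  </td>
  </tr>
  </table>
- </div></div>
+ </div></div>
+ <?php
+ // Only display woocommerce captcha settings if woo is active
+ if ( in_array( 'woocommerce/woocommerce.php', apply_filters( 'active_plugins', get_option( 'active_plugins' ) ) ) ) {
+ ?>
  <div class="postbox">
  <h3 class="hndle"><label for="title"><?php _e('Woocommerce Forms Captcha Settings', 'all-in-one-wp-security-and-firewall'); ?></label></h3>
  <div class="inside">
@@ -695,7 +699,11 @@ class AIOWPSecurity_Brute_Force_Menu extends AIOWPSecurity_Admin_Menu
  </td>
  </tr>
  </table>
- </div></div>
+ </div></div>
+ <?php
+ }
+ ?>
+
  <input type="submit" name="aiowpsec_save_captcha_settings" value="<?php _e('Save Settings', 'all-in-one-wp-security-and-firewall')?>" class="button-primary" />
  </form>
  <?php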
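Review bot: The WooCommerce check on new line 657 reads only the per-site `active_plugins` option, so on a multisite install where WooCommerce is network-activated (stored in the network-wide sitewide-plugins list instead) the captcha settings box is hidden even though WooCommerce is running; `in_array()` is also called without the strict flag. `if ( class_exists( 'WooCommerce' ) ) {` covers both activation modes with no extra lookup, and `is_plugin_active( 'woocommerce/woocommerce.php' )` is the admin-side alternative that already handles network activation. Note that this condition only hides the form section; the save handler for these captcha settings is outside the hunk and should not rely on the fields being absent. The enclosing render method starts and ends outside the hunk.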
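--- a/admin/wp-security-filescan-menu.php
+++ b/admin/wp-security-filescan-menu.php
@@ -79,7 +79,6 @@ class AIOWPSecurity_Filescan_Menu extends AIOWPSecurity_Admin_Menu
  if (isset($_POST['fcd_scan_info']))
  {
  //Display scan file change info and clear the global alert variable
- //TODO: display file change details
 
  //Clear the global variable
  $aio_wp_security->configs->set_value('aiowps_fcds_change_detected', FALSE);
@@ -107,10 +106,15 @@ class AIOWPSecurity_Filescan_Menu extends AIOWPSecurity_Admin_Menu
  }
 
  $result = $aio_wp_security->scan_obj->execute_file_change_detection_scan();
+ if ($result === false) {
+ // error case
+ $this->show_msg_error(__('There was an error during the file change detection scan. Please check the aiowps logs.','all-in-one-wp-security-and-firewall'));
+ }
+
  //If this is first scan display special message
  if ($result['initial_scan'] == 1)
  {
- $this->show_msg_updated(__('The plugin has detected that this is your first file change detection scan. The file details from this scan will be used to detect file changes for future scans!','all-in-one-wp-security-and-firewall'));
+ $this->show_msg_updated(__('The plugin has detected that this is your first file change detection scan. The file details from this scan will be used to detect file changes for future scans.','all-in-one-wp-security-and-firewall'));
  }else if(!$aio_wp_security->configs->get_value('aiowps_fcds_change_detected')){
  $this->show_msg_updated(__('Scan Complete - There were no file changes detected!', 'all-in-one-wp-security-and-firewall'));
  }
@@ -398,10 +402,11 @@ class AIOWPSecurity_Filescan_Menu extends AIOWPSecurity_Admin_Menu
  */
  function display_last_scan_results()
  {
- $scan_results_unserialized = AIOWPSecurity_Scan::get_file_change_data();
- if (!$scan_results_unserialized)
+ $fcd_data = AIOWPSecurity_Scan::get_fcd_data();
+ if (!$fcd_data || !isset($fcd_data['last_scan_result']))
  {
- return FALSE;
+ // no fcd data found
+ return false;
  }
  ?>
  <div class="postbox">
@@ -411,7 +416,8 @@ class AIOWPSecurity_Filescan_Menu extends AIOWPSecurity_Admin_Menu
  $files_added_output = "";
  $files_removed_output = "";
  $files_changed_output = "";
- if (!empty($scan_results_unserialized['files_added']))
+ $last_scan_results = $fcd_data['last_scan_result'];
+ if (!empty($last_scan_results['files_added']))
  {
  //Output table of files added
  echo '<div class="aio_info_with_icon aio_spacer_10_tb">'.__('The following files were added to your host.', 'all-in-one-wp-security-and-firewall').'</div>';
@@ -421,7 +427,7 @@ class AIOWPSecurity_Filescan_Menu extends AIOWPSecurity_Admin_Menu
  $files_added_output .= '<th>'.__('File Size','all-in-one-wp-security-and-firewall').'</th>';
  $files_added_output .= '<th>'.__('File Modified','all-in-one-wp-security-and-firewall').'</th>';
  $files_added_output .= '</tr>';
- foreach ($scan_results_unserialized['files_added'] as $key=>$value) {
+ foreach ($last_scan_results['files_added'] as $key=>$value) {
  $files_added_output .= '<tr>';
  $files_added_output .= '<td>'.$key.'</td>';
  $files_added_output .= '<td>'.$value['filesize'].'</td>';
@@ -432,7 +438,7 @@ class AIOWPSecurity_Filescan_Menu extends AIOWPSecurity_Admin_Menu
  echo $files_added_output;
  }
  echo '<div class="aio_spacer_15"></div>';
- if (!empty($scan_results_unserialized['files_removed']))
+ if (!empty($last_scan_results['files_removed']))
  {
  //Output table of files removed
  echo '<div class="aio_info_with_icon aio_spacer_10_tb">'.__('The following files were removed from your host.', 'all-in-one-wp-security-and-firewall').'</div>';
@@ -442,7 +448,7 @@ class AIOWPSecurity_Filescan_Menu extends AIOWPSecurity_Admin_Menu
  $files_removed_output .= '<th>'.__('File Size','all-in-one-wp-security-and-firewall').'</th>';
  $files_removed_output .= '<th>'.__('File Modified','all-in-one-wp-security-and-firewall').'</th>';
  $files_removed_output .= '</tr>';
- foreach ($scan_results_unserialized['files_removed'] as $key=>$value) {
+ foreach ($last_scan_results['files_removed'] as $key=>$value) {
  $files_removed_output .= '<tr>';
  $files_removed_output .= '<td>'.$key.'</td>';
  $files_removed_output .= '<td>'.$value['filesize'].'</td>';
@@ -456,7 +462,7 @@ class AIOWPSecurity_Filescan_Menu extends AIOWPSecurity_Admin_Menu
 
  echo '<div class="aio_spacer_15"></div>';
 
- if (!empty($scan_results_unserialized['files_changed']))
+ if (!empty($last_scan_results['files_changed']))
  {
  //Output table of files changed
  echo '<div class="aio_info_with_icon aio_spacer_10_tb">'.__('The following files were changed on your host.', 'all-in-one-wp-security-and-firewall').'</div>';
@@ -466,7 +472,7 @@ class AIOWPSecurity_Filescan_Menu extends AIOWPSecurity_Admin_Menu
  $files_changed_output .= '<th>'.__('File Size','all-in-one-wp-security-and-firewall').'</th>';
  $files_changed_output .= '<th>'.__('File Modified','all-in-one-wp-security-and-firewall').'</th>';
  $files_changed_output .= '</tr>';
- foreach ($scan_results_unserialized['files_changed'] as $key=>$value) {
+ foreach ($last_scan_results['files_changed'] as $key=>$value) {
  $files_changed_output .= '<tr>';
  $files_changed_output .= '<td>'.$key.'</td>';
  $files_changed_output .= '<td>'.$value['filesize'].'</td>';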
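Review bot: When execute_file_change_detection_scan() returns false, the new error branch on lines 109-112 reports the error but does not stop: `$result['initial_scan']` is then read from `false` (an "array offset on bool" notice on PHP 7.4+), and the `else if` branch can print "Scan Complete - There were no file changes detected!" directly after the error message. Changing line 112 to `} else {` and closing that block after the existing message chain, or returning right after show_msg_error() if nothing else in the handler needs to run, keeps the two outcomes exclusive; the enclosing handler starts and ends outside the hunk. In display_last_scan_results() the rewritten foreach loops (new lines 430, 451 and 475) still concatenate `$key`, a file path taken from the stored scan data, into the table HTML without escaping; wrapping it as `'<td>'.esc_html($key).'</td>'` stops an unusual file name on disk from being rendered as markup on the admin page.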
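--- a/admin/wp-security-firewall-menu.php
+++ b/admin/wp-security-firewall-menu.php
@@ -91,17 +91,22 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
  $aio_wp_security->debug_logger->log_debug("Nonce check failed on enable basic firewall settings!",4);
  die("Nonce check failed on enable basic firewall settings!");
  }
-
- //Save settings
- if(isset($_POST['aiowps_enable_basic_firewall']))
- {
- $aio_wp_security->configs->set_value('aiowps_enable_basic_firewall','1');
- }
- else
- {
- $aio_wp_security->configs->set_value('aiowps_enable_basic_firewall','');
+
+ // Max file upload size in basic rules
+ $upload_size = absint($_POST['aiowps_max_file_upload_size']);
+
+ $max_allowed = apply_filters( 'aiowps_max_allowed_upload_config', 250 ); // Set a filterable limit of 250MB
+ $max_allowed = absint($max_allowed);
+
+ if($upload_size > $max_allowed) {
+ $upload_size = $max_allowed;
+ } else if(empty ($upload_size)) {
+ $upload_size = 10;
  }
-
+
+ //Save settings
+ $aio_wp_security->configs->set_value('aiowps_enable_basic_firewall',isset($_POST["aiowps_enable_basic_firewall"])?'1':'');
+ $aio_wp_security->configs->set_value('aiowps_max_file_upload_size',$upload_size);
  $aio_wp_security->configs->set_value('aiowps_enable_pingback_firewall',isset($_POST["aiowps_enable_pingback_firewall"])?'1':''); //this disables all xmlrpc functionality
  $aio_wp_security->configs->set_value('aiowps_disable_xmlrpc_pingback_methods',isset($_POST["aiowps_disable_xmlrpc_pingback_methods"])?'1':''); //this disables only pingback methods of xmlrpc but leaves other methods so that Jetpack and other apps will still work
  $aio_wp_security->configs->set_value('aiowps_block_debug_log_file_access',isset($_POST["aiowps_block_debug_log_file_access"])?'1':'');
@@ -183,7 +188,14 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
  ?>
  </div>
  </td>
- </tr>
+ </tr>
+ <tr valign="top">
+ <th scope="row"><?php _e('Max File Upload Size (MB)', 'all-in-one-wp-security-and-firewall')?>:</th>
+ <td><input type="number" min="0" step="1" name="aiowps_max_file_upload_size" value="<?php echo esc_html($aio_wp_security->configs->get_value('aiowps_max_file_upload_size')); ?>" />
+ <span class="description"><?php _e('The value for the maximum file upload size used in the .htaccess file. (Defaults to 10MB if left blank)', 'all-in-one-wp-security-and-firewall'); ?></span>
+ </td>
+ </tr>
+
  </table>
  </div></div>
 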
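Review bot: `$_POST['aiowps_max_file_upload_size']` is read on new line 96 without an `isset()` guard, so a submission from a form that lacks the field raises an undefined-index notice before absint() runs; `$upload_size = isset($_POST['aiowps_max_file_upload_size']) ? absint($_POST['aiowps_max_file_upload_size']) : 0;` keeps the same fallback to 10. The `empty()` check also maps an explicit 0 to 10 even though the input on line 194 allows min="0"; if 0 is not a valid size, the description text should say so rather than silently substituting. A value above the filtered ceiling is clamped without feedback, so the admin sees a different number than the one they submitted; a show_msg_updated() notice at the clamp would make that visible. In the second hunk the stored value is echoed into a value attribute with esc_html(); esc_attr() is the context-correct escaper there, even though absint() means the stored value is always an integer. The enclosing save handler starts and ends outside the hunk.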
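--- a/admin/wp-security-list-acct-activity.php
+++ b/admin/wp-security-list-acct-activity.php
@@ -152,7 +152,7 @@ class AIOWPSecurity_List_Account_Activity extends AIOWPSecurity_List_Table {
  /**
  * First, lets decide how many records per page to show
  */
- $per_page = 20;
+ $per_page = 100;
  $columns = $this->get_columns();
  $hidden = array();
  $sortable = $this->get_sortable_columns();
@@ -180,7 +180,7 @@ class AIOWPSecurity_List_Account_Activity extends AIOWPSecurity_List_Table {
  if(empty($search)) {
  $data = $wpdb->get_results("SELECT * FROM $login_activity_table ORDER BY $orderby $order", ARRAY_A);
  } else {
- $data = $wpdb->get_results($wpdb->prepare("SELECT * FROM $login_activity_table WHERE `user_login` LIKE '%%%s%%' OR `login_ip` LIKE '%%%s%%' ORDER BY $orderby $order LIMIT %d", $search, $search, 50), ARRAY_A);
+ $data = $wpdb->get_results($wpdb->prepare("SELECT * FROM $login_activity_table WHERE `user_login` LIKE '%%%s%%' OR `login_ip` LIKE '%%%s%%' ORDER BY $orderby $order LIMIT %d", $search, $search, 100), ARRAY_A);
  }
 
  if (!$ignore_pagination) {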
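Review bot: The `LIMIT` literal in the search query on new line 183 is now a second copy of the `100` assigned to `$per_page` on line 155 and must be kept in step by hand; passing `$per_page` as the prepare() argument removes the duplication. The same literal `100` is repeated in prepare_items() of the six other list tables in this commit (comment-spammer-ip, locked-ip, logged-in-users, login-fails, permanent-blocked-ip and registered-users), so a single constant or filterable value on the shared AIOWPSecurity_List_Table parent would keep them consistent. On the same changed line, `$orderby` and `$order` are interpolated into the SQL string, which `$wpdb->prepare()` does not escape; that is only safe if both are validated against the sortable-columns whitelist earlier in prepare_items(), which is outside the hunk. The enclosing method starts and ends outside the hunk.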
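--- a/admin/wp-security-list-comment-spammer-ip.php
+++ b/admin/wp-security-list-comment-spammer-ip.php
@@ -218,7 +218,7 @@ class AIOWPSecurity_List_Comment_Spammer_IP extends AIOWPSecurity_List_Table {
  function prepare_items()
  {
  //First, lets decide how many records per page to show
- $per_page = 20;
+ $per_page = 100;
  $columns = $this->get_columns();
  $hidden = array();
  $sortable = $this->get_sortable_columns();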
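--- a/admin/wp-security-list-locked-ip.php
+++ b/admin/wp-security-list-locked-ip.php
@@ -196,7 +196,7 @@ class AIOWPSecurity_List_Locked_IP extends AIOWPSecurity_List_Table {
  /**
  * First, lets decide how many records per page to show
  */
- $per_page = 20;
+ $per_page = 100;
  $columns = $this->get_columns();
  $hidden = array();
  $sortable = $this->get_sortable_columns();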
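--- a/admin/wp-security-list-logged-in-users.php
+++ b/admin/wp-security-list-logged-in-users.php
@@ -86,26 +86,23 @@ class AIOWPSecurity_List_Logged_In_Users extends AIOWPSecurity_List_Table {
  $aio_wp_security->debug_logger->log_debug("Nonce check failed for force user logout operation!",4);
  die(__('Nonce check failed for force user logout operation!','all-in-one-wp-security-and-firewall'));
  }
- //Force single user logout
+ // Force single user logout
  $user_id = absint($user_id);
  $manager = WP_Session_Tokens::get_instance( $user_id );
  $manager->destroy_all();
- //
- $aio_wp_security->user_login_obj->update_user_online_transient($user_id, $ip_addr);
- // if($result != NULL)
- // {
- $success_msg = '<div id="message" class="updated fade"><p><strong>';
- $success_msg .= __('The selected user was logged out successfully!','all-in-one-wp-security-and-firewall');
- $success_msg .= '</strong></p></div>';
- _e($success_msg);
- // }
+
+ $aio_wp_security->user_login_obj->cleanup_users_online_transient($user_id, $ip_addr);
+ $success_msg = '<div id="message" class="updated fade"><p><strong>';
+ $success_msg .= __('The selected user was logged out successfully!','all-in-one-wp-security-and-firewall');
+ $success_msg .= '</strong></p></div>';
+ _e($success_msg);
  }
  }
 
 
  function prepare_items() {
  //First, lets decide how many records per page to show
- $per_page = 20;
+ $per_page = 100;
  $columns = $this->get_columns();
  $hidden = array();
  $sortable = $this->get_sortable_columns();
@@ -117,19 +114,10 @@ class AIOWPSecurity_List_Logged_In_Users extends AIOWPSecurity_List_Table {
 
  if (AIOWPSecurity_Utility::is_multisite_install()) {
  $current_blog_id = get_current_blog_id();
- $is_main = is_main_site($current_blog_id);
- if(empty($is_main)) {
- // subsite - only get logged in users for this blog_id
- $logged_in_users = AIOWPSecurity_User_Login::get_subsite_logged_in_users($current_blog_id);
- } else {
- // main site - get sitewide users
- $logged_in_users = get_site_transient('users_online');
- }
-
+ $logged_in_users = AIOWPSecurity_User_Login::get_subsite_logged_in_users($current_blog_id);
  } else {
  $logged_in_users = get_transient('users_online');
  }
-
  if(empty($logged_in_users)){
  $logged_in_users = array(); //If no transient found set to empty array
  }else{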
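Review bot: `_e($success_msg)` on new line 98 hands an already-assembled HTML string to the translation function with no text domain; the translatable text was already translated by `__()` on line 96, so `echo $success_msg;` is the right call and keeps the composed markup out of the gettext catalogue. In the second hunk, a multisite install now always reads `get_subsite_logged_in_users($current_blog_id)`, so the main site no longer shows the network-wide `users_online` transient that the removed branch used; if that is the intended fix, a one-line comment on line 117 such as `// main site and subsites both use the per-blog list` would keep the next reader from reinstating it. `$ip_addr`, passed to cleanup_users_online_transient() on line 94, is defined outside the hunk, so its origin cannot be checked here. The enclosing force-logout handler starts outside the hunk.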
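--- a/admin/wp-security-list-login-fails.php
+++ b/admin/wp-security-list-login-fails.php
@@ -151,7 +151,7 @@ class AIOWPSecurity_List_Login_Failed_Attempts extends AIOWPSecurity_List_Table
  /**
  * First, lets decide how many records per page to show
  */
- $per_page = 20;
+ $per_page = 100;
  $columns = $this->get_columns();
  $hidden = array();
  $sortable = $this->get_sortable_columns();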
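--- a/admin/wp-security-list-permanent-blocked-ip.php
+++ b/admin/wp-security-list-permanent-blocked-ip.php
@@ -149,7 +149,7 @@ class AIOWPSecurity_List_Blocked_IP extends AIOWPSecurity_List_Table
  /**
  * First, lets decide how many records per page to show
  */
- $per_page = 20;
+ $per_page = 100;
  $columns = $this->get_columns();
  $hidden = array();
  $sortable = $this->get_sortable_columns();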
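--- a/admin/wp-security-list-registered-users.php
+++ b/admin/wp-security-list-registered-users.php
@@ -300,7 +300,7 @@ class AIOWPSecurity_List_Registered_Users extends AIOWPSecurity_List_Table {
 
  function prepare_items() {
  //First, lets decide how many records per page to show
- $per_page = 20;
+ $per_page = 100;
  $columns = $this->get_columns();
  $hidden = array();
  $sortable = $this->get_sortable_columns();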
admin/wp-security-settings-menu.php CHANGED
@@ -6,12 +6,12 @@ if(!defined('ABSPATH')){
6
  class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
7
  {
8
  var $menu_page_slug = AIOWPSEC_SETTINGS_MENU_SLUG;
9
-
10
  /* Specify all the tabs of this menu in the following array */
11
  var $menu_tabs;
12
 
13
  var $menu_tabs_handler = array(
14
- 'tab1' => 'render_tab1',
15
  'tab2' => 'render_tab2',
16
  'tab3' => 'render_tab3',
17
  'tab4' => 'render_tab4',
@@ -19,12 +19,12 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
19
  'tab6' => 'render_tab6',
20
  );
21
 
22
- function __construct()
23
  {
24
  $this->render_menu_page();
25
  }
26
 
27
- function set_menu_tabs()
28
  {
29
  $this->menu_tabs = array(
30
  'tab1' => __('General Settings', 'all-in-one-wp-security-and-firewall'),
@@ -36,7 +36,7 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
36
  );
37
  }
38
 
39
- function get_current_tab()
40
  {
41
  $tab_keys = array_keys($this->menu_tabs);
42
  $tab = isset( $_GET['tab'] ) ? sanitize_text_field($_GET['tab']) : $tab_keys[0];
@@ -46,32 +46,32 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
46
  /*
47
  * Renders our tabs of this menu as nav items
48
  */
49
- function render_menu_tabs()
50
  {
51
  $current_tab = $this->get_current_tab();
52
 
53
  echo '<h2 class="nav-tab-wrapper">';
54
- foreach ( $this->menu_tabs as $tab_key => $tab_caption )
55
  {
56
  $active = $current_tab == $tab_key ? 'nav-tab-active' : '';
57
- echo '<a class="nav-tab ' . $active . '" href="?page=' . $this->menu_page_slug . '&tab=' . $tab_key . '">' . $tab_caption . '</a>';
58
  }
59
  echo '</h2>';
60
  }
61
-
62
  /*
63
  * The menu rendering goes here
64
  */
65
- function render_menu_page()
66
  {
67
  echo '<div class="wrap">';
68
  echo '<h2>'.__('Settings','all-in-one-wp-security-and-firewall').'</h2>';//Interface title
69
  $this->set_menu_tabs();
70
  $tab = $this->get_current_tab();
71
  $this->render_menu_tabs();
72
- ?>
73
  <div id="poststuff"><div id="post-body">
74
- <?php
75
  //$tab_keys = array_keys($this->menu_tabs);
76
  call_user_func(array(&$this, $this->menu_tabs_handler[$tab]));
77
  ?>
@@ -79,7 +79,7 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
79
  </div><!-- end of wrap -->
80
  <?php
81
  }
82
-
83
  function render_tab1()
84
  {
85
  global $aio_wp_security;
@@ -94,7 +94,7 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
94
  AIOWPSecurity_Configure_Settings::turn_off_all_security_features();
95
  //Now let's clear the applicable rules from the .htaccess file
96
  $res = AIOWPSecurity_Utility_Htaccess::write_to_htaccess();
97
-
98
  //Now let's revert the disable editing setting in the wp-config.php file if necessary
99
  $res2 = AIOWPSecurity_Utility::enable_file_edits();
100
 
@@ -154,7 +154,7 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
154
  <p><?php _e('For information, updates and documentation, please visit the', 'all-in-one-wp-security-and-firewall'); ?> <a href="https://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin" target="_blank">AIO WP Security & Firewall Plugin</a> <?php _e('Page', 'all-in-one-wp-security-and-firewall'); ?>.</p>
155
  <p><a href="https://www.tipsandtricks-hq.com/development-center" target="_blank">Follow us</a> on Twitter, Google+ or via Email to stay upto date about the new security features of this plugin.</p>
156
  </div>
157
-
158
  <div class="postbox">
159
  <h3 class="hndle"><label for="title"><?php _e('WP Security Plugin', 'all-in-one-wp-security-and-firewall'); ?></label></h3>
160
  <div class="inside">
@@ -170,45 +170,45 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
170
  </p>
171
  </div>
172
  </div> <!-- end postbox-->
173
-
174
  <div class="postbox">
175
  <h3 class="hndle"><label for="title"><?php _e('Disable Security Features', 'all-in-one-wp-security-and-firewall'); ?></label></h3>
176
  <div class="inside">
177
- <form method="post" action="<?php echo $_SERVER["REQUEST_URI"]; ?>">
178
  <?php wp_nonce_field('aiowpsec-disable-all-features'); ?>
179
  <div class="aio_blue_box">
180
  <?php
181
  echo '<p>'.__('If you think that some plugin functionality on your site is broken due to a security feature you enabled in this plugin, then use the following option to turn off all the security features of this plugin.', 'all-in-one-wp-security-and-firewall').'</p>';
182
  ?>
183
- </div>
184
  <div class="submit">
185
  <input type="submit" class="button" name="aiowpsec_disable_all_features" value="<?php _e('Disable All Security Features', 'all-in-one-wp-security-and-firewall'); ?>" />
186
  </div>
187
- </form>
188
  </div>
189
  </div> <!-- end postbox-->
190
 
191
  <div class="postbox">
192
  <h3 class="hndle"><label for="title"><?php _e('Disable All Firewall Rules', 'all-in-one-wp-security-and-firewall'); ?></label></h3>
193
  <div class="inside">
194
- <form method="post" action="<?php echo $_SERVER["REQUEST_URI"]; ?>">
195
  <?php wp_nonce_field('aiowpsec-disable-all-firewall-rules'); ?>
196
  <div class="aio_blue_box">
197
  <?php
198
  echo '<p>'.__('This feature will disable all firewall rules which are currently active in this plugin and it will also delete these rules from your .htacess file. Use it if you think one of the firewall rules is causing an issue on your site.', 'all-in-one-wp-security-and-firewall').'</p>';
199
  ?>
200
- </div>
201
  <div class="submit">
202
  <input type="submit" class="button" name="aiowpsec_disable_all_firewall_rules" value="<?php _e('Disable All Firewall Rules'); ?>" />
203
  </div>
204
- </form>
205
  </div>
206
  </div> <!-- end postbox-->
207
 
208
  <div class="postbox">
209
  <h3 class="hndle"><label for="title"><?php _e('Debug Settings', 'all-in-one-wp-security-and-firewall'); ?></label></h3>
210
  <div class="inside">
211
- <form method="post" action="<?php echo $_SERVER["REQUEST_URI"]; ?>">
212
  <?php wp_nonce_field('aiowpsec-save-debug-settings'); ?>
213
  <div class="aio_blue_box">
214
  <?php
@@ -233,7 +233,7 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
233
  </div> <!-- end postbox-->
234
  <?php
235
  }
236
-
237
  function render_tab2()
238
  {
239
  global $aio_wp_security;
@@ -250,9 +250,9 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
250
  $aio_wp_security->debug_logger->log_debug("Nonce check failed on htaccess file save!",4);
251
  die("Nonce check failed on htaccess file save!");
252
  }
253
-
254
  $result = AIOWPSecurity_Utility_File::backup_and_rename_htaccess($htaccess_path); //Backup the htaccess file
255
-
256
  if ($result)
257
  {
258
  $random_prefix = AIOWPSecurity_Utility::generate_alpha_numeric_random_string(10);
@@ -268,14 +268,14 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
268
  $aio_wp_security->debug_logger->log_debug("htaccess file rename failed during backup!",4);
269
  $this->show_msg_error(__('htaccess file rename failed during backup. Please check your root directory for the backup file using FTP.','all-in-one-wp-security-and-firewall'));
270
  }
271
- }
272
  else
273
  {
274
  $aio_wp_security->debug_logger->log_debug("htaccess - Backup operation failed!",4);
275
  $this->show_msg_error(__('htaccess backup failed.','all-in-one-wp-security-and-firewall'));
276
  }
277
  }
278
-
279
  if(isset($_POST['aiowps_restore_htaccess_button']))//Do form submission tasks
280
  {
281
  $nonce=$_REQUEST['_wpnonce'];
@@ -284,7 +284,7 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
284
  $aio_wp_security->debug_logger->log_debug("Nonce check failed on htaccess file restore!",4);
285
  die("Nonce check failed on htaccess file restore!");
286
  }
287
-
288
  if (empty($_POST['aiowps_htaccess_file']))
289
  {
290
  $this->show_msg_error(__('Please choose a .htaccess to restore from.', 'all-in-one-wp-security-and-firewall'));
@@ -298,7 +298,7 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
298
  $is_htaccess = AIOWPSecurity_Utility_Htaccess::check_if_htaccess_contents($new_htaccess_file_path);
299
  if ($is_htaccess == 1)
300
  {
301
- if (!copy($new_htaccess_file_path, $htaccess_path))
302
  {
303
  //Failed to make a backup copy
304
  $aio_wp_security->debug_logger->log_debug("htaccess - Restore from .htaccess operation failed!",4);
@@ -316,7 +316,7 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
316
  }
317
  }
318
  }
319
-
320
  ?>
321
  <h2><?php _e('.htaccess File Operations', 'all-in-one-wp-security-and-firewall')?></h2>
322
  <div class="aio_blue_box">
@@ -328,7 +328,7 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
328
  ?>
329
  </div>
330
  <?php
331
- $blog_id = get_current_blog_id();
332
  if (AIOWPSecurity_Utility::is_multisite_install() && !is_main_site( $blog_id ))
333
  {
334
  //Hide config settings if MS and not main site
@@ -363,7 +363,7 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
363
  ?>
364
  </p>
365
  </td>
366
- </tr>
367
  </table>
368
  <input type="submit" name="aiowps_restore_htaccess_button" value="<?php _e('Restore .htaccess File', 'all-in-one-wp-security-and-firewall')?>" class="button-primary" />
369
  </form>
@@ -375,7 +375,7 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
375
  function render_tab3()
376
  {
377
  global $aio_wp_security;
378
-
379
  if(isset($_POST['aiowps_restore_wp_config_button']))//Do form submission tasks
380
  {
381
  $nonce=$_REQUEST['_wpnonce'];
@@ -384,7 +384,7 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
384
  $aio_wp_security->debug_logger->log_debug("Nonce check failed on wp-config file restore!",4);
385
  die("Nonce check failed on wp-config file restore!");
386
  }
387
-
388
  if (empty($_POST['aiowps_wp_config_file']))
389
  {
390
  $this->show_msg_error(__('Please choose a wp-config.php file to restore from.', 'all-in-one-wp-security-and-firewall'));
@@ -393,13 +393,13 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
393
  {
394
  //Let's copy the uploaded wp-config.php file into the active root file
395
  $new_wp_config_file_path = trim($_POST['aiowps_wp_config_file']);
396
-
397
  //Verify that file chosen is a wp-config.file
398
  $is_wp_config = $this->check_if_wp_config_contents($new_wp_config_file_path);
399
  if ($is_wp_config == 1)
400
  {
401
  $active_root_wp_config = AIOWPSecurity_Utility_File::get_wp_config_file_path();
402
- if (!copy($new_wp_config_file_path, $active_root_wp_config))
403
  {
404
  //Failed to make a backup copy
405
  $aio_wp_security->debug_logger->log_debug("wp-config.php - Restore from backed up wp-config operation failed!",4);
@@ -417,7 +417,7 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
417
  }
418
  }
419
  }
420
-
421
  ?>
422
  <h2><?php _e('wp-config.php File Operations', 'all-in-one-wp-security-and-firewall')?></h2>
423
  <div class="aio_blue_box">
@@ -428,8 +428,8 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
428
  </p>';
429
  ?>
430
  </div>
431
- <?php
432
- $blog_id = get_current_blog_id();
433
  if (AIOWPSecurity_Utility::is_multisite_install() && !is_main_site( $blog_id ))
434
  {
435
  //Hide config settings if MS and not main site
@@ -458,14 +458,14 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
458
  <th scope="row"><?php _e('wp-config file to restore from', 'all-in-one-wp-security-and-firewall')?>:</th>
459
  <td>
460
  <input type="button" id="aiowps_wp_config_file_button" name="aiowps_wp_config_file_button" class="button rbutton" value="<?php _e('Select Your wp-config File', 'all-in-one-wp-security-and-firewall'); ?>" />
461
- <input name="aiowps_wp_config_file" type="text" id="aiowps_wp_config_file" value="" size="80" />
462
  <p class="description">
463
  <?php
464
  _e('After selecting your file click the button below to restore your site using the backed up wp-config file (wp-config.php.backup.txt).', 'all-in-one-wp-security-and-firewall');
465
  ?>
466
  </p>
467
  </td>
468
- </tr>
469
  </table>
470
  <input type="submit" name="aiowps_restore_wp_config_button" value="<?php _e('Restore wp-config File', 'all-in-one-wp-security-and-firewall')?>" class="button-primary" />
471
  </form>
@@ -483,12 +483,12 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
483
  <?php
484
  } //End if statement
485
  }
486
-
487
  function render_tab4()
488
  {
489
  global $aio_wp_security;
490
  global $aiowps_feature_mgr;
491
-
492
  if(isset($_POST['aiowps_save_remove_wp_meta_info']))//Do form submission tasks
493
  {
494
  $nonce=$_REQUEST['_wpnonce'];
@@ -499,10 +499,10 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
499
  }
500
  $aio_wp_security->configs->set_value('aiowps_remove_wp_generator_meta_info',isset($_POST["aiowps_remove_wp_generator_meta_info"])?'1':'');
501
  $aio_wp_security->configs->save_config();
502
-
503
  //Recalculate points after the feature status/options have been altered
504
  $aiowps_feature_mgr->check_feature_status_and_recalculate_points();
505
-
506
  $this->show_msg_settings_updated();
507
  }
508
  ?>
@@ -529,7 +529,7 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
529
  ?>
530
 
531
  <form action="" method="POST">
532
- <?php wp_nonce_field('aiowpsec-remove-wp-meta-info-nonce'); ?>
533
  <table class="form-table">
534
  <tr valign="top">
535
  <th scope="row"><?php _e('Remove WP Generator Meta Info', 'all-in-one-wp-security-and-firewall')?>:</th>
@@ -537,7 +537,7 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
537
  <input name="aiowps_remove_wp_generator_meta_info" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_remove_wp_generator_meta_info')=='1') echo ' checked="checked"'; ?> value="1"/>
538
  <span class="description"><?php _e('Check this if you want to remove the version and meta info produced by WP from all pages', 'all-in-one-wp-security-and-firewall'); ?></span>
539
  </td>
540
- </tr>
541
  </table>
542
  <input type="submit" name="aiowps_save_remove_wp_meta_info" value="<?php _e('Save Settings', 'all-in-one-wp-security-and-firewall')?>" class="button-primary" />
543
  </form>
@@ -545,15 +545,15 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
545
  <?php
546
  }
547
 
548
-
549
  function render_tab5()
550
  {
551
  global $aio_wp_security;
552
-
553
  global $wpdb;
554
 
555
  $events_table_name = AIOWPSEC_TBL_EVENTS;
556
- AIOWPSecurity_Utility::cleanup_table($events_table_name, 500);
557
  if(isset($_POST['aiowps_import_settings']))//Do form submission tasks
558
  {
559
  $nonce=$_REQUEST['_wpnonce'];
@@ -592,7 +592,7 @@ function render_tab5()
592
  //Apply the settings and delete the file (if applicable)
593
  $settings_array = json_decode($aiowps_settings_file_contents, true);
594
  $aiowps_settings_applied = update_option('aio_wp_security_configs', $settings_array);
595
-
596
  if (!$aiowps_settings_applied)
597
  {
598
  //Failed to import settings
@@ -717,7 +717,7 @@ function render_tab5()
717
  function render_tab6()
718
  {
719
  global $aio_wp_security;
720
-
721
  $result = 1;
722
  if (isset($_POST['aiowps_save_advanced_settings']))
723
  {
@@ -727,7 +727,7 @@ function render_tab5()
727
  $aio_wp_security->debug_logger->log_debug("Nonce check failed for save advanced settings!",4);
728
  die(__('Nonce check failed for save advanced settings!','aiowpsecurity'));
729
  }
730
-
731
  $aio_wp_security->configs->set_value('aiowps_ip_retrieve_method', sanitize_text_field($_POST["aiowps_ip_retrieve_method"]));
732
  $aio_wp_security->configs->save_config(); //Save the configuration
733
 
@@ -738,7 +738,7 @@ function render_tab5()
738
  else{
739
  delete_transient('users_online');
740
  }
741
-
742
  $this->show_msg_settings_updated();
743
  }
744
  ?>
@@ -753,9 +753,9 @@ function render_tab5()
753
  '<br />'.__('You can use the settings below to configure which $_SERVER global you would like to use for retrieving the IP address.', 'all-in-one-wp-security-and-firewall').'</p>';
754
  ?>
755
  </div>
756
-
757
  <form action="" method="POST">
758
- <?php wp_nonce_field('aiowpsec-ip-settings-nonce'); ?>
759
  <table class="form-table">
760
  <tr valign="top">
761
  <td>
@@ -771,21 +771,21 @@ function render_tab5()
771
  <span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php _e('More Info', 'all-in-one-wp-security-and-firewall'); ?></span></span>
772
  <div class="aiowps_more_info_body">
773
  <p class="description">
774
- <?php
775
  _e('If your chosen server variable fails the plugin will automatically fall back to retrieving the IP address from $_SERVER["REMOTE_ADDR"]', 'all-in-one-wp-security-and-firewall');
776
  ?>
777
  </p>
778
  </div>
779
- </td>
780
- </tr>
781
  </table>
782
  <input type="submit" name="aiowps_save_advanced_settings" value="<?php _e('Save Settings', 'all-in-one-wp-security-and-firewall')?>" class="button-primary" />
783
  </form>
784
  </div></div>
785
  <?php
786
-
787
  }
788
-
789
  function check_if_wp_config_contents($wp_file)
790
  {
791
  $is_wp_config = false;
6
  class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
7
  {
8
  var $menu_page_slug = AIOWPSEC_SETTINGS_MENU_SLUG;
9
+
10
  /* Specify all the tabs of this menu in the following array */
11
  var $menu_tabs;
12
 
13
  var $menu_tabs_handler = array(
14
+ 'tab1' => 'render_tab1',
15
  'tab2' => 'render_tab2',
16
  'tab3' => 'render_tab3',
17
  'tab4' => 'render_tab4',
19
  'tab6' => 'render_tab6',
20
  );
21
 
22
+ function __construct()
23
  {
24
  $this->render_menu_page();
25
  }
26
 
27
+ function set_menu_tabs()
28
  {
29
  $this->menu_tabs = array(
30
  'tab1' => __('General Settings', 'all-in-one-wp-security-and-firewall'),
36
  );
37
  }
38
 
39
+ function get_current_tab()
40
  {
41
  $tab_keys = array_keys($this->menu_tabs);
42
  $tab = isset( $_GET['tab'] ) ? sanitize_text_field($_GET['tab']) : $tab_keys[0];
46
  /*
47
  * Renders our tabs of this menu as nav items
48
  */
49
+ function render_menu_tabs()
50
  {
51
  $current_tab = $this->get_current_tab();
52
 
53
  echo '<h2 class="nav-tab-wrapper">';
54
+ foreach ( $this->menu_tabs as $tab_key => $tab_caption )
55
  {
56
  $active = $current_tab == $tab_key ? 'nav-tab-active' : '';
57
+ echo '<a class="nav-tab ' . $active . '" href="?page=' . $this->menu_page_slug . '&tab=' . $tab_key . '">' . $tab_caption . '</a>';
58
  }
59
  echo '</h2>';
60
  }
61
+
62
  /*
63
  * The menu rendering goes here
64
  */
65
+ function render_menu_page()
66
  {
67
  echo '<div class="wrap">';
68
  echo '<h2>'.__('Settings','all-in-one-wp-security-and-firewall').'</h2>';//Interface title
69
  $this->set_menu_tabs();
70
  $tab = $this->get_current_tab();
71
  $this->render_menu_tabs();
72
+ ?>
73
  <div id="poststuff"><div id="post-body">
74
+ <?php
75
  //$tab_keys = array_keys($this->menu_tabs);
76
  call_user_func(array(&$this, $this->menu_tabs_handler[$tab]));
77
  ?>
79
  </div><!-- end of wrap -->
80
  <?php
81
  }
82
+
83
  function render_tab1()
84
  {
85
  global $aio_wp_security;
94
  AIOWPSecurity_Configure_Settings::turn_off_all_security_features();
95
  //Now let's clear the applicable rules from the .htaccess file
96
  $res = AIOWPSecurity_Utility_Htaccess::write_to_htaccess();
97
+
98
  //Now let's revert the disable editing setting in the wp-config.php file if necessary
99
  $res2 = AIOWPSecurity_Utility::enable_file_edits();
100
 
154
  <p><?php _e('For information, updates and documentation, please visit the', 'all-in-one-wp-security-and-firewall'); ?> <a href="https://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin" target="_blank">AIO WP Security & Firewall Plugin</a> <?php _e('Page', 'all-in-one-wp-security-and-firewall'); ?>.</p>
155
  <p><a href="https://www.tipsandtricks-hq.com/development-center" target="_blank">Follow us</a> on Twitter, Google+ or via Email to stay upto date about the new security features of this plugin.</p>
156
  </div>
157
+
158
  <div class="postbox">
159
  <h3 class="hndle"><label for="title"><?php _e('WP Security Plugin', 'all-in-one-wp-security-and-firewall'); ?></label></h3>
160
  <div class="inside">
170
  </p>
171
  </div>
172
  </div> <!-- end postbox-->
173
+
174
  <div class="postbox">
175
  <h3 class="hndle"><label for="title"><?php _e('Disable Security Features', 'all-in-one-wp-security-and-firewall'); ?></label></h3>
176
  <div class="inside">
177
+ <form method="post" action="">
178
  <?php wp_nonce_field('aiowpsec-disable-all-features'); ?>
179
  <div class="aio_blue_box">
180
  <?php
181
  echo '<p>'.__('If you think that some plugin functionality on your site is broken due to a security feature you enabled in this plugin, then use the following option to turn off all the security features of this plugin.', 'all-in-one-wp-security-and-firewall').'</p>';
182
  ?>
183
+ </div>
184
  <div class="submit">
185
  <input type="submit" class="button" name="aiowpsec_disable_all_features" value="<?php _e('Disable All Security Features', 'all-in-one-wp-security-and-firewall'); ?>" />
186
  </div>
187
+ </form>
188
  </div>
189
  </div> <!-- end postbox-->
190
 
191
  <div class="postbox">
192
  <h3 class="hndle"><label for="title"><?php _e('Disable All Firewall Rules', 'all-in-one-wp-security-and-firewall'); ?></label></h3>
193
  <div class="inside">
194
+ <form method="post" action="">
195
  <?php wp_nonce_field('aiowpsec-disable-all-firewall-rules'); ?>
196
  <div class="aio_blue_box">
197
  <?php
198
  echo '<p>'.__('This feature will disable all firewall rules which are currently active in this plugin and it will also delete these rules from your .htacess file. Use it if you think one of the firewall rules is causing an issue on your site.', 'all-in-one-wp-security-and-firewall').'</p>';
199
  ?>
200
+ </div>
201
  <div class="submit">
202
  <input type="submit" class="button" name="aiowpsec_disable_all_firewall_rules" value="<?php _e('Disable All Firewall Rules'); ?>" />
203
  </div>
204
+ </form>
205
  </div>
206
  </div> <!-- end postbox-->
207
 
208
  <div class="postbox">
209
  <h3 class="hndle"><label for="title"><?php _e('Debug Settings', 'all-in-one-wp-security-and-firewall'); ?></label></h3>
210
  <div class="inside">
211
+ <form method="post" action="">
212
  <?php wp_nonce_field('aiowpsec-save-debug-settings'); ?>
213
  <div class="aio_blue_box">
214
  <?php
233
  </div> <!-- end postbox-->
234
  <?php
235
  }
236
+
237
  function render_tab2()
238
  {
239
  global $aio_wp_security;
250
  $aio_wp_security->debug_logger->log_debug("Nonce check failed on htaccess file save!",4);
251
  die("Nonce check failed on htaccess file save!");
252
  }
253
+
254
  $result = AIOWPSecurity_Utility_File::backup_and_rename_htaccess($htaccess_path); //Backup the htaccess file
255
+
256
  if ($result)
257
  {
258
  $random_prefix = AIOWPSecurity_Utility::generate_alpha_numeric_random_string(10);
268
  $aio_wp_security->debug_logger->log_debug("htaccess file rename failed during backup!",4);
269
  $this->show_msg_error(__('htaccess file rename failed during backup. Please check your root directory for the backup file using FTP.','all-in-one-wp-security-and-firewall'));
270
  }
271
+ }
272
  else
273
  {
274
  $aio_wp_security->debug_logger->log_debug("htaccess - Backup operation failed!",4);
275
  $this->show_msg_error(__('htaccess backup failed.','all-in-one-wp-security-and-firewall'));
276
  }
277
  }
278
+
279
  if(isset($_POST['aiowps_restore_htaccess_button']))//Do form submission tasks
280
  {
281
  $nonce=$_REQUEST['_wpnonce'];
284
  $aio_wp_security->debug_logger->log_debug("Nonce check failed on htaccess file restore!",4);
285
  die("Nonce check failed on htaccess file restore!");
286
  }
287
+
288
  if (empty($_POST['aiowps_htaccess_file']))
289
  {
290
  $this->show_msg_error(__('Please choose a .htaccess to restore from.', 'all-in-one-wp-security-and-firewall'));
298
  $is_htaccess = AIOWPSecurity_Utility_Htaccess::check_if_htaccess_contents($new_htaccess_file_path);
299
  if ($is_htaccess == 1)
300
  {
301
+ if (!copy($new_htaccess_file_path, $htaccess_path))
302
  {
303
  //Failed to make a backup copy
304
  $aio_wp_security->debug_logger->log_debug("htaccess - Restore from .htaccess operation failed!",4);
316
  }
317
  }
318
  }
319
+
320
  ?>
321
  <h2><?php _e('.htaccess File Operations', 'all-in-one-wp-security-and-firewall')?></h2>
322
  <div class="aio_blue_box">
328
  ?>
329
  </div>
330
  <?php
331
+ $blog_id = get_current_blog_id();
332
  if (AIOWPSecurity_Utility::is_multisite_install() && !is_main_site( $blog_id ))
333
  {
334
  //Hide config settings if MS and not main site
363
  ?>
364
  </p>
365
  </td>
366
+ </tr>
367
  </table>
368
  <input type="submit" name="aiowps_restore_htaccess_button" value="<?php _e('Restore .htaccess File', 'all-in-one-wp-security-and-firewall')?>" class="button-primary" />
369
  </form>
375
  function render_tab3()
376
  {
377
  global $aio_wp_security;
378
+
379
  if(isset($_POST['aiowps_restore_wp_config_button']))//Do form submission tasks
380
  {
381
  $nonce=$_REQUEST['_wpnonce'];
384
  $aio_wp_security->debug_logger->log_debug("Nonce check failed on wp-config file restore!",4);
385
  die("Nonce check failed on wp-config file restore!");
386
  }
387
+
388
  if (empty($_POST['aiowps_wp_config_file']))
389
  {
390
  $this->show_msg_error(__('Please choose a wp-config.php file to restore from.', 'all-in-one-wp-security-and-firewall'));
393
  {
394
  //Let's copy the uploaded wp-config.php file into the active root file
395
  $new_wp_config_file_path = trim($_POST['aiowps_wp_config_file']);
396
+
397
  //Verify that file chosen is a wp-config.file
398
  $is_wp_config = $this->check_if_wp_config_contents($new_wp_config_file_path);
399
  if ($is_wp_config == 1)
400
  {
401
  $active_root_wp_config = AIOWPSecurity_Utility_File::get_wp_config_file_path();
402
+ if (!copy($new_wp_config_file_path, $active_root_wp_config))
403
  {
404
  //Failed to make a backup copy
405
  $aio_wp_security->debug_logger->log_debug("wp-config.php - Restore from backed up wp-config operation failed!",4);
417
  }
418
  }
419
  }
420
+
421
  ?>
422
  <h2><?php _e('wp-config.php File Operations', 'all-in-one-wp-security-and-firewall')?></h2>
423
  <div class="aio_blue_box">
428
  </p>';
429
  ?>
430
  </div>
431
+ <?php
432
+ $blog_id = get_current_blog_id();
433
  if (AIOWPSecurity_Utility::is_multisite_install() && !is_main_site( $blog_id ))
434
  {
435
  //Hide config settings if MS and not main site
458
  <th scope="row"><?php _e('wp-config file to restore from', 'all-in-one-wp-security-and-firewall')?>:</th>
459
  <td>
460
  <input type="button" id="aiowps_wp_config_file_button" name="aiowps_wp_config_file_button" class="button rbutton" value="<?php _e('Select Your wp-config File', 'all-in-one-wp-security-and-firewall'); ?>" />
461
+ <input name="aiowps_wp_config_file" type="text" id="aiowps_wp_config_file" value="" size="80" />
462
  <p class="description">
463
  <?php
464
  _e('After selecting your file click the button below to restore your site using the backed up wp-config file (wp-config.php.backup.txt).', 'all-in-one-wp-security-and-firewall');
465
  ?>
466
  </p>
467
  </td>
468
+ </tr>
469
  </table>
470
  <input type="submit" name="aiowps_restore_wp_config_button" value="<?php _e('Restore wp-config File', 'all-in-one-wp-security-and-firewall')?>" class="button-primary" />
471
  </form>
483
  <?php
484
  } //End if statement
485
  }
486
+
487
  function render_tab4()
488
  {
489
  global $aio_wp_security;
490
  global $aiowps_feature_mgr;
491
+
492
  if(isset($_POST['aiowps_save_remove_wp_meta_info']))//Do form submission tasks
493
  {
494
  $nonce=$_REQUEST['_wpnonce'];
499
  }
500
  $aio_wp_security->configs->set_value('aiowps_remove_wp_generator_meta_info',isset($_POST["aiowps_remove_wp_generator_meta_info"])?'1':'');
501
  $aio_wp_security->configs->save_config();
502
+
503
  //Recalculate points after the feature status/options have been altered
504
  $aiowps_feature_mgr->check_feature_status_and_recalculate_points();
505
+
506
  $this->show_msg_settings_updated();
507
  }
508
  ?>
529
  ?>
530
 
531
  <form action="" method="POST">
532
+ <?php wp_nonce_field('aiowpsec-remove-wp-meta-info-nonce'); ?>
533
  <table class="form-table">
534
  <tr valign="top">
535
  <th scope="row"><?php _e('Remove WP Generator Meta Info', 'all-in-one-wp-security-and-firewall')?>:</th>
537
  <input name="aiowps_remove_wp_generator_meta_info" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_remove_wp_generator_meta_info')=='1') echo ' checked="checked"'; ?> value="1"/>
538
  <span class="description"><?php _e('Check this if you want to remove the version and meta info produced by WP from all pages', 'all-in-one-wp-security-and-firewall'); ?></span>
539
  </td>
540
+ </tr>
541
  </table>
542
  <input type="submit" name="aiowps_save_remove_wp_meta_info" value="<?php _e('Save Settings', 'all-in-one-wp-security-and-firewall')?>" class="button-primary" />
543
  </form>
545
  <?php
546
  }
547
 
548
+
549
  function render_tab5()
550
  {
551
  global $aio_wp_security;
552
+
553
  global $wpdb;
554
 
555
  $events_table_name = AIOWPSEC_TBL_EVENTS;
556
+ AIOWPSecurity_Utility::cleanup_table($events_table_name, 500);
557
  if(isset($_POST['aiowps_import_settings']))//Do form submission tasks
558
  {
559
  $nonce=$_REQUEST['_wpnonce'];
592
  //Apply the settings and delete the file (if applicable)
593
  $settings_array = json_decode($aiowps_settings_file_contents, true);
594
  $aiowps_settings_applied = update_option('aio_wp_security_configs', $settings_array);
595
+
596
  if (!$aiowps_settings_applied)
597
  {
598
  //Failed to import settings
717
  function render_tab6()
718
  {
719
  global $aio_wp_security;
720
+
721
  $result = 1;
722
  if (isset($_POST['aiowps_save_advanced_settings']))
723
  {
727
  $aio_wp_security->debug_logger->log_debug("Nonce check failed for save advanced settings!",4);
728
  die(__('Nonce check failed for save advanced settings!','aiowpsecurity'));
729
  }
730
+
731
  $aio_wp_security->configs->set_value('aiowps_ip_retrieve_method', sanitize_text_field($_POST["aiowps_ip_retrieve_method"]));
732
  $aio_wp_security->configs->save_config(); //Save the configuration
733
 
738
  else{
739
  delete_transient('users_online');
740
  }
741
+
742
  $this->show_msg_settings_updated();
743
  }
744
  ?>
753
  '<br />'.__('You can use the settings below to configure which $_SERVER global you would like to use for retrieving the IP address.', 'all-in-one-wp-security-and-firewall').'</p>';
754
  ?>
755
  </div>
756
+
757
  <form action="" method="POST">
758
+ <?php wp_nonce_field('aiowpsec-ip-settings-nonce'); ?>
759
  <table class="form-table">
760
  <tr valign="top">
761
  <td>
771
  <span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php _e('More Info', 'all-in-one-wp-security-and-firewall'); ?></span></span>
772
  <div class="aiowps_more_info_body">
773
  <p class="description">
774
+ <?php
775
  _e('If your chosen server variable fails the plugin will automatically fall back to retrieving the IP address from $_SERVER["REMOTE_ADDR"]', 'all-in-one-wp-security-and-firewall');
776
  ?>
777
  </p>
778
  </div>
779
+ </td>
780
+ </tr>
781
  </table>
782
  <input type="submit" name="aiowps_save_advanced_settings" value="<?php _e('Save Settings', 'all-in-one-wp-security-and-firewall')?>" class="button-primary" />
783
  </form>
784
  </div></div>
785
  <?php
786
+
787
  }
788
+
789
  function check_if_wp_config_contents($wp_file)
790
  {
791
  $is_wp_config = false;
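--- a/admin/wp-security-spam-menu.php
+++ b/admin/wp-security-spam-menu.php
@@ -527,7 +527,7 @@ class AIOWPSecurity_Spam_Menu extends AIOWPSecurity_Admin_Menu
 <div class="aio_blue_box">
 <?php
 echo '<p>'.__('This feature will add a simple math captcha field in the BBPress new topic form.', 'all-in-one-wp-security-and-firewall').
-'<br />'.__('Adding a captcha field in the this form is a simple way of greatly reducing SPAM submitted from bots.', 'all-in-one-wp-security-and-firewall').'</p>';
+'<br />'.__('Adding a captcha field in this form is a simple way of greatly reducing SPAM submitted from bots.', 'all-in-one-wp-security-and-firewall').'</p>';
 ?>
 </div>
 <?php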
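--- a/admin/wp-security-user-login-menu.php
+++ b/admin/wp-security-user-login-menu.php
@@ -564,7 +564,7 @@ class AIOWPSecurity_User_Login_Menu extends AIOWPSecurity_Admin_Menu
 <div class="aio_blue_box">
 <?php
 echo '<p>'.__('This tab displays the activity for accounts registered with your site that have logged in using the WordPress login form.', 'all-in-one-wp-security-and-firewall').'
-<br />'.__('The information below can be handy if you need to do security investigations because it will show you the last 50 recent login events by username, IP address and time/date.', 'all-in-one-wp-security-and-firewall').'
+<br />'.__('The information below can be handy if you need to do security investigations because it will show you the last 100 recent login events by username, IP address and time/date.', 'all-in-one-wp-security-and-firewall').'
 </p>';
 ?>
 </div>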
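--- a/classes/wp-security-configure-settings.php
+++ b/classes/wp-security-configure-settings.php
@@ -82,6 +82,7 @@ class AIOWPSecurity_Configure_Settings
 
 //Firewall features
 $aio_wp_security->configs->set_value('aiowps_enable_basic_firewall','');//Checkbox
+$aio_wp_security->configs->set_value('aiowps_max_file_upload_size','10'); //Default 10MB
 $aio_wp_security->configs->set_value('aiowps_enable_pingback_firewall','');//Checkbox - blocks all access to XMLRPC
 $aio_wp_security->configs->set_value('aiowps_disable_xmlrpc_pingback_methods','');//Checkbox - Disables only pingback methods in XMLRPC functionality
 $aio_wp_security->configs->set_value('aiowps_block_debug_log_file_access','');//Checkbox
@@ -234,6 +235,7 @@ class AIOWPSecurity_Configure_Settings
 
 //Firewall features
 $aio_wp_security->configs->add_value('aiowps_enable_basic_firewall','');//Checkbox
+$aio_wp_security->configs->add_value('aiowps_max_file_upload_size','10');
 $aio_wp_security->configs->add_value('aiowps_enable_pingback_firewall','');//Checkbox - blocks all access to XMLRPC
 $aio_wp_security->configs->add_value('aiowps_disable_xmlrpc_pingback_methods','');//Checkbox - Disables only pingback methods in XMLRPC functionality
 $aio_wp_security->configs->add_value('aiowps_block_debug_log_file_access','');//Checkbox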
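Review bot: The new `aiowps_max_file_upload_size` default is written in two places but only the `set_value` line (new line 85) records the unit; the `add_value` line (new line 238), which is the path that introduces the key on already-installed sites, is bare. Mirror the comment there, `$aio_wp_security->configs->add_value('aiowps_max_file_upload_size','10'); //Default 10MB`, so the unit is documented wherever the value originates. The default is stored as the string '10', so whichever code consumes it (presumably a firewall rule built elsewhere, not visible in this hunk) should cast it and bound-check it before emitting it into a server directive. Both enclosing functions start and end outside the hunk.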
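--- a/classes/wp-security-cronjob-handler.php
+++ b/classes/wp-security-cronjob-handler.php
@@ -12,7 +12,7 @@ class AIOWPSecurity_Cronjob_Handler {
 
 function aiowps_hourly_cron_event_handler()
 {
-//Do stuff that needs checking every hours
+//Do stuff that needs checking hourly
 do_action('aiowps_perform_scheduled_backup_tasks');
 do_action('aiowps_perform_fcd_scan_tasks');
 do_action('aiowps_perform_db_cleanup_tasks');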
classes/wp-security-file-scan.php CHANGED
@@ -15,21 +15,51 @@ class AIOWPSecurity_Scan
15
  * This function will recursively scan through all directories starting from the specified location
16
  * It will store the path/filename, last_modified and filesize values in a multi-dimensional associative array
17
  */
 
 
 
 
 
 
 
18
  function execute_file_change_detection_scan()
19
  {
20
  global $aio_wp_security;
21
  $scan_result = array();
22
- if($this->has_scan_data()){
23
- $scanned_data = $this->do_file_change_scan(); //Scan the filesystem and get details
24
- $last_scan_data = $this->get_last_scan_data();
25
- $scan_result = $this->compare_scan_data($last_scan_data,$scanned_data);
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
26
  $scan_result['initial_scan'] = '';
27
- $this->save_scan_data_to_db($scanned_data, 'update', $scan_result);
28
  if (!empty($scan_result['files_added']) || !empty($scan_result['files_removed']) || !empty($scan_result['files_changed'])){
29
  //This means there was a change detected
30
  $aio_wp_security->configs->set_value('aiowps_fcds_change_detected', TRUE);
31
  $aio_wp_security->configs->save_config();
32
- $aio_wp_security->debug_logger->log_debug("File Change Detection Feature: change to filesystem detected!");
33
 
34
  $this->aiowps_send_file_change_alert_email($scan_result); //Send file change scan results via email if applicable
35
  } else {
@@ -39,12 +69,6 @@ class AIOWPSecurity_Scan
39
  }
40
  return $scan_result;
41
  }
42
- else{
43
- $scanned_data = $this->do_file_change_scan();
44
- $this->save_scan_data_to_db($scanned_data);
45
- $scan_result['initial_scan'] = '1';
46
- return $scan_result;
47
- }
48
  }
49
 
50
  /**
@@ -74,7 +98,7 @@ class AIOWPSecurity_Scan
74
  // If no explicit email address(es) are given, send email to site admin.
75
  $to = empty( $addresses ) ? array( get_site_option('admin_email') ) : explode(PHP_EOL, $addresses);
76
  if ( !wp_mail( $to, $subject, $message, $headers ) ) {
77
- $aio_wp_security->debug_logger->log_debug("File change notification email failed to send.",4);
78
  }
79
 
80
  }
@@ -85,7 +109,7 @@ class AIOWPSecurity_Scan
85
  global $aio_wp_security;
86
  if($aio_wp_security->configs->get_value('aiowps_enable_automated_fcd_scan')=='1')
87
  {
88
- $aio_wp_security->debug_logger->log_debug_cron("Filescan - Scheduled fcd_scan is enabled. Checking now to see if scan needs to be done...");
89
  $time_now = current_time( 'mysql' );
90
  $current_time = strtotime($time_now);
91
  $fcd_scan_frequency = $aio_wp_security->configs->get_value('aiowps_fcd_scan_frequency'); //Number of hours or days or months interval
@@ -102,25 +126,24 @@ class AIOWPSecurity_Scan
102
  $interval = 'weeks';
103
  break;
104
  }
105
- $last_fcd_scan_time = $aio_wp_security->configs->get_value('aiowps_last_fcd_scan_time');
106
- if ($last_fcd_scan_time != NULL)
107
  {
108
- $last_fcd_scan_time = strtotime($aio_wp_security->configs->get_value('aiowps_last_fcd_scan_time'));
109
  $next_fcd_scan_time = strtotime("+".abs($fcd_scan_frequency).$interval, $last_fcd_scan_time);
110
  if ($next_fcd_scan_time <= $current_time)
111
  {
112
  //It's time to do a filescan
113
- $result = $this->execute_file_change_detection_scan(ABSPATH);
114
- // if ($result)
115
- // {
 
 
 
 
116
  $aio_wp_security->configs->set_value('aiowps_last_fcd_scan_time', $time_now);
117
  $aio_wp_security->configs->save_config();
118
- $aio_wp_security->debug_logger->log_debug_cron("Filescan - Scheduled filescan was successfully completed.");
119
- // }
120
- // else
121
- // {
122
- // $aio_wp_security->debug_logger->log_debug_cron("Filescan - Scheduled filescan operation failed!",4);
123
- // }
124
  }
125
  }
126
  else
@@ -132,63 +155,53 @@ class AIOWPSecurity_Scan
132
  }
133
  }
134
 
135
- /* Returns true if there is at least one previous scaned data in the DB. False otherwise */
136
- function has_scan_data()
 
 
 
 
137
  {
138
- global $wpdb;
139
- //For scanned data the meta_key1 column valu is 'file_change_detection', meta_value1 column value is 'file_scan_data'. Then the data is stored in meta_value4 column.
140
- $aiowps_global_meta_tbl_name = AIOWPSEC_TBL_GLOBAL_META_DATA;
141
- $sql = $wpdb->prepare("SELECT * FROM $aiowps_global_meta_tbl_name WHERE meta_key1=%s AND meta_value1=%s", 'file_change_detection', 'file_scan_data');
142
- $resultset = $wpdb->get_row($sql, OBJECT);
143
- if($resultset){
144
- $scan_data = maybe_unserialize($resultset->meta_value4);
145
- if(!empty($scan_data)){
146
- return true;
147
- }
148
  }
149
- return false;
150
- }
151
-
152
- function get_last_scan_data()
153
- {
154
- global $wpdb;
155
- //For scanned data the meta_key1 column valu is 'file_change_detection', meta_value1 column value is 'file_scan_data'. Then the data is stored in meta_value4 column.
156
- $aiowps_global_meta_tbl_name = AIOWPSEC_TBL_GLOBAL_META_DATA;
157
- $sql = $wpdb->prepare("SELECT * FROM $aiowps_global_meta_tbl_name WHERE meta_key1=%s AND meta_value1=%s", 'file_change_detection', 'file_scan_data');
158
- $resultset = $wpdb->get_row($sql, OBJECT);
159
- if($resultset){
160
- $scan_data = maybe_unserialize($resultset->meta_value4);
161
- return $scan_data;
162
  }
163
- return array(); //return empty array if no old scan data
164
- }
165
-
166
- function save_scan_data_to_db($scanned_data, $save_type = 'insert', $scan_result = array())
167
- {
168
- global $wpdb, $aio_wp_security;
169
- $result = '';
170
- //For scanned data the meta_key1 column value is 'file_change_detection', meta_value1 column value is 'file_scan_data'. Then the data is stored in meta_value4 column.
171
- $aiowps_global_meta_tbl_name = AIOWPSEC_TBL_GLOBAL_META_DATA;
172
- $payload = maybe_serialize($scanned_data);
173
- $scan_result = maybe_serialize($scan_result);
174
- $date_time = current_time( 'mysql' );
175
- $data = array('date_time' => $date_time, 'meta_key1' => 'file_change_detection', 'meta_value1' => 'file_scan_data', 'meta_value4' => $payload, 'meta_key5' => 'last_scan_result', 'meta_value5' => $scan_result);
176
- if($save_type == 'insert'){
177
- $result = $wpdb->insert($aiowps_global_meta_tbl_name, $data);
178
- }
179
- else{
180
- $where = array('meta_key1' => 'file_change_detection', 'meta_value1' => 'file_scan_data');
181
- $result = $wpdb->update($aiowps_global_meta_tbl_name, $data, $where);
182
-
183
  }
184
- if ($result === false){
185
- $aio_wp_security->debug_logger->log_debug("save_scan_data_to_db() - Error inserting data to DB!",4);
 
 
 
 
186
  return false;
187
- }else{
188
- return true;
 
 
 
 
 
 
 
189
  }
190
  }
191
-
192
  /**
193
  * Recursively scan the entire $start_dir directory and return file size
194
  * and last modified date of every regular file. Ignore files and file
@@ -298,7 +311,7 @@ class AIOWPSecurity_Scan
298
  $scan_db_data = $wpdb->get_row($sql_prep, ARRAY_A);
299
  if ($scan_db_data === NULL)
300
  {
301
- $aio_wp_security->debug_logger->log_debug("display_last_scan_results() - DB query for scan results data from global meta table returned NULL!",4);
302
  return FALSE;
303
  }
304
  $date_last_scan = $scan_db_data['date_time'];
@@ -347,4 +360,34 @@ class AIOWPSecurity_Scan
347
  return $scan_summary;
348
  }
349
 
350
- }
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
15
  * This function will recursively scan through all directories starting from the specified location
16
  * It will store the path/filename, last_modified and filesize values in a multi-dimensional associative array
17
  */
18
+
19
+ /**
20
+ * Will recursively scan through all directories starting from ABSPATH.
21
+ * Will return array with the path/filename, last_modified and filesize values
22
+ * @global AIO_WP_Security $aio_wp_security
23
+ * @return boolean|array
24
+ */
25
  function execute_file_change_detection_scan()
26
  {
27
  global $aio_wp_security;
28
  $scan_result = array();
29
+ $fcd_filename = $aio_wp_security->configs->get_value('aiowps_fcd_filename');
30
+ if (empty($fcd_filename)) {
31
+ // means that we haven't done a scan before, or,
32
+ // the fcd file containing the results doesn't exist
33
+ $random_suffix = AIOWPSecurity_Utility::generate_alpha_numeric_random_string(10);
34
+ $fcd_filename = 'aiowps_fcd_data_' . $random_suffix;
35
+ $aio_wp_security->configs->set_value('aiowps_fcd_filename', $fcd_filename);
36
+ $aio_wp_security->configs->save_config();
37
+ }
38
+
39
+ $fcd_data = self::get_fcd_data(); // get previous scan data if any
40
+
41
+ if ($fcd_data === false) {
42
+ // an error occurred so return
43
+ return false;
44
+ }
45
+
46
+ $scanned_data = $this->do_file_change_scan();
47
+
48
+ if(empty($fcd_data)){
49
+ $this->save_fcd_data($scanned_data);
50
+ $scan_result['initial_scan'] = '1';
51
+ return $scan_result;
52
+ } else {
53
+
54
+ $scan_result = $this->compare_scan_data($fcd_data['file_scan_data'], $scanned_data);
55
+
56
  $scan_result['initial_scan'] = '';
57
+ $this->save_fcd_data($scanned_data, $scan_result);
58
  if (!empty($scan_result['files_added']) || !empty($scan_result['files_removed']) || !empty($scan_result['files_changed'])){
59
  //This means there was a change detected
60
  $aio_wp_security->configs->set_value('aiowps_fcds_change_detected', TRUE);
61
  $aio_wp_security->configs->save_config();
62
+ $aio_wp_security->debug_logger->log_debug(__METHOD__ . " - change to filesystem detected!");
63
 
64
  $this->aiowps_send_file_change_alert_email($scan_result); //Send file change scan results via email if applicable
65
  } else {
69
  }
70
  return $scan_result;
71
  }
 
 
 
 
 
 
72
  }
73
 
74
  /**
98
  // If no explicit email address(es) are given, send email to site admin.
99
  $to = empty( $addresses ) ? array( get_site_option('admin_email') ) : explode(PHP_EOL, $addresses);
100
  if ( !wp_mail( $to, $subject, $message, $headers ) ) {
101
+ $aio_wp_security->debug_logger->log_debug(__METHOD__ . " - File change notification email failed to send.",4);
102
  }
103
 
104
  }
109
  global $aio_wp_security;
110
  if($aio_wp_security->configs->get_value('aiowps_enable_automated_fcd_scan')=='1')
111
  {
112
+ $aio_wp_security->debug_logger->log_debug_cron(__METHOD__ . " - Scheduled fcd_scan is enabled. Checking now to see if scan needs to be done...");
113
  $time_now = current_time( 'mysql' );
114
  $current_time = strtotime($time_now);
115
  $fcd_scan_frequency = $aio_wp_security->configs->get_value('aiowps_fcd_scan_frequency'); //Number of hours or days or months interval
126
  $interval = 'weeks';
127
  break;
128
  }
129
+ $last_fcd_scan_time_string = $aio_wp_security->configs->get_value('aiowps_last_fcd_scan_time');
130
+ if ($last_fcd_scan_time_string != NULL)
131
  {
132
+ $last_fcd_scan_time = strtotime($last_fcd_scan_time_string);
133
  $next_fcd_scan_time = strtotime("+".abs($fcd_scan_frequency).$interval, $last_fcd_scan_time);
134
  if ($next_fcd_scan_time <= $current_time)
135
  {
136
  //It's time to do a filescan
137
+ $result = $this->execute_file_change_detection_scan();
138
+ if ($result === false)
139
+ {
140
+ $aio_wp_security->debug_logger->log_debug(__METHOD__ . " - Scheduled filescan operation failed!",4);
141
+ }
142
+ else
143
+ {
144
  $aio_wp_security->configs->set_value('aiowps_last_fcd_scan_time', $time_now);
145
  $aio_wp_security->configs->save_config();
146
+ }
 
 
 
 
 
147
  }
148
  }
149
  else
155
  }
156
  }
157
 
158
+ /**
159
+ * Get the last filechange detection data which is stored in the special file.
160
+ * @global AIO_WP_Security $aio_wp_security
161
+ * @return bool|array - false on failure, array on success
162
+ */
163
+ static function get_fcd_data()
164
  {
165
+ global $aio_wp_security;
166
+ $aiowps_backup_dir = WP_CONTENT_DIR.'/'.AIO_WP_SECURITY_BACKUPS_DIR_NAME;
167
+
168
+ $fcd_filename = $aio_wp_security->configs->get_value('aiowps_fcd_filename');
169
+ $results_file = $aiowps_backup_dir. '/'. $fcd_filename;
170
+
171
+ if(!file_exists($results_file)) {
172
+ $fp = @fopen($results_file, 'w'); //open for write - will create file if doesn't exist
173
+ return array();
 
174
  }
175
+
176
+ if(empty(filesize($results_file))) {
177
+ return array(); // if newly created file return empty array
 
 
 
 
 
 
 
 
 
 
178
  }
179
+
180
+ $fp = @fopen($results_file, 'r'); //open for read and write - will create file if doesn't exist
181
+ if($fp === false) {
182
+ // Error
183
+ $aio_wp_security->debug_logger->log_debug(__METHOD__ . " - fopen returned false when opening fcd data file");
184
+ return false;
 
 
 
 
 
 
 
 
 
 
 
 
 
 
185
  }
186
+
187
+ $contents = fread($fp, filesize($results_file));
188
+ fclose($fp);
189
+ if($contents === false){
190
+ // Error
191
+ $aio_wp_security->debug_logger->log_debug(__METHOD__ . " - fread returned false when reading fcd data file");
192
  return false;
193
+ } else {
194
+
195
+ $fcd_file_contents = json_decode($contents, TRUE);
196
+ if(isset($fcd_file_contents['file_scan_data'])) {
197
+ return $fcd_file_contents;
198
+ } else {
199
+ return array();
200
+ }
201
+
202
  }
203
  }
204
+
205
  /**
206
  * Recursively scan the entire $start_dir directory and return file size
207
  * and last modified date of every regular file. Ignore files and file
311
  $scan_db_data = $wpdb->get_row($sql_prep, ARRAY_A);
312
  if ($scan_db_data === NULL)
313
  {
314
+ $aio_wp_security->debug_logger->log_debug(__METHOD__ . " - DB query for scan results data from global meta table returned NULL!",4);
315
  return FALSE;
316
  }
317
  $date_last_scan = $scan_db_data['date_time'];
360
  return $scan_summary;
361
  }
362
 
363
+ /**
364
+ * Saves file change detection data into a special file
365
+ * @global AIO_WP_Security $aio_wp_security
366
+ * @param type $scanned_data
367
+ * @param type $scan_result
368
+ * @return boolean
369
+ */
370
+ function save_fcd_data($scanned_data, $scan_result = array())
371
+ {
372
+ global $aio_wp_security;
373
+
374
+ $date_time = current_time( 'mysql' );
375
+ $data = array('date_time' => $date_time, 'file_scan_data' => $scanned_data, 'last_scan_result' => $scan_result);
376
+
377
+ $fcd_filename = $aio_wp_security->configs->get_value('aiowps_fcd_filename');
378
+ $aiowps_backup_dir = WP_CONTENT_DIR.'/'.AIO_WP_SECURITY_BACKUPS_DIR_NAME;
379
+
380
+ if (!AIOWPSecurity_Utility_File::create_dir($aiowps_backup_dir))
381
+ {
382
+ $aio_wp_security->debug_logger->log_debug(__METHOD__ . " - Creation of DB backup directory failed!",4);
383
+ return false;
384
+ }
385
+ $results_file = $aiowps_backup_dir. '/'. $fcd_filename;
386
+ $fp=fopen($results_file,'w');
387
+ fwrite($fp, json_encode($data));
388
+ fclose($fp);
389
+
390
+ }
391
+
392
+ }
393
+
classes/wp-security-general-init-tasks.php CHANGED
@@ -20,8 +20,6 @@ class AIOWPSecurity_General_Init_Tasks
20
  AIOWPSecurity_Blocking::check_visitor_ip_and_perform_blocking();
21
 
22
  if ($aio_wp_security->configs->get_value('aiowps_enable_autoblock_spam_ip') == '1') {
23
- //add_action( 'spammed_comment', array(&$this, 'process_spammed_comment' )); //this hook gets fired when admin marks comment as spam
24
- //add_action( 'akismet_submit_spam_comment', array(&$this, 'process_akismet_submit_spam_comment' ), 10, 2); //this hook gets fired when akismet marks a comment as spam
25
  add_action( 'comment_post', array(&$this, 'spam_detect_process_comment_post' ), 10, 2); //this hook gets fired just after comment is saved to DB
26
  add_action( 'transition_comment_status', array(&$this, 'process_transition_comment_status' ), 10, 3); //this hook gets fired when a comment's status changes
27
  }
@@ -38,15 +36,15 @@ class AIOWPSecurity_General_Init_Tasks
38
  if(AIOWPSecurity_Installer::reactivation_tasks()){
39
  $aio_wp_security->debug_logger->log_debug("The AIOWPS .htaccess rules were successfully re-inserted!");
40
  $_SESSION['reapply_htaccess_rules_action_result'] = '1';//Success indicator.
41
- //Can't echo to the screen here. It will create an header already sent error.
42
  }else{
43
  $aio_wp_security->debug_logger->log_debug("AIOWPS encountered an error when trying to write to your .htaccess file. Please check the logs.", 5);
44
  $_SESSION['reapply_htaccess_rules_action_result'] = '2';//fail indicator.
45
- //Can't echo to the screen here. It will create an header already sent error.
46
  }
47
 
48
  }elseif(strip_tags($_REQUEST['aiowps_reapply_htaccess']) == 2){
49
- //Don't re-write the rules and just delete the temp config item
50
  delete_option('aiowps_temp_configs');
51
  }
52
  }
@@ -61,27 +59,27 @@ class AIOWPSecurity_General_Init_Tasks
61
  add_filter('script_loader_src', array(&$this,'remove_wp_css_js_meta_info'));
62
  }
63
 
64
- //For the cookie based brute force prevention feature
65
  if($aio_wp_security->configs->get_value('aiowps_enable_brute_force_attack_prevention') == 1){
66
  $bfcf_secret_word = $aio_wp_security->configs->get_value('aiowps_brute_force_secret_word');
67
  if(isset($_GET[$bfcf_secret_word])){
68
- //If URL contains secret word in query param then set cookie and then redirect to the login page
69
  AIOWPSecurity_Utility::set_cookie_value($bfcf_secret_word, "1");
70
  AIOWPSecurity_Utility::redirect_to_url(AIOWPSEC_WP_URL."/wp-admin");
71
  }
72
  }
73
 
74
- //Stop users enumeration feature
75
  if( $aio_wp_security->configs->get_value('aiowps_prevent_users_enumeration') == 1) {
76
  include_once(AIO_WP_SECURITY_PATH.'/other-includes/wp-security-stop-users-enumeration.php');
77
  }
78
 
79
- //REST API security
80
  if( $aio_wp_security->configs->get_value('aiowps_disallow_unauthorized_rest_requests') == 1) {
81
  add_action('rest_api_init', array(&$this, 'check_rest_api_requests'), 10 ,1);
82
  }
83
 
84
- //For user unlock request feature
85
  if(isset($_POST['aiowps_unlock_request']) || isset($_POST['aiowps_wp_submit_unlock_request'])){
86
  nocache_headers();
87
  remove_action('wp_head','head_addons',7);
@@ -95,7 +93,7 @@ class AIOWPSecurity_General_Init_Tasks
95
  AIOWPSecurity_User_Login::process_unlock_request($unlock_key);
96
  }
97
 
98
- //For honeypot feature
99
  if(isset($_POST['aio_special_field'])){
100
  $special_field_value = sanitize_text_field($_POST['aio_special_field']);
101
  if(!empty($special_field_value)){
@@ -105,7 +103,7 @@ class AIOWPSecurity_General_Init_Tasks
105
  }
106
  }
107
 
108
- //For 404 IP lockout feature
109
  if($aio_wp_security->configs->get_value('aiowps_enable_404_IP_lockout') == '1'){
110
  if (!is_user_logged_in() || !current_user_can('administrator')) {
111
  $this->do_404_lockout_tasks();
@@ -113,14 +111,14 @@ class AIOWPSecurity_General_Init_Tasks
113
  }
114
 
115
 
116
- //For login captcha feature
117
  if($aio_wp_security->configs->get_value('aiowps_enable_login_captcha') == '1'){
118
  if (!is_user_logged_in()) {
119
  add_action('login_form', array(&$this, 'insert_captcha_question_form'));
120
  }
121
  }
122
 
123
- //For woo form captcha features
124
  if($aio_wp_security->configs->get_value('aiowps_enable_woo_login_captcha') == '1') {
125
  if (!is_user_logged_in()) {
126
  add_action('woocommerce_login_form', array(&$this, 'insert_captcha_question_form'));
@@ -149,35 +147,35 @@ class AIOWPSecurity_General_Init_Tasks
149
  }
150
  }
151
 
152
- //For bbpress new topic form captcha
153
  if($aio_wp_security->configs->get_value('aiowps_enable_bbp_new_topic_captcha') == '1'){
154
  if (!is_user_logged_in()) {
155
  add_action('bbp_theme_before_topic_form_submit_wrapper', array(&$this, 'insert_captcha_question_form'));
156
  }
157
  }
158
 
159
- //For custom login form captcha feature, ie, when wp_login_form() function is used to generate login form
160
  if($aio_wp_security->configs->get_value('aiowps_enable_custom_login_captcha') == '1'){
161
  if (!is_user_logged_in()) {
162
  add_filter( 'login_form_middle', array(&$this, 'insert_captcha_custom_login'), 10, 2); //For cases where the WP wp_login_form() function is used
163
  }
164
  }
165
 
166
- //For honeypot feature
167
  if($aio_wp_security->configs->get_value('aiowps_enable_login_honeypot') == '1'){
168
  if (!is_user_logged_in()) {
169
  add_action('login_form', array(&$this, 'insert_honeypot_hidden_field'));
170
  }
171
  }
172
 
173
- //For registration honeypot feature
174
  if($aio_wp_security->configs->get_value('aiowps_enable_registration_honeypot') == '1'){
175
  if (!is_user_logged_in()) {
176
  add_action('register_form', array(&$this, 'insert_honeypot_hidden_field'));
177
  }
178
  }
179
 
180
- //For lost password captcha feature
181
  if($aio_wp_security->configs->get_value('aiowps_enable_lost_password_captcha') == '1'){
182
  if (!is_user_logged_in()) {
183
  add_action('lostpassword_form', array(&$this, 'insert_captcha_question_form'));
@@ -185,12 +183,12 @@ class AIOWPSecurity_General_Init_Tasks
185
  }
186
  }
187
 
188
- //For registration manual approval feature
189
  if($aio_wp_security->configs->get_value('aiowps_enable_manual_registration_approval') == '1'){
190
  add_filter('wp_login_errors', array(&$this, 'modify_registration_page_messages'),10, 2);
191
  }
192
 
193
- //For registration page captcha feature
194
  if (AIOWPSecurity_Utility::is_multisite_install()){
195
  $blog_id = get_current_blog_id();
196
  switch_to_blog($blog_id);
@@ -210,7 +208,7 @@ class AIOWPSecurity_General_Init_Tasks
210
  }
211
  }
212
 
213
- //For comment captcha feature or custom login form captcha
214
  if (AIOWPSecurity_Utility::is_multisite_install()){
215
  $blog_id = get_current_blog_id();
216
  switch_to_blog($blog_id);
@@ -238,28 +236,28 @@ class AIOWPSecurity_General_Init_Tasks
238
  }
239
  }
240
 
241
- //For buddypress registration captcha feature
242
  if($aio_wp_security->configs->get_value('aiowps_enable_bp_register_captcha') == '1'){
243
  add_action('bp_account_details_fields', array(&$this, 'insert_captcha_question_form'));
244
  add_action('bp_signup_validate', array(&$this, 'buddy_press_signup_validate_captcha'));
245
  }
246
 
247
 
248
- //For feature which displays logged in users
249
- $this->update_logged_in_user_transient();
250
 
251
- //For block fake googlebots feature
252
  if($aio_wp_security->configs->get_value('aiowps_block_fake_googlebots') == '1'){
253
  include_once(AIO_WP_SECURITY_PATH.'/classes/wp-security-bot-protection.php');
254
  AIOWPSecurity_Fake_Bot_Protection::block_fake_googlebots();
255
  }
256
 
257
- //For 404 event logging
258
  if($aio_wp_security->configs->get_value('aiowps_enable_404_logging') == '1'){
259
  add_action('wp_head', array(&$this, 'check_404_event'));
260
  }
261
 
262
- //Add more tasks that need to be executed at init time
263
 
264
  } // end _construct()
265
 
@@ -372,68 +370,6 @@ class AIOWPSecurity_General_Init_Tasks
372
  }
373
  }
374
 
375
- function update_logged_in_user_transient(){
376
- if(is_user_logged_in()){
377
- $current_user_ip = AIOWPSecurity_Utility_IP::get_user_ip_address();
378
- // get the logged in users list from transients entry
379
- $logged_in_users = (AIOWPSecurity_Utility::is_multisite_install() ? get_site_transient('users_online') : get_transient('users_online'));
380
- $current_user = wp_get_current_user();
381
- $current_user = $current_user->ID;
382
- $current_time = current_time('timestamp');
383
-
384
- // Store last activity time and ip address in transient entry
385
- if(AIOWPSecurity_Utility::is_multisite_install()) {
386
- $current_blog_id = get_current_blog_id();
387
- // For multi-sites also store blog_id
388
- $current_user_info = array("user_id" => $current_user, "last_activity" => $current_time, "ip_address" => $current_user_ip, "blog_id" => $current_blog_id);
389
- } else {
390
- $current_user_info = array("user_id" => $current_user, "last_activity" => $current_time, "ip_address" => $current_user_ip); //We will store last activity time and ip address in transient entry
391
- }
392
-
393
-
394
- if($logged_in_users === false || $logged_in_users == NULL){
395
- $logged_in_users = array();
396
- $logged_in_users[] = $current_user_info;
397
- AIOWPSecurity_Utility::is_multisite_install() ? set_site_transient('users_online', $logged_in_users, 30 * 60) : set_transient('users_online', $logged_in_users, 30 * 60);
398
- }
399
- else
400
- {
401
- $key = 0;
402
- $do_nothing = false;
403
- $update_existing = false;
404
- $item_index = 0;
405
- foreach ($logged_in_users as $value)
406
- {
407
- if($value['user_id'] == $current_user && strcmp($value['ip_address'], $current_user_ip) == 0)
408
- {
409
- if ($value['last_activity'] < ($current_time - (15 * 60)))
410
- {
411
- $update_existing = true;
412
- $item_index = $key;
413
- break;
414
- }else{
415
- $do_nothing = true;
416
- break;
417
- }
418
- }
419
- $key++;
420
- }
421
-
422
- if($update_existing)
423
- {
424
- //Update transient if the last activity was less than 15 min ago for this user
425
- $logged_in_users[$item_index] = $current_user_info;
426
- AIOWPSecurity_Utility::is_multisite_install() ? set_site_transient('users_online', $logged_in_users, 30 * 60) : set_transient('users_online', $logged_in_users, 30 * 60);
427
- }else if($do_nothing){
428
- //Do nothing
429
- }else{
430
- $logged_in_users[] = $current_user_info;
431
- AIOWPSecurity_Utility::is_multisite_install() ? set_site_transient('users_online', $logged_in_users, 30 * 60) : set_transient('users_online', $logged_in_users, 30 * 60);
432
- }
433
- }
434
- }
435
- }
436
-
437
  /**
438
  * Renders captcha on form produced by the wp_login_form() function, ie, custom wp login form
439
  * @global type $aio_wp_security
@@ -527,7 +463,7 @@ class AIOWPSecurity_General_Init_Tasks
527
  }
528
 
529
  //Don't do captcha for pingback/trackback
530
- if ($comment['comment_type'] != '' && $comment['comment_type'] != 'comment') {
531
  return $comment;
532
  }
533
 
@@ -677,6 +613,7 @@ class AIOWPSecurity_General_Init_Tasks
677
  // Do NOT enqueue if this is the main woocommerce account login page because for woocommerce page we "explicitly" render the recaptcha widget
678
  $is_woo = false;
679
 
 
680
  if ( function_exists('is_account_page') ) {
681
  // Check if this a woocommerce account page
682
  $is_woo = is_account_page();
20
  AIOWPSecurity_Blocking::check_visitor_ip_and_perform_blocking();
21
 
22
  if ($aio_wp_security->configs->get_value('aiowps_enable_autoblock_spam_ip') == '1') {
 
 
23
  add_action( 'comment_post', array(&$this, 'spam_detect_process_comment_post' ), 10, 2); //this hook gets fired just after comment is saved to DB
24
  add_action( 'transition_comment_status', array(&$this, 'process_transition_comment_status' ), 10, 3); //this hook gets fired when a comment's status changes
25
  }
36
  if(AIOWPSecurity_Installer::reactivation_tasks()){
37
  $aio_wp_security->debug_logger->log_debug("The AIOWPS .htaccess rules were successfully re-inserted!");
38
  $_SESSION['reapply_htaccess_rules_action_result'] = '1';//Success indicator.
39
+ // Can't echo to the screen here. It will create an header already sent error.
40
  }else{
41
  $aio_wp_security->debug_logger->log_debug("AIOWPS encountered an error when trying to write to your .htaccess file. Please check the logs.", 5);
42
  $_SESSION['reapply_htaccess_rules_action_result'] = '2';//fail indicator.
43
+ // Can't echo to the screen here. It will create an header already sent error.
44
  }
45
 
46
  }elseif(strip_tags($_REQUEST['aiowps_reapply_htaccess']) == 2){
47
+ // Don't re-write the rules and just delete the temp config item
48
  delete_option('aiowps_temp_configs');
49
  }
50
  }
59
  add_filter('script_loader_src', array(&$this,'remove_wp_css_js_meta_info'));
60
  }
61
 
62
+ // For the cookie based brute force prevention feature
63
  if($aio_wp_security->configs->get_value('aiowps_enable_brute_force_attack_prevention') == 1){
64
  $bfcf_secret_word = $aio_wp_security->configs->get_value('aiowps_brute_force_secret_word');
65
  if(isset($_GET[$bfcf_secret_word])){
66
+ // If URL contains secret word in query param then set cookie and then redirect to the login page
67
  AIOWPSecurity_Utility::set_cookie_value($bfcf_secret_word, "1");
68
  AIOWPSecurity_Utility::redirect_to_url(AIOWPSEC_WP_URL."/wp-admin");
69
  }
70
  }
71
 
72
+ // Stop users enumeration feature
73
  if( $aio_wp_security->configs->get_value('aiowps_prevent_users_enumeration') == 1) {
74
  include_once(AIO_WP_SECURITY_PATH.'/other-includes/wp-security-stop-users-enumeration.php');
75
  }
76
 
77
+ // REST API security
78
  if( $aio_wp_security->configs->get_value('aiowps_disallow_unauthorized_rest_requests') == 1) {
79
  add_action('rest_api_init', array(&$this, 'check_rest_api_requests'), 10 ,1);
80
  }
81
 
82
+ // For user unlock request feature
83
  if(isset($_POST['aiowps_unlock_request']) || isset($_POST['aiowps_wp_submit_unlock_request'])){
84
  nocache_headers();
85
  remove_action('wp_head','head_addons',7);
93
  AIOWPSecurity_User_Login::process_unlock_request($unlock_key);
94
  }
95
 
96
+ // For honeypot feature
97
  if(isset($_POST['aio_special_field'])){
98
  $special_field_value = sanitize_text_field($_POST['aio_special_field']);
99
  if(!empty($special_field_value)){
103
  }
104
  }
105
 
106
+ // For 404 IP lockout feature
107
  if($aio_wp_security->configs->get_value('aiowps_enable_404_IP_lockout') == '1'){
108
  if (!is_user_logged_in() || !current_user_can('administrator')) {
109
  $this->do_404_lockout_tasks();
111
  }
112
 
113
 
114
+ // For login captcha feature
115
  if($aio_wp_security->configs->get_value('aiowps_enable_login_captcha') == '1'){
116
  if (!is_user_logged_in()) {
117
  add_action('login_form', array(&$this, 'insert_captcha_question_form'));
118
  }
119
  }
120
 
121
+ // For woo form captcha features
122
  if($aio_wp_security->configs->get_value('aiowps_enable_woo_login_captcha') == '1') {
123
  if (!is_user_logged_in()) {
124
  add_action('woocommerce_login_form', array(&$this, 'insert_captcha_question_form'));
147
  }
148
  }
149
 
150
+ // For bbpress new topic form captcha
151
  if($aio_wp_security->configs->get_value('aiowps_enable_bbp_new_topic_captcha') == '1'){
152
  if (!is_user_logged_in()) {
153
  add_action('bbp_theme_before_topic_form_submit_wrapper', array(&$this, 'insert_captcha_question_form'));
154
  }
155
  }
156
 
157
+ // For custom login form captcha feature, ie, when wp_login_form() function is used to generate login form
158
  if($aio_wp_security->configs->get_value('aiowps_enable_custom_login_captcha') == '1'){
159
  if (!is_user_logged_in()) {
160
  add_filter( 'login_form_middle', array(&$this, 'insert_captcha_custom_login'), 10, 2); //For cases where the WP wp_login_form() function is used
161
  }
162
  }
163
 
164
+ // For honeypot feature
165
  if($aio_wp_security->configs->get_value('aiowps_enable_login_honeypot') == '1'){
166
  if (!is_user_logged_in()) {
167
  add_action('login_form', array(&$this, 'insert_honeypot_hidden_field'));
168
  }
169
  }
170
 
171
+ // For registration honeypot feature
172
  if($aio_wp_security->configs->get_value('aiowps_enable_registration_honeypot') == '1'){
173
  if (!is_user_logged_in()) {
174
  add_action('register_form', array(&$this, 'insert_honeypot_hidden_field'));
175
  }
176
  }
177
 
178
+ // For lost password captcha feature
179
  if($aio_wp_security->configs->get_value('aiowps_enable_lost_password_captcha') == '1'){
180
  if (!is_user_logged_in()) {
181
  add_action('lostpassword_form', array(&$this, 'insert_captcha_question_form'));
183
  }
184
  }
185
 
186
+ // For registration manual approval feature
187
  if($aio_wp_security->configs->get_value('aiowps_enable_manual_registration_approval') == '1'){
188
  add_filter('wp_login_errors', array(&$this, 'modify_registration_page_messages'),10, 2);
189
  }
190
 
191
+ // For registration page captcha feature
192
  if (AIOWPSecurity_Utility::is_multisite_install()){
193
  $blog_id = get_current_blog_id();
194
  switch_to_blog($blog_id);
208
  }
209
  }
210
 
211
+ // For comment captcha feature or custom login form captcha
212
  if (AIOWPSecurity_Utility::is_multisite_install()){
213
  $blog_id = get_current_blog_id();
214
  switch_to_blog($blog_id);
236
  }
237
  }
238
 
239
+ // For buddypress registration captcha feature
240
  if($aio_wp_security->configs->get_value('aiowps_enable_bp_register_captcha') == '1'){
241
  add_action('bp_account_details_fields', array(&$this, 'insert_captcha_question_form'));
242
  add_action('bp_signup_validate', array(&$this, 'buddy_press_signup_validate_captcha'));
243
  }
244
 
245
 
246
+ // For feature which displays logged in users
247
+ $aio_wp_security->user_login_obj->update_users_online_transient();
248
 
249
+ // For block fake googlebots feature
250
  if($aio_wp_security->configs->get_value('aiowps_block_fake_googlebots') == '1'){
251
  include_once(AIO_WP_SECURITY_PATH.'/classes/wp-security-bot-protection.php');
252
  AIOWPSecurity_Fake_Bot_Protection::block_fake_googlebots();
253
  }
254
 
255
+ // For 404 event logging
256
  if($aio_wp_security->configs->get_value('aiowps_enable_404_logging') == '1'){
257
  add_action('wp_head', array(&$this, 'check_404_event'));
258
  }
259
 
260
+ // Add more tasks that need to be executed at init time
261
 
262
  } // end _construct()
263
 
370
  }
371
  }
372
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
373
  /**
374
  * Renders captcha on form produced by the wp_login_form() function, ie, custom wp login form
375
  * @global type $aio_wp_security
463
  }
464
 
465
  //Don't do captcha for pingback/trackback
466
+ if ($comment['comment_type'] != '' && $comment['comment_type'] != 'comment' && $comment['comment_type'] != 'review') {
467
  return $comment;
468
  }
469
 
613
  // Do NOT enqueue if this is the main woocommerce account login page because for woocommerce page we "explicitly" render the recaptcha widget
614
  $is_woo = false;
615
 
616
+ // We don't want to load for woo account page because we have a special function for this
617
  if ( function_exists('is_account_page') ) {
618
  // Check if this a woocommerce account page
619
  $is_woo = is_account_page();
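Review bot: The widened condition at new line 466 still exempts every comment type other than '', 'comment' and 'review' from the captcha, although the comment directly above it says only pingbacks and trackbacks are meant to be skipped, so any other type a plugin submits through wp_new_comment() bypasses the check silently. Since the intent is a denylist, spelling it out keeps types added later protected: `if (in_array($comment['comment_type'], array('pingback', 'trackback'), true)) { return $comment; }`. This would also start enforcing the captcha for programmatic callers that pass a custom comment_type through wp_new_comment(), so it is worth confirming no such caller exists before tightening it. The enclosing function starts outside the hunk.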
classes/wp-security-process-renamed-login-page.php CHANGED
@@ -209,6 +209,7 @@ class AIOWPSecurity_Process_Renamed_Login_Page
209
  AIOWPSecurity_Utility::redirect_to_url(AIOWPSEC_WP_URL."/wp-admin");
210
  }else{
211
  global $wp_version;
 
212
  status_header( 200 );
213
  if ( version_compare( $wp_version, '5.2', '>=' ) ) {
214
  require_once(AIO_WP_SECURITY_PATH . '/other-includes/wp-security-rename-login-feature.php' );
209
  AIOWPSecurity_Utility::redirect_to_url(AIOWPSEC_WP_URL."/wp-admin");
210
  }else{
211
  global $wp_version;
212
+ do_action('aiowps_rename_login_load');
213
  status_header( 200 );
214
  if ( version_compare( $wp_version, '5.2', '>=' ) ) {
215
  require_once(AIO_WP_SECURITY_PATH . '/other-includes/wp-security-rename-login-feature.php' );
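Review bot: The new `do_action('aiowps_rename_login_load');` at new line 212 introduces a public extension point with no documentation, so a third-party developer cannot tell when it fires or what state it may rely on. Add a hook docblock above it in the WordPress style, e.g. `/** Fires on the renamed login page before the 200 status header is sent and the login feature template is required. */`. Because it runs ahead of status_header(), a callback that emits output or sends headers of its own may alter the response, which is worth stating in that docblock. The enclosing else-branch continues outside the hunk.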
classes/wp-security-user-login.php CHANGED
@@ -504,7 +504,7 @@ class AIOWPSecurity_User_Login
504
  $ip_addr = AIOWPSecurity_Utility_IP::get_user_ip_address();
505
  $user_id = $current_user->ID;
506
  //Clean up transients table
507
- $this->update_user_online_transient($user_id, $ip_addr);
508
  $login_activity_table = AIOWPSEC_TBL_USER_LOGIN_ACTIVITY;
509
  $logout_date_time = current_time( 'mysql' );
510
  $data = array('logout_date' => $logout_date_time);
@@ -517,29 +517,93 @@ class AIOWPSecurity_User_Login
517
  $aio_wp_security->debug_logger->log_debug("Error inserting record into ".$login_activity_table,4);//Log the highly unlikely event of DB error
518
  }
519
  }
 
520
  /**
521
- * This will clean up the "users_online" transient entry for the current user.
522
- *
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
523
  */
524
- function update_user_online_transient($user_id, $ip_addr)
525
  {
526
  global $aio_wp_security;
527
  $is_multi_site = AIOWPSecurity_Utility::is_multisite_install();
528
  if ($is_multi_site) {
529
  $current_blog_id = get_current_blog_id();
530
- $is_main = is_main_site($current_blog_id);
531
- if($is_main) {
532
- $logged_in_users = get_site_transient('users_online');
533
- } else {
534
- switch_to_blog($current_blog_id);
535
- $logged_in_users = get_transient('users_online');
536
- }
537
  } else {
538
  $logged_in_users = get_transient('users_online');
539
  }
540
 
541
- //$logged_in_users = get_transient('users_online');
542
- if ($logged_in_users === false || $logged_in_users == NULL)
543
  {
544
  return;
545
  }
@@ -553,11 +617,10 @@ class AIOWPSecurity_User_Login
553
  }
554
  $j++;
555
  }
556
- //Save the transient
557
 
558
- // AIOWPSecurity_Utility::is_multisite_install() ? set_site_transient('users_online', $logged_in_users, 30 * 60) : set_transient('users_online', $logged_in_users, 30 * 60);
559
  if ($is_multi_site) {
560
- ($is_main) ? set_site_transient('users_online', $logged_in_users, 30 * 60) : set_transient('users_online', $logged_in_users, 30 * 60);
561
  } else {
562
  set_transient('users_online', $logged_in_users, 30 * 60);
563
  }
@@ -631,7 +694,7 @@ class AIOWPSecurity_User_Login
631
  * Returns all logged in users for specific subsite of multisite installation
632
  * Checks the aiowps transient 'users_online'
633
  * @param type $blog_id
634
- * @return array
635
  */
636
  static function get_subsite_logged_in_users($blog_id=0) {
637
  if(empty($blog_id)) return false;
@@ -640,9 +703,11 @@ class AIOWPSecurity_User_Login
640
  if (AIOWPSecurity_Utility::is_multisite_install()) {
641
  // this contains all logged in users sitewide across subsites
642
  $users_online = get_site_transient('users_online');
643
- $logged_in_users = empty($users_online)?array():$users_online;
644
- // Subsite - extract only logged in users for current blog
645
- foreach($logged_in_users as $user) {
 
 
646
  if (isset($user['blog_id']) && $user['blog_id'] == $blog_id) {
647
  $subsite_logged_in_users[] = $user;
648
  }
@@ -650,4 +715,5 @@ class AIOWPSecurity_User_Login
650
  }
651
  return $subsite_logged_in_users;
652
  }
 
653
  }
504
  $ip_addr = AIOWPSecurity_Utility_IP::get_user_ip_address();
505
  $user_id = $current_user->ID;
506
  //Clean up transients table
507
+ $this->cleanup_users_online_transient($user_id, $ip_addr);
508
  $login_activity_table = AIOWPSEC_TBL_USER_LOGIN_ACTIVITY;
509
  $logout_date_time = current_time( 'mysql' );
510
  $data = array('logout_date' => $logout_date_time);
517
  $aio_wp_security->debug_logger->log_debug("Error inserting record into ".$login_activity_table,4);//Log the highly unlikely event of DB error
518
  }
519
  }
520
+
521
  /**
522
+ * Update the 'users_online' transient
523
+ * @return void
524
+ */
525
+ function update_users_online_transient()
526
+ {
527
+ if(is_user_logged_in()){
528
+ $is_multi_site = AIOWPSecurity_Utility::is_multisite_install();
529
+ $current_user_ip = AIOWPSecurity_Utility_IP::get_user_ip_address();
530
+ // get the logged in users list from transients entry
531
+ $logged_in_users = ($is_multi_site ? get_site_transient('users_online') : get_transient('users_online'));
532
+ $current_user = wp_get_current_user();
533
+ $current_user = $current_user->ID;
534
+ $current_time = current_time('timestamp');
535
+ $current_user_info = array();
536
+
537
+ // Store last activity time and ip address in transient entry
538
+ if($is_multi_site) {
539
+ $current_blog_id = get_current_blog_id();
540
+ // For multi-sites also store blog_id
541
+ $current_user_info = array("user_id" => $current_user, "last_activity" => $current_time, "ip_address" => $current_user_ip, "blog_id" => $current_blog_id);
542
+ } else {
543
+ $current_user_info = array("user_id" => $current_user, "last_activity" => $current_time, "ip_address" => $current_user_ip, "blog_id" => false);
544
+ }
545
+
546
+ if(empty($logged_in_users))
547
+ {
548
+ // case when "users_online" transient has been deleted after expiry or is empty
549
+ $logged_in_users = array();
550
+ $logged_in_users[] = $current_user_info;
551
+ $is_multi_site ? set_site_transient('users_online', $logged_in_users, 30 * 60) : set_transient('users_online', $logged_in_users, 30 * 60);
552
+ }
553
+ else
554
+ {
555
+ $key = 0;
556
+ $update_existing = false;
557
+ $item_index = 0;
558
+ foreach ($logged_in_users as $value)
559
+ {
560
+ $value_minus_activity = $value;
561
+ unset($value_minus_activity['last_activity']);
562
+ $current_user_minus_activity = $current_user_info;
563
+ unset($current_user_minus_activity['last_activity']);
564
+ // Check if current user we're looking at has an entry in the 'users_online' transient
565
+ if(empty(array_diff($current_user_minus_activity, $value_minus_activity)))
566
+ {
567
+ if ($value['last_activity'] < ($current_time - (15 * 60)))
568
+ {
569
+ $update_existing = true;
570
+ $item_index = $key;
571
+ break;
572
+ }else{
573
+ return; // do nothing and just return
574
+ }
575
+ }
576
+ $key++;
577
+ }
578
+
579
+ if($update_existing) {
580
+ // Update transient if the last activity was over 15 min ago for this user
581
+ $logged_in_users[$item_index] = $current_user_info;
582
+ AIOWPSecurity_Utility::is_multisite_install() ? set_site_transient('users_online', $logged_in_users, 30 * 60) : set_transient('users_online', $logged_in_users, 30 * 60);
583
+ } else {
584
+ $logged_in_users[] = $current_user_info;
585
+ AIOWPSecurity_Utility::is_multisite_install() ? set_site_transient('users_online', $logged_in_users, 30 * 60) : set_transient('users_online', $logged_in_users, 30 * 60);
586
+ }
587
+ }
588
+ }
589
+ }
590
+
591
+ /**
592
+ * This will clean up the "users_online" transient entry for the current user when a logout occurs
593
+ * @return void
594
  */
595
+ function cleanup_users_online_transient($user_id, $ip_addr)
596
  {
597
  global $aio_wp_security;
598
  $is_multi_site = AIOWPSecurity_Utility::is_multisite_install();
599
  if ($is_multi_site) {
600
  $current_blog_id = get_current_blog_id();
601
+ $logged_in_users = AIOWPSecurity_User_Login::get_subsite_logged_in_users($current_blog_id);
 
 
 
 
 
 
602
  } else {
603
  $logged_in_users = get_transient('users_online');
604
  }
605
 
606
+ if (empty($logged_in_users))
 
607
  {
608
  return;
609
  }
617
  }
618
  $j++;
619
  }
 
620
 
621
+ // Save the transient
622
  if ($is_multi_site) {
623
+ set_site_transient('users_online', $logged_in_users, 30 * 60);
624
  } else {
625
  set_transient('users_online', $logged_in_users, 30 * 60);
626
  }
694
  * Returns all logged in users for specific subsite of multisite installation
695
  * Checks the aiowps transient 'users_online'
696
  * @param type $blog_id
697
+ * @return array|bool
698
  */
699
  static function get_subsite_logged_in_users($blog_id=0) {
700
  if(empty($blog_id)) return false;
703
  if (AIOWPSecurity_Utility::is_multisite_install()) {
704
  // this contains all logged in users sitewide across subsites
705
  $users_online = get_site_transient('users_online');
706
+ if(empty($users_online)) {
707
+ return array();
708
+ }
709
+ // Extract only logged in users for current subsite
710
+ foreach($users_online as $user) {
711
  if (isset($user['blog_id']) && $user['blog_id'] == $blog_id) {
712
  $subsite_logged_in_users[] = $user;
713
  }
715
  }
716
  return $subsite_logged_in_users;
717
  }
718
+
719
  }
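Review bot: In `cleanup_users_online_transient` the multisite branch now reads `AIOWPSecurity_User_Login::get_subsite_logged_in_users($current_blog_id)` (new line 601), which returns only the current subsite's entries, yet after the removal loop the same array is written back with `set_site_transient('users_online', $logged_in_users, 30 * 60)` (new line 623), so every logout on a subsite silently drops the other subsites' users from the network-wide list. Read the full `get_site_transient('users_online')` here and restrict the removal loop (new lines 605-619, partly outside the hunk) to entries whose `blog_id` equals `$current_blog_id`, or merge the filtered list back into the full one before saving. In `update_users_online_transient`, `empty(array_diff($current_user_minus_activity, $value_minus_activity))` (new line 565) compares values without regard to keys, so two entries whose `user_id` and `blog_id` values are swapped compare as equal; comparing the identifying keys explicitly, `$value['user_id'] == $current_user && $value['ip_address'] == $current_user_ip && $value['blog_id'] == $current_user_info['blog_id']`, is clearer and correct. The same function re-calls `AIOWPSecurity_Utility::is_multisite_install()` on new lines 582 and 585 although `$is_multi_site` was already computed on line 528.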
classes/wp-security-utility-htaccess.php CHANGED
@@ -360,8 +360,13 @@ class AIOWPSecurity_Utility_Htaccess
360
  //disable the server signature
361
  $rules .= 'ServerSignature Off' . PHP_EOL;
362
 
363
- //limit file uploads to 10mb
364
- $rules .= 'LimitRequestBody 10240000' . PHP_EOL;
 
 
 
 
 
365
 
366
  // protect wpconfig.php.
367
  $rules .= self::create_apache2_access_denied_rule('wp-config.php');
360
  //disable the server signature
361
  $rules .= 'ServerSignature Off' . PHP_EOL;
362
 
363
+ //limit file upload size
364
+ $upload_limit = $aio_wp_security->configs->get_value('aiowps_max_file_upload_size');
365
+ //Shouldn't be empty but just in case
366
+ $upload_limit = empty($upload_limit)?10:$upload_limit;
367
+ $upload_limit = $upload_limit * 1024 * 1024; // Convert from MB to Bytes - approx but close enough
368
+
369
+ $rules .= 'LimitRequestBody '.$upload_limit . PHP_EOL;
370
 
371
  // protect wpconfig.php.
372
  $rules .= self::create_apache2_access_denied_rule('wp-config.php');
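Review bot: The `aiowps_max_file_upload_size` value is written straight into the `LimitRequestBody` directive after only an `empty()` check (new lines 364-369); any non-numeric stored value, for instance `10MB` or a trailing space, would make Apache reject the whole .htaccess and take the site down with a 500 until the file is edited by hand. Coerce it to a positive integer at this point regardless of what the settings form validates on save, `$upload_limit = absint($upload_limit); $upload_limit = $upload_limit > 0 ? $upload_limit : 10;`. The comment `approx but close enough` on line 367 is misleading since `1024 * 1024` is exactly one MiB; `// MiB to bytes` says what the line does. The enclosing function starts outside the hunk, so I could not confirm that `$aio_wp_security` is declared `global` there, which line 364 depends on.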
classes/wp-security-wp-footer-content.php CHANGED
@@ -9,16 +9,36 @@ class AIOWPSecurity_WP_Footer_Content {
9
  //Add content that need to be outputted in the footer area.
10
 
11
  global $aio_wp_security;
 
 
12
  if($aio_wp_security->configs->get_value('aiowps_default_recaptcha')) {
13
- $this->print_google_recaptcha_api();
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
14
  }
15
 
16
  // Activate the copy protection feature for non-admin users
17
  $copy_protection_active = $aio_wp_security->configs->get_value('aiowps_copy_protection') == '1';
18
- if ( $copy_protection_active && !current_user_can(AIOWPSEC_MANAGEMENT_PERMISSION) ) {
 
19
  $this->output_copy_protection_code();
20
  }
21
-
22
  //TODO - add other footer output content here
23
  }
24
 
@@ -26,26 +46,31 @@ class AIOWPSecurity_WP_Footer_Content {
26
  * For Woocommerce my account page - display two separate Google reCaptcha forms "explicitly"
27
  * @global type $aio_wp_security
28
  */
29
- function print_google_recaptcha_api() {
30
  global $aio_wp_security;
 
 
 
 
 
31
  $site_key = esc_html( $aio_wp_security->configs->get_value('aiowps_recaptcha_site_key') );
32
  ?>
33
  <script type="text/javascript">
34
- var verifyCallback = function(response) {
35
- alert(response);
36
- };
37
- var onloadCallback = function() {
38
- if ( jQuery('#woo_recaptcha_1').length ) {
39
- grecaptcha.render('woo_recaptcha_1', {
40
- 'sitekey' : '<?php echo $site_key; ?>',
41
- });
42
- }
43
- if ( jQuery('#woo_recaptcha_2').length ) {
44
- grecaptcha.render('woo_recaptcha_2', {
45
- 'sitekey' : '<?php echo $site_key; ?>',
46
- });
47
- }
48
- };
49
  </script>
50
  <script src='https://www.google.com/recaptcha/api.js?onload=onloadCallback&render=explicit' async defer></script>
51
  <?php
@@ -89,5 +114,23 @@ class AIOWPSecurity_WP_Footer_Content {
89
  <?php
90
  }
91
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
92
  }
93
  //End of class
9
  //Add content that need to be outputted in the footer area.
10
 
11
  global $aio_wp_security;
12
+
13
+ // If Google recaptcha is enabled do relevant tasks
14
  if($aio_wp_security->configs->get_value('aiowps_default_recaptcha')) {
15
+ // For Woocommerce forms.
16
+ // Only proceed if woocommerce installed and active
17
+ if ( in_array( 'woocommerce/woocommerce.php', apply_filters( 'active_plugins', get_option( 'active_plugins' ) ) ) )
18
+ {
19
+ if($aio_wp_security->configs->get_value('aiowps_enable_woo_login_captcha') == '1' ||
20
+ $aio_wp_security->configs->get_value('aiowps_enable_woo_register_captcha') == '1' ||
21
+ $aio_wp_security->configs->get_value('aiowps_enable_woo_lostpassword_captcha') == '1')
22
+ {
23
+ $this->print_recaptcha_api_woo();
24
+ }
25
+ }
26
+
27
+ // For custom wp login form
28
+ if($aio_wp_security->configs->get_value('aiowps_enable_custom_login_captcha') == '1')
29
+ {
30
+ $this->print_recaptcha_api_custom_login();
31
+ }
32
+
33
  }
34
 
35
  // Activate the copy protection feature for non-admin users
36
  $copy_protection_active = $aio_wp_security->configs->get_value('aiowps_copy_protection') == '1';
37
+ if ( $copy_protection_active && !current_user_can(AIOWPSEC_MANAGEMENT_PERMISSION) )
38
+ {
39
  $this->output_copy_protection_code();
40
  }
41
+
42
  //TODO - add other footer output content here
43
  }
44
 
46
  * For Woocommerce my account page - display two separate Google reCaptcha forms "explicitly"
47
  * @global type $aio_wp_security
48
  */
49
+ function print_recaptcha_api_woo() {
50
  global $aio_wp_security;
51
+ $is_woo = false;
52
+ $is_woo = is_account_page();
53
+ if(!$is_woo) {
54
+ return; // if current page is not woo account page don't do anything
55
+ }
56
  $site_key = esc_html( $aio_wp_security->configs->get_value('aiowps_recaptcha_site_key') );
57
  ?>
58
  <script type="text/javascript">
59
+ var verifyCallback = function(response) {
60
+ alert(response);
61
+ };
62
+ var onloadCallback = function() {
63
+ if ( jQuery('#woo_recaptcha_1').length ) {
64
+ grecaptcha.render('woo_recaptcha_1', {
65
+ 'sitekey' : '<?php echo $site_key; ?>',
66
+ });
67
+ }
68
+ if ( jQuery('#woo_recaptcha_2').length ) {
69
+ grecaptcha.render('woo_recaptcha_2', {
70
+ 'sitekey' : '<?php echo $site_key; ?>',
71
+ });
72
+ }
73
+ };
74
  </script>
75
  <script src='https://www.google.com/recaptcha/api.js?onload=onloadCallback&render=explicit' async defer></script>
76
  <?php
114
  <?php
115
  }
116
 
117
+ /**
118
+ * For case when a custom wp_login_form() is displayed anywhere on a page.
119
+ * Inserts a script element referencing google recaptcha api v2.
120
+ * Only inserts the recaptcha script element if the wp login form exists.
121
+ */
122
+ function print_recaptcha_api_custom_login()
123
+ {
124
+ ?>
125
+ <script type="text/javascript">
126
+ let cust_login = document.getElementById("loginform");
127
+ if(cust_login !== null) {
128
+ var recaptcha_script = document.createElement('script');
129
+ recaptcha_script.setAttribute('src','https://www.google.com/recaptcha/api.js');
130
+ document.head.appendChild(recaptcha_script);
131
+ }
132
+ </script>
133
+ <?php
134
+ }
135
  }
136
  //End of class
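Review bot: The WooCommerce activity test on new line 17, `in_array('woocommerce/woocommerce.php', apply_filters('active_plugins', get_option('active_plugins')))`, only consults the per-site `active_plugins` option, so on a multisite where WooCommerce is network-activated the condition is false and the reCAPTCHA script is never printed even if the captcha fields themselves are output by the form hooks; the same test appears in admin/wp-security-brute-force-menu.php in this commit. `class_exists('WooCommerce')` (safe at `wp_footer`, long after `plugins_loaded`) covers both activation modes and also protects the `is_account_page()` call in `print_recaptcha_api_woo`, which is a WooCommerce function. While here, `$site_key` on line 56 is escaped with `esc_html()` but is interpolated into JavaScript string literals on lines 65 and 70; `esc_js()` is the escaper for that context. The `verifyCallback` that `alert()`s the response (lines 59-61) looks like leftover debugging and is never passed to `grecaptcha.render`, so it can be dropped.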
other-includes/wp-security-rename-login-feature-pre-5-2.php CHANGED
@@ -440,7 +440,11 @@ if ( SITECOOKIEPATH != COOKIEPATH )
440
  setcookie( TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN, $secure );
441
 
442
  $lang = ! empty( $_GET['wp_lang'] ) ? sanitize_text_field( $_GET['wp_lang'] ) : '';
443
- $switched_locale = switch_to_locale( $lang );
 
 
 
 
444
 
445
  /**
446
  * Fires when the login form is initialized.
440
  setcookie( TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN, $secure );
441
 
442
  $lang = ! empty( $_GET['wp_lang'] ) ? sanitize_text_field( $_GET['wp_lang'] ) : '';
443
+ $switched_locale = false;
444
+
445
+ if ( function_exists( 'switch_to_locale' ) ) {
446
+ $switched_locale = switch_to_locale( $lang );
447
+ }
448
 
449
  /**
450
  * Fires when the login form is initialized.
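Review bot: The `function_exists('switch_to_locale')` guard added on new lines 445-447 is dead on the supported range: `switch_to_locale()` was introduced in WordPress 4.7 and readme.txt in this commit states `Requires at least: 4.7`. If it is kept for a reason (an older core copy this file may be loaded alongside, say), a one-line comment such as `// switch_to_locale() exists since WP 4.7; kept defensively` would stop the next reader from removing it, otherwise the original single assignment was clearer. `$lang` still comes straight from `$_GET['wp_lang']` with only `sanitize_text_field()`; as far as I can tell `switch_to_locale()` does not reject unknown locale strings, so validating against `get_available_languages()` and falling back to `''` would keep arbitrary input out of the locale switcher.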
readme.txt CHANGED
@@ -1,10 +1,10 @@
1
  === All In One WP Security & Firewall ===
2
- Contributors: Tips and Tricks HQ, wpsolutions, Peter Petreski, Ruhul Amin, mbrsolution, chesio
3
  Donate link: https://www.tipsandtricks-hq.com
4
  Tags: security, secure, Anti Virus, antivirus, ban, ban hacker, virus, firewall, firewall security, login, lockdown, htaccess, hack, malware, vulnerability, protect, protection, phishing, database, backup, plugin, sql injection, ssl, restrict, login captcha, bot, hotlink, 404 detection, admin, rename, all in one, scan, scanner, iframe,
5
  Requires at least: 4.7
6
- Tested up to: 5.3
7
- Stable tag: trunk
8
  License: GPLv3
9
 
10
  A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site.
@@ -184,6 +184,19 @@ None
184
 
185
  == Changelog ==
186
 
 
 
 
 
 
 
 
 
 
 
 
 
 
187
  = 4.4.2 =
188
  - Fixed vulnerability related to open redirect and exposure of hidden login page for specific case. (Thanks to Erwan (wpscanteam) for letting us know)
189
 
1
  === All In One WP Security & Firewall ===
2
+ Contributors: Tips and Tricks HQ, wpsolutions, Peter Petreski, Ruhul Amin, mbrsolution
3
  Donate link: https://www.tipsandtricks-hq.com
4
  Tags: security, secure, Anti Virus, antivirus, ban, ban hacker, virus, firewall, firewall security, login, lockdown, htaccess, hack, malware, vulnerability, protect, protection, phishing, database, backup, plugin, sql injection, ssl, restrict, login captcha, bot, hotlink, 404 detection, admin, rename, all in one, scan, scanner, iframe,
5
  Requires at least: 4.7
6
+ Tested up to: 5.5
7
+ Stable tag: 4.4.4
8
  License: GPLv3
9
 
10
  A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site.
184
 
185
  == Changelog ==
186
 
187
+ = 4.4.4 =
188
+ - Fixed bugs and improved functionality related to "logged in users" functionality.
189
+ - Google recaptha checks for WooCommerce product reviews
190
+ - Replaced use of deprecated hook "wpmu_new_blog" with "wp_insert_site"
191
+ - Fixed a potential XSS issue in the settings menu of the plugin for IE11 or older browsers.
192
+
193
+ = 4.4.3 =
194
+ - Improved file change detection feature to address DB backups failing silently in some cases due to very large serialized data stored in a single row.
195
+ - Added new action hook (aiowps_rename_login_load) just before renamed login page is loaded.
196
+ - Added a check to ensure that woocommerce captcha settings are displayed only if woocommerce plugin is installed/active.
197
+ - Fixed recaptcha bugs.
198
+ - Added configurable item for max file upload size in basic firewall rules.
199
+
200
  = 4.4.2 =
201
  - Fixed vulnerability related to open redirect and exposure of hidden login page for specific case. (Thanks to Erwan (wpscanteam) for letting us know)
202
 
wp-security-core.php CHANGED
@@ -7,7 +7,7 @@ if ( !defined('ABSPATH') ) {
7
  if (!class_exists('AIO_WP_Security')){
8
 
9
  class AIO_WP_Security{
10
- var $version = '4.4.2';
11
  var $db_version = '1.9';
12
  var $plugin_url;
13
  var $plugin_path;
@@ -32,25 +32,25 @@ class AIO_WP_Security{
32
  add_action('wp_loaded',array(&$this, 'aiowps_wp_loaded_handler'));
33
  do_action('aiowpsecurity_loaded');
34
  }
35
-
36
  function plugin_url()
37
- {
38
  if ($this->plugin_url) return $this->plugin_url;
39
  return $this->plugin_url = plugins_url( basename( plugin_dir_path(__FILE__) ), basename( __FILE__ ) );
40
  }
41
 
42
  function plugin_path()
43
- {
44
- if ($this->plugin_path) return $this->plugin_path;
45
  return $this->plugin_path = untrailingslashit( plugin_dir_path( __FILE__ ) );
46
  }
47
-
48
  function load_configs()
49
  {
50
  include_once('classes/wp-security-config.php');
51
  $this->configs = AIOWPSecurity_Config::get_instance();
52
  }
53
-
54
  function define_constants()
55
  {
56
  define('AIO_WP_SECURITY_VERSION', $this->version);
@@ -81,7 +81,7 @@ class AIO_WP_Security{
81
  define('AIOWPSEC_FILESCAN_MENU_SLUG', 'aiowpsec_filescan');
82
  define('AIOWPSEC_BRUTE_FORCE_MENU_SLUG', 'aiowpsec_brute_force');
83
  define('AIOWPSEC_MISC_MENU_SLUG', 'aiowpsec_misc');
84
-
85
  global $wpdb;
86
  define('AIOWPSEC_TBL_LOGIN_LOCKDOWN', $wpdb->prefix . 'aiowps_login_lockdown');
87
  define('AIOWPSEC_TBL_FAILED_LOGINS', $wpdb->prefix . 'aiowps_failed_logins');
@@ -102,7 +102,7 @@ class AIO_WP_Security{
102
  include_once('classes/wp-security-utility-file.php');
103
  include_once('classes/wp-security-general-init-tasks.php');
104
  include_once('classes/wp-security-wp-loaded-tasks.php');
105
-
106
  include_once('classes/wp-security-user-login.php');
107
  include_once('classes/wp-security-user-registration.php');
108
  include_once('classes/wp-security-captcha.php');
@@ -113,12 +113,12 @@ class AIO_WP_Security{
113
  include_once('classes/grade-system/wp-security-feature-item-manager.php');
114
  include_once('classes/wp-security-wp-footer-content.php');
115
  include_once('classes/wp-security-blocking.php');
116
-
117
  if (is_admin()){ //Load admin side only files
118
  include_once('classes/wp-security-configure-settings.php');
119
  include_once('admin/wp-security-admin-init.php');
120
  include_once('admin/general/wp-security-list-table.php');
121
-
122
  }
123
  else{ //Load front end side only files
124
  }
@@ -127,11 +127,11 @@ class AIO_WP_Security{
127
  function loader_operations()
128
  {
129
  add_action('plugins_loaded',array(&$this, 'plugins_loaded_handler'));//plugins loaded hook
130
-
131
  $debug_config = $this->configs->get_value('aiowps_enable_debug');
132
  $debug_enabled = empty($debug_config) ? false : true;
133
  $this->debug_logger = new AIOWPSecurity_Logger($debug_enabled);
134
-
135
  if(is_admin()){
136
  $this->admin_init = new AIOWPSecurity_Admin_Init();
137
  }
@@ -145,7 +145,7 @@ class AIO_WP_Security{
145
  AIOWPSecurity_Installer::run_installer($networkwide);
146
  AIOWPSecurity_Installer::set_cron_tasks_upon_activation($networkwide);
147
  }
148
-
149
  static function deactivate_handler($networkwide)
150
  {
151
  //Only runs with the pluign is deactivated
@@ -153,7 +153,7 @@ class AIO_WP_Security{
153
  AIOWPSecurity_Deactivation::run_deactivation_tasks($networkwide);
154
  do_action('aiowps_deactivation_complete');
155
  }
156
-
157
  function db_upgrade_handler()
158
  {
159
  if(is_admin()){//Check if DB needs to be upgraded
@@ -163,7 +163,7 @@ class AIO_WP_Security{
163
  }
164
  }
165
  }
166
-
167
  function plugins_loaded_handler()
168
  {
169
  //Runs when plugins_loaded action gets fired
@@ -173,7 +173,7 @@ class AIO_WP_Security{
173
  }
174
  $this->do_additional_plugins_loaded_tasks();
175
  }
176
-
177
  function wp_security_plugin_init()
178
  {
179
  //Set up localisation. First loaded overrides strings present in later loaded file
@@ -181,27 +181,27 @@ class AIO_WP_Security{
181
  load_textdomain( 'all-in-one-wp-security-and-firewall', WP_LANG_DIR . "/all-in-one-wp-security-and-firewall-$locale.mo" );
182
  load_plugin_textdomain('all-in-one-wp-security-and-firewall', false, dirname(plugin_basename(__FILE__ )) . '/languages/');
183
 
184
- //Actions, filters, shortcodes goes here
185
  $this->user_login_obj = new AIOWPSecurity_User_Login();//Do the user login operation tasks
186
  $this->user_registration_obj = new AIOWPSecurity_User_Registration();//Do the user login operation tasks
187
  $this->captcha_obj = new AIOWPSecurity_Captcha();//Do the captcha tasks
188
  $this->backup_obj = new AIOWPSecurity_Backup();//Object to handle backup tasks
189
- $this->scan_obj = new AIOWPSecurity_Scan();//Object to handle scan tasks
190
  $this->cron_handler = new AIOWPSecurity_Cronjob_Handler();
191
-
192
  add_action('login_enqueue_scripts',array(&$this, 'aiowps_login_enqueue'));
193
  add_action('wp_footer',array(&$this, 'aiowps_footer_content'));
194
-
195
  add_action('wp_login', array('AIOWPSecurity_User_Login', 'wp_login_action_handler'), 10, 2);
196
  do_action('aiowps_force_logout_check');
197
  new AIOWPSecurity_General_Init_Tasks();
198
  }
199
-
200
  function aiowps_wp_loaded_handler()
201
  {
202
  new AIOWPSecurity_WP_Loaded_Tasks();
203
  }
204
-
205
  /**
206
  * Enqueues the Google recaptcha v2 api URL for the standard WP login page
207
  * @global type $aio_wp_security
@@ -210,9 +210,11 @@ class AIO_WP_Security{
210
  {
211
  global $aio_wp_security;
212
  if($aio_wp_security->configs->get_value('aiowps_default_recaptcha')) {
213
- wp_enqueue_script( 'google-recaptcha', 'https://www.google.com/recaptcha/api.js', false );
214
- // below is needed to provide some space for the google reCaptcha form (otherwise it appears partially hidden on RHS)
215
- wp_add_inline_script( 'google-recaptcha', 'document.addEventListener("DOMContentLoaded", ()=>{document.getElementById("login").style.width = "340px";});' );
 
 
216
  }
217
  }
218
 
@@ -220,7 +222,7 @@ class AIO_WP_Security{
220
  {
221
  new AIOWPSecurity_WP_Footer_Content();
222
  }
223
-
224
  function do_additional_plugins_loaded_tasks()
225
  {
226
  global $aio_wp_security;
@@ -228,7 +230,7 @@ class AIO_WP_Security{
228
  {
229
  $nonce = isset($_GET['_wpnonce'])?$_GET['_wpnonce']:'';
230
  if ( !wp_verify_nonce( $nonce, 'aio_logout' ) ) {
231
- return;
232
  }
233
  wp_logout();
234
  if(isset($_GET['after_logout']))//Redirect to the after logout url directly
@@ -265,8 +267,8 @@ class AIO_WP_Security{
265
  }
266
  }
267
  }
268
- }
269
-
270
  }//End of class
271
 
272
  }//End of class not exists check
7
  if (!class_exists('AIO_WP_Security')){
8
 
9
  class AIO_WP_Security{
10
+ var $version = '4.4.4';
11
  var $db_version = '1.9';
12
  var $plugin_url;
13
  var $plugin_path;
32
  add_action('wp_loaded',array(&$this, 'aiowps_wp_loaded_handler'));
33
  do_action('aiowpsecurity_loaded');
34
  }
35
+
36
  function plugin_url()
37
+ {
38
  if ($this->plugin_url) return $this->plugin_url;
39
  return $this->plugin_url = plugins_url( basename( plugin_dir_path(__FILE__) ), basename( __FILE__ ) );
40
  }
41
 
42
  function plugin_path()
43
+ {
44
+ if ($this->plugin_path) return $this->plugin_path;
45
  return $this->plugin_path = untrailingslashit( plugin_dir_path( __FILE__ ) );
46
  }
47
+
48
  function load_configs()
49
  {
50
  include_once('classes/wp-security-config.php');
51
  $this->configs = AIOWPSecurity_Config::get_instance();
52
  }
53
+
54
  function define_constants()
55
  {
56
  define('AIO_WP_SECURITY_VERSION', $this->version);
81
  define('AIOWPSEC_FILESCAN_MENU_SLUG', 'aiowpsec_filescan');
82
  define('AIOWPSEC_BRUTE_FORCE_MENU_SLUG', 'aiowpsec_brute_force');
83
  define('AIOWPSEC_MISC_MENU_SLUG', 'aiowpsec_misc');
84
+
85
  global $wpdb;
86
  define('AIOWPSEC_TBL_LOGIN_LOCKDOWN', $wpdb->prefix . 'aiowps_login_lockdown');
87
  define('AIOWPSEC_TBL_FAILED_LOGINS', $wpdb->prefix . 'aiowps_failed_logins');
102
  include_once('classes/wp-security-utility-file.php');
103
  include_once('classes/wp-security-general-init-tasks.php');
104
  include_once('classes/wp-security-wp-loaded-tasks.php');
105
+
106
  include_once('classes/wp-security-user-login.php');
107
  include_once('classes/wp-security-user-registration.php');
108
  include_once('classes/wp-security-captcha.php');
113
  include_once('classes/grade-system/wp-security-feature-item-manager.php');
114
  include_once('classes/wp-security-wp-footer-content.php');
115
  include_once('classes/wp-security-blocking.php');
116
+
117
  if (is_admin()){ //Load admin side only files
118
  include_once('classes/wp-security-configure-settings.php');
119
  include_once('admin/wp-security-admin-init.php');
120
  include_once('admin/general/wp-security-list-table.php');
121
+
122
  }
123
  else{ //Load front end side only files
124
  }
127
  function loader_operations()
128
  {
129
  add_action('plugins_loaded',array(&$this, 'plugins_loaded_handler'));//plugins loaded hook
130
+
131
  $debug_config = $this->configs->get_value('aiowps_enable_debug');
132
  $debug_enabled = empty($debug_config) ? false : true;
133
  $this->debug_logger = new AIOWPSecurity_Logger($debug_enabled);
134
+
135
  if(is_admin()){
136
  $this->admin_init = new AIOWPSecurity_Admin_Init();
137
  }
145
  AIOWPSecurity_Installer::run_installer($networkwide);
146
  AIOWPSecurity_Installer::set_cron_tasks_upon_activation($networkwide);
147
  }
148
+
149
  static function deactivate_handler($networkwide)
150
  {
151
  //Only runs with the pluign is deactivated
153
  AIOWPSecurity_Deactivation::run_deactivation_tasks($networkwide);
154
  do_action('aiowps_deactivation_complete');
155
  }
156
+
157
  function db_upgrade_handler()
158
  {
159
  if(is_admin()){//Check if DB needs to be upgraded
163
  }
164
  }
165
  }
166
+
167
  function plugins_loaded_handler()
168
  {
169
  //Runs when plugins_loaded action gets fired
173
  }
174
  $this->do_additional_plugins_loaded_tasks();
175
  }
176
+
177
  function wp_security_plugin_init()
178
  {
179
  //Set up localisation. First loaded overrides strings present in later loaded file
181
  load_textdomain( 'all-in-one-wp-security-and-firewall', WP_LANG_DIR . "/all-in-one-wp-security-and-firewall-$locale.mo" );
182
  load_plugin_textdomain('all-in-one-wp-security-and-firewall', false, dirname(plugin_basename(__FILE__ )) . '/languages/');
183
 
184
+ //Actions, filters, shortcodes goes here
185
  $this->user_login_obj = new AIOWPSecurity_User_Login();//Do the user login operation tasks
186
  $this->user_registration_obj = new AIOWPSecurity_User_Registration();//Do the user login operation tasks
187
  $this->captcha_obj = new AIOWPSecurity_Captcha();//Do the captcha tasks
188
  $this->backup_obj = new AIOWPSecurity_Backup();//Object to handle backup tasks
189
+ $this->scan_obj = new AIOWPSecurity_Scan();//Object to handle scan tasks
190
  $this->cron_handler = new AIOWPSecurity_Cronjob_Handler();
191
+
192
  add_action('login_enqueue_scripts',array(&$this, 'aiowps_login_enqueue'));
193
  add_action('wp_footer',array(&$this, 'aiowps_footer_content'));
194
+
195
  add_action('wp_login', array('AIOWPSecurity_User_Login', 'wp_login_action_handler'), 10, 2);
196
  do_action('aiowps_force_logout_check');
197
  new AIOWPSecurity_General_Init_Tasks();
198
  }
199
+
200
  function aiowps_wp_loaded_handler()
201
  {
202
  new AIOWPSecurity_WP_Loaded_Tasks();
203
  }
204
+
205
  /**
206
  * Enqueues the Google recaptcha v2 api URL for the standard WP login page
207
  * @global type $aio_wp_security
210
  {
211
  global $aio_wp_security;
212
  if($aio_wp_security->configs->get_value('aiowps_default_recaptcha')) {
213
+ if($aio_wp_security->configs->get_value('aiowps_enable_login_captcha') == '1' || $aio_wp_security->configs->get_value('aiowps_enable_registration_page_captcha') == '1') {
214
+ wp_enqueue_script( 'google-recaptcha', 'https://www.google.com/recaptcha/api.js', false );
215
+ // below is needed to provide some space for the google reCaptcha form (otherwise it appears partially hidden on RHS)
216
+ wp_add_inline_script( 'google-recaptcha', 'document.addEventListener("DOMContentLoaded", ()=>{document.getElementById("login").style.width = "340px";});' );
217
+ }
218
  }
219
  }
220
 
222
  {
223
  new AIOWPSecurity_WP_Footer_Content();
224
  }
225
+
226
  function do_additional_plugins_loaded_tasks()
227
  {
228
  global $aio_wp_security;
230
  {
231
  $nonce = isset($_GET['_wpnonce'])?$_GET['_wpnonce']:'';
232
  if ( !wp_verify_nonce( $nonce, 'aio_logout' ) ) {
233
+ return;
234
  }
235
  wp_logout();
236
  if(isset($_GET['after_logout']))//Redirect to the after logout url directly
267
  }
268
  }
269
  }
270
+ }
271
+
272
  }//End of class
273
 
274
  }//End of class not exists check
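Review bot: The reCAPTCHA API is now enqueued on wp-login.php only when `aiowps_enable_login_captcha` or `aiowps_enable_registration_page_captcha` is `'1'` (new line 213); if the plugin also offers a captcha on the standard lost-password form (the WooCommerce equivalent `aiowps_enable_woo_lostpassword_captcha` appears in classes/wp-security-wp-footer-content.php in this commit), that setting is missing from the condition and the widget on the lost-password action would render without its script — worth confirming against the captcha class. The inline script on new line 216 uses an ES2015 arrow function and dereferences `document.getElementById("login")` without a null check; since this release explicitly accommodates IE11, `function(){ var l = document.getElementById("login"); if (l) { l.style.width = "340px"; } }` would be safer. The rest of this section is whitespace normalisation and the version bump.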
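--- a/wp-security.php
+++ b/wp-security.php
@@ -1,7 +1,7 @@
 <?php
 /*
 Plugin Name: All In One WP Security
-Version: 4.4.2
+Version: 4.4.4
 Plugin URI: https://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin
 Author: Tips and Tricks HQ, Peter Petreski, Ruhul, Ivy
 Author URI: https://www.tipsandtricks-hq.com/
@@ -19,7 +19,7 @@ include_once('wp-security-core.php');
 register_activation_hook(__FILE__,array('AIO_WP_Security','activate_handler'));//activation hook
 register_deactivation_hook(__FILE__,array('AIO_WP_Security','deactivate_handler'));//deactivation hook
 
-function aiowps_show_plugin_settings_link($links, $file)
+function aiowps_show_plugin_settings_link($links, $file)
 {
 if ($file == plugin_basename(__FILE__)){
 $settings_link = '<a href="admin.php?page=aiowpsec_settings">Settings</a>';
@@ -29,17 +29,20 @@ function aiowps_show_plugin_settings_link($links, $file)
 }
 add_filter('plugin_action_links', 'aiowps_show_plugin_settings_link', 10, 2 );
 
-function aiowps_ms_handle_new_blog_creation($blog_id, $user_id, $domain, $path, $site_id, $meta ){
-global $wpdb;
-if (is_plugin_active_for_network(__FILE__))
+function aiowps_ms_handle_new_site($new_site){
+global $wpdb;
+$plugin_basename = plugin_basename( __FILE__ );
+if (is_plugin_active_for_network($plugin_basename))
 {
 if(!class_exists('AIOWPSecurity_Installer')){
 include_once('classes/wp-security-installer.php');
 }
 $old_blog = $wpdb->blogid;
-switch_to_blog($blog_id);
+switch_to_blog($new_site->blog_id);
 AIOWPSecurity_Installer::create_db_tables();
 switch_to_blog($old_blog);
 }
+
+
 }
-add_action('wpmu_new_blog', 'aiowps_ms_handle_new_blog_creation', 10, 6);
+add_action('wp_insert_site', 'aiowps_ms_handle_new_site', 10, 1);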
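Review bot: `aiowps_ms_handle_new_site` is attached to `wp_insert_site`, which as I recall from the WordPress 5.1 hook documentation fires right after the row is added to the sites table and before `wp_initialize_site` has created the new site's core tables, so `AIOWPSecurity_Installer::create_db_tables()` runs against a blog that does not yet have its options table; if the installer reads or writes options (not visible from this file, please confirm), that will produce database errors on every new site. The replacement the core deprecation notes recommend for table-creating `wpmu_new_blog` handlers is `wp_initialize_site` at a priority above 10, e.g. `add_action('wp_initialize_site', 'aiowps_ms_handle_new_site', 100, 1);`, and the callback's `$new_site` argument is the same `WP_Site` object there, so the function body can stay as written. The same hunk still pairs `switch_to_blog($new_site->blog_id)` with `switch_to_blog($old_blog)` rather than `restore_current_blog()`, which leaves the switched-blog stack unbalanced; that is pre-existing, but worth fixing while the function is being rewritten.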
