All In One WP Security & Firewall - Version 5.0.9

Version Description

  • 06/October/2022 =

  • FIX: PHP Notice: Only variables should be passed by reference in /wp-content/plugins/all-in-one-wp-security-and-firewall/classes/wp-security-notices.php on line 202.

  • TWEAK: Automatically disable login whitelisting on upgrade for all server types and show a related notice.

  • TWEAK : 2FA - Warning: Deprecated: Call get_controller('totp'), not get_totp_controller() in /includes/simba-tfa/simba-tfa.php on line 713.


Release Info

Developer DavidAnderson
Version 5.0.9

Code changes from version 5.0.8 to 5.0.9

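--- a/admin/wp-security-admin-init.php
+++ b/admin/wp-security-admin-init.php
@@ -203,7 +203,8 @@ class AIOWPSecurity_Admin_Init {
  public function render_admin_notices() {
  global $aio_wp_security;
 
- foreach (AIOS_Abstracted_Ids::custom_admin_notice_ids() as $custom_admin_notice_id) {
+ $custom_notice_ids = array_merge(AIOS_Abstracted_Ids::custom_admin_notice_ids(), AIOS_Abstracted_Ids::htaccess_to_php_feature_notice_ids());
+ foreach ($custom_notice_ids as $custom_admin_notice_id) {
  $aio_wp_security->notices->do_notice($custom_admin_notice_id, $custom_admin_notice_id);
  }
 
@@ -212,7 +213,7 @@ class AIOWPSecurity_Admin_Init {
  return;
  }
 
- $installed_at = $aio_wp_security->notices->get_aiowps_plugin_installed_timestamp();
+ $installed_at = $aio_wp_security->notices->get_aiowps_plugin_installed_timestamp();
  $time_now = $aio_wp_security->notices->get_time_now();
  $installed_for = $time_now - $installed_at;
 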
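--- a/admin/wp-security-blacklist-menu.php
+++ b/admin/wp-security-blacklist-menu.php
@@ -151,7 +151,7 @@ class AIOWPSecurity_Blacklist_Menu extends AIOWPSecurity_Admin_Menu
  */?><!--
  <div class="aio_grey_box">
  <?php
- /* $premium_plugin_link = '<strong><a href="https://aiowpsecurity.com/landing/aiowpsecurity-premium" target="_blank">'.__('All In One WP Security & Firewall Premium', 'all-in-one-wp-security-and-firewall').'</a></strong>';
+ /* $premium_plugin_link = '<strong><a href="https://aiosplugin.com/landing/aiowpsecurity-premium" target="_blank">'.__('All In One WP Security & Firewall Premium', 'all-in-one-wp-security-and-firewall').'</a></strong>';
  $info_msg = sprintf( __('You may also be interested in %s.', 'all-in-one-wp-security-and-firewall'), $premium_plugin_link);
  $info_msg2 = sprintf(__('This plugin adds a number of extra features including %s and %s.', 'all-in-one-wp-security-and-firewall'), '<strong>'.__('smart 404 blocking', 'all-in-one-wp-security-and-firewall').'</strong>', '<strong>'.__('country IP blocking', 'all-in-one-wp-security-and-firewall').'</strong>');
 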
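--- a/admin/wp-security-firewall-menu.php
+++ b/admin/wp-security-firewall-menu.php
@@ -1058,7 +1058,7 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
  */?><!--
  <div class="aio_grey_box">
  <?php
- /* $premium_plugin_link = '<strong><a href="https://aiowpsecurity.com/landing/aiowpsecurity-premium" target="_blank">'.__('All In One WP Security & Firewall Premium', 'all-in-one-wp-security-and-firewall').'</a></strong>';
+ /* $premium_plugin_link = '<strong><a href="https://aiosplugin.com/landing/aiowpsecurity-premium" target="_blank">'.__('All In One WP Security & Firewall Premium', 'all-in-one-wp-security-and-firewall').'</a></strong>';
  $info_msg = sprintf( __('You may also be interested in %s.', 'all-in-one-wp-security-and-firewall'), $premium_plugin_link);
  $info_msg2 = sprintf(__('This plugin adds a number of extra features including %s and %s.', 'all-in-one-wp-security-and-firewall'), '<strong>'.__('smart 404 blocking', 'all-in-one-wp-security-and-firewall').'</strong>', '<strong>'.__('country IP blocking', 'all-in-one-wp-security-and-firewall').'</strong>');
 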
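--- a/classes/wp-security-abstract-ids.php
+++ b/classes/wp-security-abstract-ids.php
@@ -44,6 +44,16 @@ class AIOS_Abstracted_Ids {
  return array(
  'automated-database-backup',
  'ip-retrieval-settings',
+ );
+ }
+
+ /**
+ * Get notice ids for notices that have transformed HTACESS rules to PHP.
+ *
+ * @return array notice ids.
+ */
+ public static function htaccess_to_php_feature_notice_ids() {
+ return array(
  'login-whitelist-disabled-on-upgrade',
  );
  }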
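Review bot: The docblock on the new `htaccess_to_php_feature_notice_ids()` misspells htaccess as "HTACESS" and reads as if the notices themselves transformed the rules. Suggested wording: `* Get the ids of notices shown for features that were moved from .htaccess rules to PHP.` Moving `'login-whitelist-disabled-on-upgrade'` out of `custom_admin_notice_ids()` also changes what that method returns to every existing caller; the class continues outside the hunk, so only the callers updated elsewhere in this commit can be checked from here.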
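--- a/classes/wp-security-configure-settings.php
+++ b/classes/wp-security-configure-settings.php
@@ -353,7 +353,7 @@ class AIOWPSecurity_Configure_Settings {
  }
 
  // Login whitelisting started to work on non-apache server from db_version 1.9.5
- if (is_main_site() && !AIOWPSecurity_Utility::is_apache_server() && version_compare(get_option('aiowpsec_db_version'), '1.9.5', '<') && '1' == $aio_wp_security->configs->get_value('aiowps_enable_whitelisting') && !empty($aio_wp_security->configs->get_value('aiowps_allowed_ip_addresses'))) {
+ if (is_main_site() && version_compare(get_option('aiowpsec_db_version'), '1.9.6', '<') && '1' == $aio_wp_security->configs->get_value('aiowps_enable_whitelisting') && !empty($aio_wp_security->configs->get_value('aiowps_allowed_ip_addresses'))) {
  $aio_wp_security->configs->set_value('aiowps_enable_whitelisting', '0');
  $aio_wp_security->configs->set_value('aiowps_is_login_whitelist_disabled_on_upgrade', '1');
  $aio_wp_security->configs->save_config();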
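Review bot: The widened condition switches off an access control for every site whose `aiowpsec_db_version` is below `1.9.6`, which appears to include a non-Apache site already handled at `1.9.5` whose administrator has since re-enabled the whitelist; that site would have it turned off a second time. Consider skipping the block when `aiowps_is_login_whitelist_disabled_on_upgrade` is already `'1'`, so the setting is only ever disabled once. The comment above the condition still describes the old rule and should be updated, for example `// Login whitelisting is enforced on all server types from db_version 1.9.6; disable it once on upgrade so admins are not locked out`. The enclosing function starts and ends outside the hunk, so where the db version is bumped cannot be confirmed from here.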
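--- a/classes/wp-security-notices.php
+++ b/classes/wp-security-notices.php
@@ -18,9 +18,30 @@ class AIOWPSecurity_Notices extends Updraft_Notices_1_2 {
  * @return Array
  */
  protected function populate_notices_content() {
-
+ global $aio_wp_security;
  $parent_notice_content = parent::populate_notices_content();
 
+ $login_whitelist_notice_text = '<p>' .
+ __('The All in One Security plugin has disabled the login whitelist setting that you have enabled in the past.', 'all-in-one-wp-security-and-firewall') .
+ '</p>' .
+ '<p>';
+ if (AIOWPSecurity_Utility::is_apache_server()) {
+ $login_whitelist_notice_text .= __('Your website is running on an Apache webserver, the login whitelisting might not be functional until the recent update of AIOS (because it relied upon Apache-specific module features).', 'all-in-one-wp-security-and-firewall');
+ } else {
+ $login_whitelist_notice_text .= __('Your website is running on a non-Apache webserver, so the login whitelisting was not functional until the recent update of AIOS (because it relied upon Apache-specific features).', 'all-in-one-wp-security-and-firewall');
+ }
+ $login_whitelist_notice_text .= ' ' . __('It began working with AIOS version 5.0.8.', 'all-in-one-wp-security-and-firewall') . ' ' . __('We have disabled it so that your login page will not be blocked unexpectedly.', 'all-in-one-wp-security-and-firewall') .
+ '</p>';
+
+ $allowed_ip_addresses = explode("\n", $aio_wp_security->configs->get_value('aiowps_allowed_ip_addresses'));
+ $allowed_ip_addresses = array_map('trim', $allowed_ip_addresses);
+ $login_whitelist_notice_text .= '<p>' .
+ __('Whitelisted login IP address(es):') . ' ' . htmlspecialchars(implode(', ', $allowed_ip_addresses)) .
+ '</p>' .
+ '<p>' .
+ __('Would you like to re-enable login whitelisting?', 'all-in-one-wp-security-and-firewall') .
+ '</p>';
+
  $child_notice_content = array(
  // Upgrade AIOS backup to UDP backup in the 5.0.0 version
  'automated-database-backup' => array(
@@ -62,23 +83,16 @@ class AIOWPSecurity_Notices extends Updraft_Notices_1_2 {
  ),
  'login-whitelist-disabled-on-upgrade' => array(
  'title' => htmlspecialchars(__('Important: Disabled login whitelist setting', 'all-in-one-wp-security-and-firewall')),
- 'text' => '<p>' .
- __('The All in One Security plugin has disabled the login whitelist setting that you have enabled in the past.', 'all-in-one-wp-security-and-firewall') .
- '</p>' .
- '<p>' .
- __('Your website is running on a non-Apache webserver, so the login whitelisting was not functional until the recent update of AIOS (because it relied upon Apache-specific features). It began working with AIOS version 5.0.8.', 'all-in-one-wp-security-and-firewall') . ' ' .
- __('We have disabled it so that your login page will not be blocked unexpectedly.', 'all-in-one-wp-security-and-firewall') .
- '</p>' .
- '<p>' .
- __('Would you like to re-enable login whitelisting?', 'all-in-one-wp-security-and-firewall') .
- '</p>',
+ 'text' => $login_whitelist_notice_text,
  'button_link' => add_query_arg(array(
  'page' => AIOWPSEC_BRUTE_FORCE_MENU_SLUG,
  'tab' => 'tab4',
- ), admin_url('admin.php')) . '#aiowps_enable_whitelisting',
- 'button_meta' => __('Setup login whitelist setting', 'all-in-one-wp-security-and-firewall'),
+ ), admin_url('admin.php')) . '#poststuff',
+ 'action_button_text' => __('Turn it back on', 'all-in-one-wp-security-and-firewall'),
+ 'button_meta' => __('Edit the settings', 'all-in-one-wp-security-and-firewall'),
  'dismiss_time' => 'dismiss_login_whitelist_disabled_on_upgrade_notice',
  'supported_positions' => array('login-whitelist-disabled-on-upgrade'),
+ 'dismiss_text' => __('Keep it off', 'all-in-one-wp-security-and-firewall'),
  'validity_function' => 'should_show_login_whitelist_disabled_on_upgrade_notice',
  ),
  'rate_plugin' => array(
@@ -199,7 +213,8 @@ class AIOWPSecurity_Notices extends Updraft_Notices_1_2 {
 
  if (AIOWPSecurity_Utility_IP::is_server_suitable_ip_methods_give_same_ip_address()) {
  if ('' === $configured_ip_method_id) {
- $most_suitable_ip_method = reset(AIOWPSecurity_Utility_IP::get_server_suitable_ip_methods());
+ $server_suitable_ip_methods = AIOWPSecurity_Utility_IP::get_server_suitable_ip_methods();
+ $most_suitable_ip_method = reset($server_suitable_ip_methods);
  if (!empty($most_suitable_ip_method)) {
  $most_suitable_ip_method_id = array_search($most_suitable_ip_method, AIOS_Abstracted_Ids::get_ip_retrieve_methods());
  $aio_wp_security->configs->set_value('aiowps_ip_retrieve_method', $most_suitable_ip_method_id);
@@ -467,6 +482,8 @@ class AIOWPSecurity_Notices extends Updraft_Notices_1_2 {
  $template_file = 'report-plain.php';
  } elseif (in_array($position, AIOS_Abstracted_Ids::custom_admin_notice_ids())) {
  $template_file = 'custom-notice.php';
+ } elseif (in_array($position, AIOS_Abstracted_Ids::htaccess_to_php_feature_notice_ids())) {
+ $template_file = 'htaccess-to-php-feature-notice.php';
  } else {
  $template_file = 'horizontal-notice.php';
  }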
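Review bot: In `populate_notices_content()` the new string `__('Whitelisted login IP address(es):')` omits the text domain that every other call in this hunk passes, so it will not be looked up in the plugin's translations; it should read `__('Whitelisted login IP address(es):', 'all-in-one-wp-security-and-firewall')`. The stored IP list is passed through `htmlspecialchars()` before display, which is right, but the translated sentences around it are concatenated into the `<p>` markup unescaped, where `esc_html__()` would be the safer call. `array_map('trim', …)` also keeps empty entries from blank lines in the setting, so running `array_filter()` before `implode()` would avoid stray commas in the notice. The function body continues outside the hunks shown.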
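--- a/classes/wp-security-two-factor-login.php
+++ b/classes/wp-security-two-factor-login.php
@@ -1,19 +1,20 @@
  <?php
  if (!defined('ABSPATH')) die('No direct access allowed');
 
- if (!class_exists('Simba_Two_Factor_Authentication')) require AIO_WP_SECURITY_PATH.'/includes/simba-tfa/simba-tfa.php';
+ if (!class_exists('Simba_Two_Factor_Authentication_1')) require AIO_WP_SECURITY_PATH.'/includes/simba-tfa/simba-tfa.php';
 
  /**
  * This parent-child relationship enables the two to be split without affecting backwards compatibility for developers making direct calls
  *
  * This class is for the plugin encapsulation.
  */
- class AIO_WP_Security_Simba_Two_Factor_Authentication_Plugin extends Simba_Two_Factor_Authentication {
+ class AIO_WP_Security_Simba_Two_Factor_Authentication_Plugin extends Simba_Two_Factor_Authentication_1 {
 
  /**
- * Simba_Two_Factor_Authentication_Plugin Constructor
+ * Class constructor
  *
  * @uses __FILE__
+ *
  * @return Void
  */
  public function __construct() {
@@ -34,7 +35,7 @@ class AIO_WP_Security_Simba_Two_Factor_Authentication_Plugin extends Simba_Two_F
  $this->set_settings_page_heading($settings_page_heading);
  $this->set_plugin_translate_url('https://translate.wordpress.org/projects/wp-plugins/all-in-one-wp-security-and-firewall/');
  $this->set_site_wide_administration_url(admin_url('admin.php?page=aiowpsec_settings&tab=two-factor-authentication'));
- $this->set_premium_version_url('https://aiowpsecurity.com');
+ $this->set_premium_version_url('https://aiosplugin.com');
  $this->set_faq_url('https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/#faq');
  parent::__construct();
  }
@@ -87,8 +88,6 @@ class AIO_WP_Security_Simba_Two_Factor_Authentication_Plugin extends Simba_Two_F
  */
  public function menu_entry_for_user() {
 
- $this->get_totp_controller()->potentially_port_private_keys();
-
  global $current_user;
  if ($this->is_activated_for_user($current_user->ID)) {
  if (!current_user_can(AIOWPSEC_MANAGEMENT_PERMISSION)) {
@@ -129,7 +128,6 @@ class AIO_WP_Security_Simba_Two_Factor_Authentication_Plugin extends Simba_Two_F
  return;
  }
 
- $this->get_totp_controller()->potentially_port_private_keys();
  $this->show_admin_settings_page();
  }
 
@@ -137,11 +135,12 @@ class AIO_WP_Security_Simba_Two_Factor_Authentication_Plugin extends Simba_Two_F
  * Include the admin settings page code.
  */
  public function show_admin_settings_page() {
- $totp_controller = $this->get_totp_controller();
- $totp_controller->setUserHMACTypes();
+
  if (!is_admin() || !current_user_can(AIOWPSEC_MANAGEMENT_PERMISSION)) return;
+
+ // The value for totp_controller is already set by versions of the TFA plugin after 3 Oct 2022
  $this->include_template('admin-settings.php', array(
- 'totp_controller' => $totp_controller,
+ 'totp_controller' => $this->get_controller('totp'),
  'settings_page_heading' => $this->get_settings_page_heading(),
  'admin_settings_links' => array(),
  ));
@@ -155,6 +154,6 @@ class AIO_WP_Security_Simba_Two_Factor_Authentication_Plugin extends Simba_Two_F
  }
  }
 
- if (false === AIOWPSecurity_Utility::is_incopatible_tfa_premium_version_active() && false === AIOWPSecurity_Utility::is_tfa_or_self_plugin_activating()) {
+ if (false === AIOWPSecurity_Utility::is_incompatible_tfa_premium_version_active() && false === AIOWPSecurity_Utility::is_tfa_or_self_plugin_activating()) {
  $GLOBALS['simba_two_factor_authentication'] = new AIO_WP_Security_Simba_Two_Factor_Authentication_Plugin();
  }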
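--- a/classes/wp-security-utility.php
+++ b/classes/wp-security-utility.php
@@ -773,7 +773,7 @@ class AIOWPSecurity_Utility {
  *
  * @return boolean True if the incompatible TFA premium plugin version active, otherwise false.
  */
- public static function is_incopatible_tfa_premium_version_active() {
+ public static function is_incompatible_tfa_premium_version_active() {
  if (!function_exists('get_plugins')) {
  require_once(ABSPATH.'/wp-admin/includes/plugin.php');
  }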
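--- a/includes/simba-tfa/includes/frontend-settings.js
+++ b/includes/simba-tfa/includes/frontend-settings.js
@@ -14,10 +14,6 @@ jQuery(function($) {
  tfa_query_leaving = true;
  });
 
- $(".tfa_settings_form input[name='simbatfa_delivery_type']").on('change', function() {
- $(".tfa_third_party_holder").slideToggle();
- });
-
  $(".simbatfa_settings_save").on('click', function() {
 
  $.blockUI({ message: '<div style="margin: 8px;font-size:150%;">'+simba_tfa_frontend.saving+'</div>' });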
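--- a/includes/simba-tfa/includes/tfa_frontend.php
+++ b/includes/simba-tfa/includes/tfa_frontend.php
@@ -23,7 +23,7 @@ class Simba_TFA_Frontend {
  * @uses die()
  */
  public function ajax() {
- $totp_controller = $this->mother->get_totp_controller();
+ $totp_controller = $this->mother->get_controller('totp');
  global $current_user;
 
  $return_array = array();
@@ -103,7 +103,7 @@ class Simba_TFA_Frontend {
  */
  public function tfa_fetch_assort_vars() {
  global $current_user;
- $totp_controller = $this->mother->get_totp_controller();
+ $totp_controller = $this->mother->get_controller('totp');
 
  $url = preg_replace('/^https?:\/\//i', '', site_url());
 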
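--- a/includes/simba-tfa/includes/totp.js
+++ b/includes/simba-tfa/includes/totp.js
@@ -0,0 +1,101 @@
+ jQuery(function($) {
+
+ // Render any QR codes on the page
+ $('.simbaotp_qr_container').qrcode({
+ 'render': 'image',
+ 'text': $('.simbaotp_qr_container:first').data('qrcode'),
+ });
+
+ function update_otp_code() {
+
+ $('.simba_current_otp').html('<em>'+simbatfa_totp.updating+'</em>');
+
+ var got_code = '';
+
+ $.post(simbatfa_totp.ajax_url, {
+ action: 'simbatfa_shared_ajax',
+ subaction: 'refreshotp',
+ nonce: simbatfa_totp.tfa_shared_nonce
+ }, function(response) {
+
+ try {
+ var resp = JSON.parse(response);
+ got_code = resp.code;
+ } catch(err) {
+ if ('' !== simbatfa_totp.also_try) {
+ alert(simbatfa_totp.response+" "+response);
+ }
+ console.log(response);
+ console.log(err);
+ }
+
+ if ('' === got_code && '' !== simbatfa_totp.also_try) {
+ $.post(simbatfa_totp.also_try, {
+ action: 'simbatfa_shared_ajax',
+ subaction: 'refreshotp',
+ nonce: simbatfa_totp.tfa_shared_nonce
+ }, function(response) {
+ try {
+ var resp = JSON.parse(response);
+ if (resp.code) {
+ $('.simba_current_otp').html(resp.code);
+ } else {
+ console.log(response);
+ console.log("TFA: no code found");
+ }
+ } catch(err) {
+ alert(simbatfa_totp.response+" "+response);
+ console.log(response);
+ console.log(err);
+ }
+ });
+ } else if ('' != got_code) {
+ $('.simba_current_otp').html(got_code);
+ } else {
+ console.log("TFA: no code found");
+ }
+ });
+ }
+
+ var min_refresh_after = 30;
+
+ if (0 == $('body.settings_page_two-factor-auth').length) {
+ $('.simba_current_otp').each(function(ind, obj) {
+ var refresh_after = $(obj).data('refresh_after');
+ if (refresh_after > 0 && refresh_after < min_refresh_after) {
+ min_refresh_after = refresh_after;
+ }
+ });
+
+ // Update after the given seconds, and then every 30 seconds
+ setTimeout(function() {
+ setInterval(update_otp_code, 30000)
+ update_otp_code();
+ }, min_refresh_after * 1000);
+ }
+
+ // Handle clicks on the 'refresh' link
+ $('.simbaotp_refresh').on('click', function(e) {
+ e.preventDefault();
+ update_otp_code();
+ });
+
+ $('#tfa_trusted_devices_box').on('click', '.simbatfa-trust-remove', function(e) {
+ e.preventDefault();
+ var device_id = $(this).data('trusted-device-id');
+ $(this).parents('.simbatfa_trusted_device').css('opacity', '0.5');
+ if ('undefined' !== typeof device_id) {
+ $.post(simbatfa_totp.ajax_url, {
+ action: 'simbatfa_shared_ajax',
+ subaction: 'untrust_device',
+ nonce: simbatfa_totp.tfa_shared_nonce,
+ device_id: device_id
+ }, function(response) {
+ var resp = JSON.parse(response);
+ if (resp.hasOwnProperty('trusted_list')) {
+ $('#tfa_trusted_devices_box_inner').html(resp.trusted_list);
+ }
+ });
+ }
+ });
+ });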
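Review bot: The guard in the first `catch` of `update_otp_code()` looks inverted relative to the inline script this file replaces: the removed PHP emitted the `alert()` only when no `$also_try` fallback was set, whereas `if ('' !== simbatfa_totp.also_try)` alerts only when one is set. Assuming `also_try` is localized as an empty string when there is no fallback, the guard should be `if ('' === simbatfa_totp.also_try)`. `got_code = resp.code` also leaves `got_code` undefined when the response parses but carries no `code`, so neither the fallback nor the "no code found" branch runs; `got_code = resp.code || '';` would let them. Finally, writing the value with `.text(got_code)` rather than `.html(got_code)` would keep an unexpected response field from being parsed as markup, and the `untrust_device` callback calls `JSON.parse()` without the `try`/`catch` the other two callbacks use.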
includes/simba-tfa/providers/{totp-hotp → totp}/Base32/Base32.php RENAMED
File without changes
includes/simba-tfa/providers/{totp-hotp → totp}/hotp-php-master/LICENSE RENAMED
File without changes
includes/simba-tfa/providers/{totp-hotp → totp}/hotp-php-master/README.markdown RENAMED
File without changes
includes/simba-tfa/providers/{totp-hotp → totp}/hotp-php-master/example.php RENAMED
File without changes
includes/simba-tfa/providers/{totp-hotp → totp}/hotp-php-master/hotp.php RENAMED
File without changes
includes/simba-tfa/providers/{totp-hotp → totp}/loader.php RENAMED
@@ -5,12 +5,12 @@ if (!defined('ABSPATH')) die('No direct access.');
5
  if (!class_exists('HOTP')) require_once(__DIR__.'/hotp-php-master/hotp.php');
6
  if (!class_exists('Base32')) require_once(__DIR__.'/Base32/Base32.php');
7
 
8
- class Simba_TFA_Provider_TOTP {
9
 
10
  /**
11
  * Simba 2FA object
12
  *
13
- * @var object instance of Simba_Two_Factor_Authentication
14
  */
15
  private $tfa;
16
 
@@ -94,7 +94,7 @@ class Simba_TFA_Provider_TOTP {
94
  /**
95
  * Class constructor
96
  *
97
- * @param Simba_Two_Factor_Authentication main plugin class
98
  */
99
  public function __construct($tfa) {
100
  $this->tfa = $tfa;
@@ -155,7 +155,6 @@ class Simba_TFA_Provider_TOTP {
155
 
156
  /**
157
  * Enqueue adding of JavaScript for footer
158
- *
159
  */
160
  public function add_footer() {
161
 
@@ -163,127 +162,42 @@ class Simba_TFA_Provider_TOTP {
163
  if ($added_footer) return;
164
  $added_footer = true;
165
 
166
- $script_file = (defined('SCRIPT_DEBUG') && SCRIPT_DEBUG) ? 'jquery-qrcode.js' : 'jquery-qrcode.min.js';
167
- $script_ver = (defined('WP_DEBUG') && WP_DEBUG) ? time() : filemtime($this->tfa->includes_dir()."/jquery-qrcode/$script_file");
168
- wp_enqueue_script('jquery-qrcode', $this->tfa->includes_url()."/jquery-qrcode/$script_file", array('jquery'), $script_ver);
169
- add_action(is_admin() ? 'admin_footer' : 'wp_footer', array($this, 'footer'));
 
 
 
170
 
 
 
 
 
 
171
  }
172
 
173
  /**
174
- * Runs upon the WP actions wp_footer and admin_footer. Adds the necessary JavaScript for rendering and updating QR codes, and handling trusted devices removal in the admin area
 
 
175
  */
176
- public function footer() {
177
- $ajax_url = admin_url('admin-ajax.php');
178
  // It's possible that FORCE_ADMIN_SSL will make that SSL, whilst the user is on the front-end having logged in over non-SSL - and as a result, their login cookies won't get sent, and they're not registered as logged in.
 
 
179
  if (!is_admin() && substr(strtolower($ajax_url), 0, 6) == 'https:' && !is_ssl()) {
180
  $also_try = 'http:'.substr($ajax_url, 6);
181
  }
182
- ?>
183
- <script>
184
- jQuery(function($) {
185
-
186
- // Render any QR codes
187
- $('.simbaotp_qr_container').qrcode({
188
- 'render': 'image',
189
- 'text': $('.simbaotp_qr_container:first').data('qrcode'),
190
- });
191
-
192
- function update_otp_code() {
193
- $('.simba_current_otp').html('<em><?php echo esc_attr(__('Updating...', 'all-in-one-wp-security-and-firewall'));?></em>');
194
-
195
- $.post('<?php echo esc_js($ajax_url);?>', {
196
- action: 'simbatfa_shared_ajax',
197
- subaction: 'refreshotp',
198
- nonce: '<?php echo esc_js(wp_create_nonce('tfa_shared_nonce'));?>'
199
- }, function(response) {
200
- var got_code = '';
201
- try {
202
- var resp = JSON.parse(response);
203
- got_code = resp.code;
204
- } catch(err) {
205
- <?php if (!isset($also_try)) { ?>
206
- alert("<?php echo esc_js(__('Response:', 'all-in-one-wp-security-and-firewall')); ?> "+response);
207
- <?php } ?>
208
- console.log(response);
209
- console.log(err);
210
- }
211
- <?php
212
- if (isset($also_try)) {
213
- ?>
214
- $.post('<?php echo esc_js($also_try);?>', {
215
- action: 'simbatfa_shared_ajax',
216
- subaction: 'refreshotp',
217
- nonce: '<?php echo esc_js(wp_create_nonce('tfa_shared_nonce'));?>'
218
- }, function(response) {
219
- try {
220
- var resp = JSON.parse(response);
221
- if (resp.code) {
222
- $('.simba_current_otp').html(resp.code);
223
- } else {
224
- console.log(response);
225
- console.log("TFA: no code found");
226
- }
227
- } catch(err) {
228
- alert("<?php echo esc_js(__('Response:', 'all-in-one-wp-security-and-firewall')); ?> "+response);
229
- console.log(response);
230
- console.log(err);
231
- }
232
- });
233
- <?php } else { ?>
234
- if ('' != got_code) {
235
- $('.simba_current_otp').html(got_code);
236
- } else {
237
- console.log("TFA: no code found");
238
- }
239
- <?php } ?>
240
- });
241
- }
242
-
243
- var min_refresh_after = 30;
244
-
245
- if (0 == $('body.settings_page_two-factor-auth').length) {
246
- $('.simba_current_otp').each(function(ind, obj) {
247
- var refresh_after = $(obj).data('refresh_after');
248
- if (refresh_after > 0 && refresh_after < min_refresh_after) {
249
- min_refresh_after = refresh_after;
250
- }
251
- });
252
-
253
- // Update after the given seconds, and then every 30 seconds
254
- setTimeout(function() {
255
- setInterval(update_otp_code, 30000)
256
- update_otp_code();
257
- }, min_refresh_after * 1000);
258
- }
259
-
260
- // Handle clicks on the 'refresh' link
261
- $('.simbaotp_refresh').on('click', function(e) {
262
- e.preventDefault();
263
- update_otp_code();
264
- });
265
-
266
- $('#tfa_trusted_devices_box').on('click', '.simbatfa-trust-remove', function(e) {
267
- e.preventDefault();
268
- var device_id = $(this).data('trusted-device-id');
269
- $(this).parents('.simbatfa_trusted_device').css('opacity', '0.5');
270
- if ('undefined' !== typeof device_id) {
271
- $.post('<?php echo esc_js($ajax_url);?>', {
272
- action: 'simbatfa_shared_ajax',
273
- subaction: 'untrust_device',
274
- nonce: '<?php echo esc_js(wp_create_nonce('tfa_shared_nonce'));?>',
275
- device_id: device_id
276
- }, function(response) {
277
- var resp = JSON.parse(response);
278
- if (resp.hasOwnProperty('trusted_list')) {
279
- $('#tfa_trusted_devices_box_inner').html(resp.trusted_list);
280
- }
281
- });
282
- }
283
- });
284
- });
285
- </script>
286
- <?php
287
  }
288
 
289
  /**
@@ -943,13 +857,13 @@ class Simba_TFA_Provider_TOTP {
943
  /**
944
  * Whether HOTP or TOTP is being used
945
  *
946
- * @param Integer $user_id - WordPress user ID
947
  *
948
  * @return String - 'hotp' or 'totp'
949
  */
950
- public function get_user_otp_algorithm($user_id) {
951
 
952
- $setting = get_user_meta($user_id, 'tfa_algorithm_type', true);
953
 
954
  $default_hmac = $this->tfa->get_option('tfa_default_hmac');
955
  if (!$default_hmac) $default_hmac = $this->default_hmac;
@@ -1055,14 +969,7 @@ class Simba_TFA_Provider_TOTP {
1055
  }
1056
 
1057
  public function setUserHMACTypes() {
1058
- // We need this because we dont want to change third party apps users algorithm
1059
- $users = get_users(array('meta_key' => 'simbatfa_delivery_type', 'meta_value' => 'third-party-apps'));
1060
- if (empty($users)) return;
1061
- foreach ($users as $user) {
1062
- $tfa_algorithm_type = get_user_meta($user->ID, 'tfa_algorithm_type', true);
1063
- if ($tfa_algorithm_type) continue;
1064
- update_user_meta($user->ID, 'tfa_algorithm_type', $this->get_user_otp_algorithm($user->ID));
1065
- }
1066
  }
1067
 
1068
  }
5
  if (!class_exists('HOTP')) require_once(__DIR__.'/hotp-php-master/hotp.php');
6
  if (!class_exists('Base32')) require_once(__DIR__.'/Base32/Base32.php');
7
 
8
+ class Simba_TFA_Provider_totp {
9
 
10
  /**
11
  * Simba 2FA object
12
  *
13
+ * @var object instance of Simba_Two_Factor_Authentication(_version)
14
  */
15
  private $tfa;
16
 
94
  /**
95
  * Class constructor
96
  *
97
+ * @param Object - main Simba_Two_Factor_Authentication(_version) plugin class
98
  */
99
  public function __construct($tfa) {
100
  $this->tfa = $tfa;
155
 
156
  /**
157
  * Enqueue adding of JavaScript for footer
 
158
  */
159
  public function add_footer() {
160
 
162
  if ($added_footer) return;
163
  $added_footer = true;
164
 
165
+ $qr_script_file = (defined('SCRIPT_DEBUG') && SCRIPT_DEBUG) ? 'jquery-qrcode.js' : 'jquery-qrcode.min.js';
166
+
167
+ $qr_script_ver = (defined('WP_DEBUG') && WP_DEBUG) ? time() : filemtime($this->tfa->includes_dir()."/jquery-qrcode/$qr_script_file");
168
+
169
+ wp_register_script('jquery-qrcode', $this->tfa->includes_url()."/jquery-qrcode/$qr_script_file", array('jquery'), $qr_script_ver);
170
+
171
+ $script_ver = (defined('WP_DEBUG') && WP_DEBUG) ? time() : filemtime($this->tfa->includes_dir()."/totp.js");
172
 
173
+ // Adds the necessary JavaScript for rendering and updating QR codes, and handling trusted devices removal in the admin area
174
+ wp_enqueue_script('simba-tfa-totp', $this->tfa->includes_url()."/totp.js", array('jquery-qrcode'), $script_ver);
175
+
176
+ wp_localize_script('simba-tfa-totp', 'simbatfa_totp', $this->translation_strings());
177
+
178
  }
179
 
180
  /**
181
+ * Get textual strings used from JavaScript
182
+ *
183
+ * @return Array
184
  */
185
+ private function translation_strings() {
186
+
187
  // It's possible that FORCE_ADMIN_SSL will make that SSL, whilst the user is on the front-end having logged in over non-SSL - and as a result, their login cookies won't get sent, and they're not registered as logged in.
188
+ $ajax_url = admin_url('admin-ajax.php');
189
+ $also_try = '';
190
  if (!is_admin() && substr(strtolower($ajax_url), 0, 6) == 'https:' && !is_ssl()) {
191
  $also_try = 'http:'.substr($ajax_url, 6);
192
  }
193
+
194
+ return apply_filters('simba_tfa_totp_translation_strings', array(
195
+ 'ajax_url' => $ajax_url,
196
+ 'updating' => __('Updating...', 'all-in-one-wp-security-and-firewall'),
197
+ 'tfa_shared_nonce' => wp_create_nonce('tfa_shared_nonce'),
198
+ 'also_try' => $also_try,
199
+ 'response' => __('Response:', 'all-in-one-wp-security-and-firewall'),
200
+ ));
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
201
  }
202
 
203
  /**
857
  /**
858
  * Whether HOTP or TOTP is being used
859
  *
860
+ * @param Integer|Boolean $user_id - WordPress user ID, or false for the site-wide default
861
  *
862
  * @return String - 'hotp' or 'totp'
863
  */
864
+ public function get_user_otp_algorithm($user_id = false) {
865
 
866
+ $setting = $user_id ? get_user_meta($user_id, 'tfa_algorithm_type', true) : false;
867
 
868
  $default_hmac = $this->tfa->get_option('tfa_default_hmac');
869
  if (!$default_hmac) $default_hmac = $this->default_hmac;
969
  }
970
 
971
  public function setUserHMACTypes() {
972
+ trigger_error("Deprecated: setUserHMACTypes() does nothing: remove any calls to it");
 
 
 
 
 
 
 
973
  }
974
 
975
  }
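--- a/includes/simba-tfa/simba-tfa.php
+++ b/includes/simba-tfa/simba-tfa.php
@@ -2,7 +2,7 @@
 
  if (!defined('ABSPATH')) die('Access denied.');
 
- class Simba_Two_Factor_Authentication {
+ class Simba_Two_Factor_Authentication_1 {
 
  /**
  * Simba 2FA frontend object
@@ -12,11 +12,11 @@ class Simba_Two_Factor_Authentication {
  protected $frontend;
 
  /**
- * Simba 2FA totp object
+ * Simba 2FA TOTP object
  *
  * @var Object
  */
- protected $totp_controller;
+ protected $controllers = array();
 
  /**
  * Flag for prevent PHP notices in AJAX
@@ -90,9 +90,15 @@ class Simba_Two_Factor_Authentication {
  */
  public function __construct() {
 
- require_once(__DIR__.'/providers/totp-hotp/loader.php');
-
- $this->totp_controller = new Simba_TFA_Provider_TOTP($this);
+ $load_providers = apply_filters('simbatfa_load_providers', array('totp'));
+
+ foreach ($load_providers as $provider_id) {
+ $class_name = "Simba_TFA_Provider_$provider_id";
+ if (!class_exists($class_name)) {
+ require_once(__DIR__.'/providers/'.$provider_id.'/loader.php');
+ }
+ $this->controllers[$provider_id] = new $class_name($this);
+ }
 
  // Process login form AJAX events
  add_action('wp_ajax_nopriv_simbatfa-init-otp', array($this, 'tfaInitLogin'));
@@ -100,7 +106,7 @@ class Simba_Two_Factor_Authentication {
 
  add_action('wp_ajax_simbatfa_shared_ajax', array($this, 'shared_ajax'));
 
- require_once($this->includes_dir().'/login-form-integrations.php');
+ if (!class_exists('Simba_TFA_Login_Form_Integrations')) require_once($this->includes_dir().'/login-form-integrations.php');
  new Simba_TFA_Login_Form_Integrations($this);
 
  // Add TFA column on admin users list
@@ -110,6 +116,8 @@ class Simba_Two_Factor_Authentication {
 
  // CSS for admin users screen
  add_action('admin_print_styles-users.php', array($this, 'load_users_css'), 10, 0);
+
+ add_action('admin_menu', array($this, 'admin_menu'), 9);
 
  add_action('admin_init', array($this, 'register_two_factor_auth_settings'));
  add_action('init', array($this, 'init'));
@@ -127,6 +135,13 @@ class Simba_Two_Factor_Authentication {
  }
  }
 
+ /**
+ * Runs upon the WP filter admin_menu
+ */
+ public function admin_menu() {
+ $this->get_controller('totp')->potentially_port_private_keys();
+ }
+
  /**
  * Give the filesystem path to the plugin's includes directory
  *
@@ -670,14 +685,35 @@ class Simba_Two_Factor_Authentication {
  }
 
  /**
- * Return the Simba_TFA_Provider_TOTP object.
+ * Return the TOTP provider object.
+ *
+ * @param String $controller_id - which controller
  *
- * @returns Simba_TFA_Provider_TOTP
+ * @return Simba_TFA_Provider_totp
  */
- public function get_totp_controller() {
- return $this->totp_controller;
+ public function get_controller($controller_id = 'totp') {
+ return $this->controllers[$controller_id];
+ }
+
+ /**
+ * Return all OTP controllers
+ *
+ * @return Array
+ */
+ public function get_controllers() {
+ return $this->controllers;
  }
 
+ /**
+ * Deprecated synonym for get_controller('totp')
+ *
+ * @return Simba_TFA_Provider_totp
+ */
+ public function get_totp_controller() {
+ trigger_error("Deprecated: Call get_controller('totp'), not get_totp_controller()", E_USER_WARNING);
+ return $this->get_controller('totp');
+ }
+
  /**
  * "Shared" - i.e. could be called from either front-end or back-end
  */
@@ -691,7 +727,7 @@ class Simba_Two_Factor_Authentication {
 
  if ('refreshotp' == $subaction) {
 
- $code = $this->totp_controller->get_current_code($current_user->ID);
+ $code = $this->get_controller('totp')->get_current_code($current_user->ID);
 
  if (false === $code) die(json_encode(array('code' => '')));
 
@@ -912,7 +948,7 @@ class Simba_Two_Factor_Authentication {
 
  $result = false;
 
- $totp_controller = $this->totp_controller;
+ $totp_controller = $this->get_controller('totp');
 
  if ($user) {
  $tfa_priv_key = get_user_meta($user->ID, 'tfa_priv_key_64', true);
@@ -968,7 +1004,7 @@ class Simba_Two_Factor_Authentication {
  $tfa_enabled_label = $long_label ? __('Enable two-factor authentication', 'all-in-one-wp-security-and-firewall') : __('Enabled', 'all-in-one-wp-security-and-firewall');
 
  if ('show_current' == $style) {
- $tfa_enabled_label .= ' '.sprintf(__('(Current code: %s)', 'all-in-one-wp-security-and-firewall'), $this->get_totp_controller()->current_otp_code($user_id));
+ $tfa_enabled_label .= ' '.sprintf(__('(Current code: %s)', 'all-in-one-wp-security-and-firewall'), $this->get_controller('totp')->current_otp_code($user_id));
  } elseif ('require_current' == $style) {
  $tfa_enabled_label .= ' '.sprintf(__('(you must enter the current code: %s)', 'all-in-one-wp-security-and-firewall'), '<input type="text" class="tfa_enable_current" name="tfa_enable_current" size="6" style="height">');
  }
@@ -1123,7 +1159,7 @@ class Simba_Two_Factor_Authentication {
 
  }
 
- return $this->totp_controller->check_code_for_user($tfa_creds_user_id, $user_code);
+ return $this->get_controller('totp')->check_code_for_user($tfa_creds_user_id, $user_code);
 
  }
 
@@ -1268,6 +1304,7 @@ class Simba_Two_Factor_Authentication {
  // They appear as unused, but may be used in the $template_file.
  $wpdb = $GLOBALS['wpdb'];// phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable -- $wpdb might be used in the included template
  $simba_tfa = $this;// phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable -- $wp_optimize might be used in the included template
+ $totp_controller = $this->get_controller('totp');// phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable -- $wp_optimize might be used in the included template
  include $template_file;
  }
 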
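Review bot: In `__construct()` each provider id returned by the `simbatfa_load_providers` filter is concatenated straight into a `require_once` path and into the class name handed to `new`, with no check on its shape or on whether the loader file and the class actually exist. Filter callbacks are server-side code, so this is a hardening point rather than a remotely reachable input, but an unexpected string from one callback should not be able to pull in an arbitrary relative path or instantiate an unrelated class inside the 2FA bootstrap. I would normalise the id with `sanitize_key()`, include the loader only when it is a file, and skip the provider when the class is still missing, as in the excerpt below. Separately, `get_controller()` indexes `$this->controllers` unchecked while `admin_menu()`, `shared_ajax()` and the code-check path call methods on `get_controller('totp')` unconditionally, so a filter result without `'totp'` ends in a call on null. The constructor body continues past the hunk, so any later handling is not visible here.

```php
foreach ($load_providers as $provider_id) {
	// Restrict the id to [a-z0-9_-] before it reaches a path or a class name
	$provider_id = sanitize_key($provider_id);
	$class_name = "Simba_TFA_Provider_$provider_id";
	$loader = __DIR__.'/providers/'.$provider_id.'/loader.php';
	if (!class_exists($class_name) && is_file($loader)) require_once($loader);
	// Skip ids that did not resolve to a provider class instead of failing in "new"
	if (!class_exists($class_name)) continue;
	$this->controllers[$provider_id] = new $class_name($this);
}
// … unchanged: AJAX and admin hook registration …
```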
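--- a/includes/simba-tfa/templates/admin-settings.php
+++ b/includes/simba-tfa/templates/admin-settings.php
@@ -110,7 +110,7 @@ if (!defined('ABSPATH')) die('Access denied.');
  <hr>
  <form method="post" action="options.php" style="margin-top: 40px">
  <?php settings_fields('simba_tfa_default_hmac_group'); ?>
- <h2><?php _e('Default algorithm', 'all-in-one-wp-security-and-firewall'); ?></h2>
+ <h2><?php _e('Default algorithm for codes generated by user devices', 'all-in-one-wp-security-and-firewall'); ?></h2>
  <?php _e('Your users can change this in their own settings if they want.', 'all-in-one-wp-security-and-firewall'); ?>
  <p>
  <?php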
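--- a/includes/simba-tfa/templates/shortcode-tfa-user-settings.php
+++ b/includes/simba-tfa/templates/shortcode-tfa-user-settings.php
@@ -14,9 +14,9 @@ if (!$is_activated_for_user) {
 
  <?php $tfa_frontend->settings_enable_or_disable_output(); ?>
 
- <?php $simba_tfa->get_totp_controller()->current_codes_box(); ?>
+ <?php $simba_tfa->get_controller('totp')->current_codes_box(); ?>
 
- <?php $simba_tfa->get_totp_controller()->advanced_settings_box(array($tfa_frontend, 'save_settings_button')); ?>
+ <?php $simba_tfa->get_controller('totp')->advanced_settings_box(array($tfa_frontend, 'save_settings_button')); ?>
 
  </div>
 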
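--- a/includes/simba-tfa/templates/user-settings.php
+++ b/includes/simba-tfa/templates/user-settings.php
@@ -3,7 +3,7 @@
  if (!defined('ABSPATH')) die('Access denied.');
 
  global $current_user;
- $totp_controller = $simba_tfa->get_totp_controller();
+ $totp_controller = $simba_tfa->get_controller('totp');
 
  ?>
  <style>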
languages/all-in-one-wp-security-and-firewall.pot CHANGED
@@ -32,75 +32,75 @@ msgstr ""
32
  msgid "Nonce check failed for export 404 event logs to CSV!"
33
  msgstr ""
34
 
35
- #: src/admin/wp-security-admin-init.php:257
36
  msgid "Unexpected response:"
37
  msgstr ""
38
 
39
- #: src/admin/wp-security-admin-init.php:288
40
  msgid "Enjoyed %1$s? Please leave us a %2$s rating. We really appreciate your support!"
41
  msgstr ""
42
 
43
- #: src/admin/wp-security-admin-init.php:412, src/admin/wp-security-admin-init.php:412, src/classes/wp-security-two-factor-login.php:96, src/classes/wp-security-two-factor-login.php:96
44
  msgid "WP Security"
45
  msgstr ""
46
 
47
- #: src/admin/wp-security-admin-init.php:413, src/admin/wp-security-admin-init.php:413, src/admin/wp-security-dashboard-menu.php:27, src/admin/wp-security-dashboard-menu.php:55
48
  msgid "Dashboard"
49
  msgstr ""
50
 
51
- #: src/admin/wp-security-admin-init.php:414, src/admin/wp-security-admin-init.php:414, src/admin/wp-security-settings-menu.php:95
52
  msgid "Settings"
53
  msgstr ""
54
 
55
- #: src/admin/wp-security-admin-init.php:415, src/admin/wp-security-admin-init.php:415, src/admin/wp-security-user-accounts-menu.php:60
56
  msgid "User Accounts"
57
  msgstr ""
58
 
59
- #: src/admin/wp-security-admin-init.php:416, src/admin/wp-security-admin-init.php:416, src/admin/wp-security-user-login-menu.php:59
60
  msgid "User Login"
61
  msgstr ""
62
 
63
- #: src/admin/wp-security-admin-init.php:417, src/admin/wp-security-admin-init.php:417, src/admin/wp-security-user-registration-menu.php:55
64
  msgid "User Registration"
65
  msgstr ""
66
 
67
- #: src/admin/wp-security-admin-init.php:418, src/admin/wp-security-admin-init.php:418, src/admin/wp-security-database-menu.php:119
68
  msgid "Database Security"
69
  msgstr ""
70
 
71
- #: src/admin/wp-security-admin-init.php:422, src/admin/wp-security-admin-init.php:422, src/admin/wp-security-filesystem-menu.php:55
72
  msgid "Filesystem Security"
73
  msgstr ""
74
 
75
- #: src/admin/wp-security-admin-init.php:427, src/admin/wp-security-admin-init.php:427, src/admin/wp-security-blacklist-menu.php:51
76
  msgid "Blacklist Manager"
77
  msgstr ""
78
 
79
- #: src/admin/wp-security-admin-init.php:432, src/admin/wp-security-admin-init.php:432, src/admin/wp-security-firewall-menu.php:60
80
  msgid "Firewall"
81
  msgstr ""
82
 
83
- #: src/admin/wp-security-admin-init.php:434, src/admin/wp-security-admin-init.php:434, src/admin/wp-security-brute-force-menu.php:68
84
  msgid "Brute Force"
85
  msgstr ""
86
 
87
- #: src/admin/wp-security-admin-init.php:435, src/admin/wp-security-admin-init.php:435, src/admin/wp-security-spam-menu.php:57
88
  msgid "SPAM Prevention"
89
  msgstr ""
90
 
91
- #: src/admin/wp-security-admin-init.php:439, src/admin/wp-security-admin-init.php:439, src/admin/wp-security-filescan-menu.php:53
92
  msgid "Scanner"
93
  msgstr ""
94
 
95
- #: src/admin/wp-security-admin-init.php:441, src/admin/wp-security-admin-init.php:441, src/admin/wp-security-maintenance-menu.php:51
96
  msgid "Maintenance"
97
  msgstr ""
98
 
99
- #: src/admin/wp-security-admin-init.php:442, src/admin/wp-security-admin-init.php:442, src/admin/wp-security-misc-options-menu.php:57
100
  msgid "Miscellaneous"
101
  msgstr ""
102
 
103
- #: src/admin/wp-security-admin-init.php:443, src/admin/wp-security-admin-init.php:443, src/admin/wp-security-tools-menu.php:64
104
  msgid "Tools"
105
  msgstr ""
106
 
@@ -2542,7 +2542,7 @@ msgstr ""
2542
  msgid "Set up now"
2543
  msgstr ""
2544
 
2545
- #: src/admin/wp-security-firewall-setup-notice.php:614, src/templates/notices/custom-notice.php:10, src/templates/notices/custom-notice.php:12, src/templates/notices/horizontal-notice.php:50, src/templates/notices/horizontal-notice.php:52
2546
  msgid "Dismiss"
2547
  msgstr ""
2548
 
@@ -4412,15 +4412,15 @@ msgstr ""
4412
  msgid "Invalid IP retrieve method."
4413
  msgstr ""
4414
 
4415
- #: src/classes/aios-ajax.php:131, src/wp-security-core.php:252
4416
  msgid "The security check failed; try refreshing the page."
4417
  msgstr ""
4418
 
4419
- #: src/classes/aios-ajax.php:152, src/wp-security-core.php:262
4420
  msgid "You are not allowed to run this command."
4421
  msgstr ""
4422
 
4423
- #: src/classes/aios-ajax.php:173, src/wp-security-core.php:276
4424
  msgid "Options can only be saved by network admin"
4425
  msgstr ""
4426
 
@@ -4720,7 +4720,7 @@ msgstr ""
4720
  msgid "Your Google reCAPTCHA site key is wrong. Please fill the correct reCAPTCHA keys %s to use the Google reCAPTCHA feature."
4721
  msgstr ""
4722
 
4723
- #: src/classes/wp-security-general-init-tasks.php:643, src/classes/wp-security-notices.php:85
4724
  msgid "here"
4725
  msgstr ""
4726
 
@@ -4740,95 +4740,111 @@ msgstr ""
4740
  msgid "Your registration is pending approval."
4741
  msgstr ""
4742
 
4743
- #: src/classes/wp-security-notices.php:27
4744
- msgid "Removed database backup feature from the All In One WP Security & Firewall plugin"
4745
  msgstr ""
4746
 
4747
  #: src/classes/wp-security-notices.php:29
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
4748
  msgid "Beginning with version 5.0.0, AIOS has replaced the AIOS backup method with the superior UpdraftPlus method."
4749
  msgstr ""
4750
 
4751
- #: src/classes/wp-security-notices.php:30
4752
  msgid "It remains free and is fully supported by the UpdraftPlus team."
4753
  msgstr ""
4754
 
4755
- #: src/classes/wp-security-notices.php:33
4756
  msgid "You are seeing this notice because you have previously set up automated database backups in AIOS."
4757
  msgstr ""
4758
 
4759
- #: src/classes/wp-security-notices.php:34
4760
  msgid "Would you like to set up scheduled backups with UpdraftPlus?"
4761
  msgstr ""
4762
 
4763
- #: src/classes/wp-security-notices.php:40
4764
  msgid "Setup UpdraftPlus backup plugin"
4765
  msgstr ""
4766
 
4767
- #: src/classes/wp-security-notices.php:46
4768
  msgid "Important: set up your IP address detection settings"
4769
  msgstr ""
4770
 
4771
- #: src/classes/wp-security-notices.php:48
4772
  msgid "The All in One Security plugin couldn't be certain about the correct method to detect the IP address for your site visitors with your currently-configured IP address detection settings."
4773
  msgstr ""
4774
 
4775
- #: src/classes/wp-security-notices.php:49
4776
  msgid "It is important for your security to set the IP address detection settings properly."
4777
  msgstr ""
4778
 
4779
- #: src/classes/wp-security-notices.php:52
4780
  msgid "Please go to the settings and set them now."
4781
  msgstr ""
4782
 
4783
- #: src/classes/wp-security-notices.php:58
4784
  msgid "Setup IP address detection settings"
4785
  msgstr ""
4786
 
4787
- #: src/classes/wp-security-notices.php:64
4788
  msgid "Important: Disabled login whitelist setting"
4789
  msgstr ""
4790
 
4791
- #: src/classes/wp-security-notices.php:66
4792
- msgid "The All in One Security plugin has disabled the login whitelist setting that you have enabled in the past."
4793
  msgstr ""
4794
 
4795
- #: src/classes/wp-security-notices.php:69
4796
- msgid "Your website is running on a non-Apache webserver, so the login whitelisting was not functional until the recent update of AIOS (because it relied upon Apache-specific features). It began working with AIOS version 5.0.8."
4797
- msgstr ""
4798
-
4799
- #: src/classes/wp-security-notices.php:70
4800
- msgid "We have disabled it so that your login page will not be blocked unexpectedly."
4801
  msgstr ""
4802
 
4803
- #: src/classes/wp-security-notices.php:73
4804
- msgid "Would you like to re-enable login whitelisting?"
4805
- msgstr ""
4806
-
4807
- #: src/classes/wp-security-notices.php:79
4808
- msgid "Setup login whitelist setting"
4809
  msgstr ""
4810
 
4811
- #: src/classes/wp-security-notices.php:85
4812
  msgid "Hey - We noticed All In One WP Security & Firewall has kept your site safe for a while. If you like us, please consider leaving a positive review to spread the word. Or if you have any issues or questions please leave us a support message %s."
4813
  msgstr ""
4814
 
4815
- #: src/classes/wp-security-notices.php:85
4816
  msgid "Thank you so much!"
4817
  msgstr ""
4818
 
4819
- #: src/classes/wp-security-notices.php:85
4820
  msgid "Team All In One WP Security & Firewall"
4821
  msgstr ""
4822
 
4823
- #: src/classes/wp-security-notices.php:95
4824
  msgid "Enhance your security even more by backing up your site"
4825
  msgstr ""
4826
 
4827
- #: src/classes/wp-security-notices.php:96
4828
  msgid "UpdraftPlus is the world's most trusted backup plugin from the owners of All In One WP Security & Firewall"
4829
  msgstr ""
4830
 
4831
- #: src/classes/wp-security-notices.php:107
4832
  msgid "After you've secured your site, we recommend you install our WP-Optimize plugin to streamline it for better website performance."
4833
  msgstr ""
4834
 
@@ -4836,19 +4852,19 @@ msgstr ""
4836
  msgid "Not available."
4837
  msgstr ""
4838
 
4839
- #: src/classes/wp-security-two-factor-login.php:33
4840
  msgid "Two Factor Authentication - Admin Settings"
4841
  msgstr ""
4842
 
4843
- #: src/classes/wp-security-two-factor-login.php:98, src/classes/wp-security-two-factor-login.php:98
4844
  msgid "Two Factor Auth"
4845
  msgstr ""
4846
 
4847
- #: src/classes/wp-security-two-factor-login.php:154
4848
  msgid "PHP OpenSSL or mcrypt module required"
4849
  msgstr ""
4850
 
4851
- #: src/classes/wp-security-two-factor-login.php:154
4852
  msgid "The All In One WP Security plugin's Two Factor Authentication module requires either the PHP openssl (preferred) or mcrypt module to be installed. Please ask your web hosting company to install one of them."
4853
  msgstr ""
4854
 
@@ -5256,23 +5272,23 @@ msgstr ""
5256
  msgid "You are using the non-apache server %s, so this feature won't work on your site."
5257
  msgstr ""
5258
 
5259
- #: src/wp-security-core.php:230, src/wp-security.php:45
5260
  msgid "This plugin requires PHP version %s."
5261
  msgstr ""
5262
 
5263
- #: src/wp-security-core.php:231
5264
  msgid "Current site PHP version is %s."
5265
  msgstr ""
5266
 
5267
- #: src/wp-security-core.php:232, src/wp-security.php:47
5268
  msgid "You will need to ask your web hosting company to upgrade."
5269
  msgstr ""
5270
 
5271
- #: src/wp-security-core.php:388
5272
  msgid "Error:"
5273
  msgstr ""
5274
 
5275
- #: src/wp-security-core.php:388
5276
  msgid "template not found"
5277
  msgstr ""
5278
 
32
  msgid "Nonce check failed for export 404 event logs to CSV!"
33
  msgstr ""
34
 
35
+ #: src/admin/wp-security-admin-init.php:258
36
  msgid "Unexpected response:"
37
  msgstr ""
38
 
39
+ #: src/admin/wp-security-admin-init.php:289
40
  msgid "Enjoyed %1$s? Please leave us a %2$s rating. We really appreciate your support!"
41
  msgstr ""
42
 
43
+ #: src/admin/wp-security-admin-init.php:413, src/admin/wp-security-admin-init.php:413, src/classes/wp-security-two-factor-login.php:95, src/classes/wp-security-two-factor-login.php:95
44
  msgid "WP Security"
45
  msgstr ""
46
 
47
+ #: src/admin/wp-security-admin-init.php:414, src/admin/wp-security-admin-init.php:414, src/admin/wp-security-dashboard-menu.php:27, src/admin/wp-security-dashboard-menu.php:55
48
  msgid "Dashboard"
49
  msgstr ""
50
 
51
+ #: src/admin/wp-security-admin-init.php:415, src/admin/wp-security-admin-init.php:415, src/admin/wp-security-settings-menu.php:95
52
  msgid "Settings"
53
  msgstr ""
54
 
55
+ #: src/admin/wp-security-admin-init.php:416, src/admin/wp-security-admin-init.php:416, src/admin/wp-security-user-accounts-menu.php:60
56
  msgid "User Accounts"
57
  msgstr ""
58
 
59
+ #: src/admin/wp-security-admin-init.php:417, src/admin/wp-security-admin-init.php:417, src/admin/wp-security-user-login-menu.php:59
60
  msgid "User Login"
61
  msgstr ""
62
 
63
+ #: src/admin/wp-security-admin-init.php:418, src/admin/wp-security-admin-init.php:418, src/admin/wp-security-user-registration-menu.php:55
64
  msgid "User Registration"
65
  msgstr ""
66
 
67
+ #: src/admin/wp-security-admin-init.php:419, src/admin/wp-security-admin-init.php:419, src/admin/wp-security-database-menu.php:119
68
  msgid "Database Security"
69
  msgstr ""
70
 
71
+ #: src/admin/wp-security-admin-init.php:423, src/admin/wp-security-admin-init.php:423, src/admin/wp-security-filesystem-menu.php:55
72
  msgid "Filesystem Security"
73
  msgstr ""
74
 
75
+ #: src/admin/wp-security-admin-init.php:428, src/admin/wp-security-admin-init.php:428, src/admin/wp-security-blacklist-menu.php:51
76
  msgid "Blacklist Manager"
77
  msgstr ""
78
 
79
+ #: src/admin/wp-security-admin-init.php:433, src/admin/wp-security-admin-init.php:433, src/admin/wp-security-firewall-menu.php:60
80
  msgid "Firewall"
81
  msgstr ""
82
 
83
+ #: src/admin/wp-security-admin-init.php:435, src/admin/wp-security-admin-init.php:435, src/admin/wp-security-brute-force-menu.php:68
84
  msgid "Brute Force"
85
  msgstr ""
86
 
87
+ #: src/admin/wp-security-admin-init.php:436, src/admin/wp-security-admin-init.php:436, src/admin/wp-security-spam-menu.php:57
88
  msgid "SPAM Prevention"
89
  msgstr ""
90
 
91
+ #: src/admin/wp-security-admin-init.php:440, src/admin/wp-security-admin-init.php:440, src/admin/wp-security-filescan-menu.php:53
92
  msgid "Scanner"
93
  msgstr ""
94
 
95
+ #: src/admin/wp-security-admin-init.php:442, src/admin/wp-security-admin-init.php:442, src/admin/wp-security-maintenance-menu.php:51
96
  msgid "Maintenance"
97
  msgstr ""
98
 
99
+ #: src/admin/wp-security-admin-init.php:443, src/admin/wp-security-admin-init.php:443, src/admin/wp-security-misc-options-menu.php:57
100
  msgid "Miscellaneous"
101
  msgstr ""
102
 
103
+ #: src/admin/wp-security-admin-init.php:444, src/admin/wp-security-admin-init.php:444, src/admin/wp-security-tools-menu.php:64
104
  msgid "Tools"
105
  msgstr ""
106
 
2542
  msgid "Set up now"
2543
  msgstr ""
2544
 
2545
+ #: src/admin/wp-security-firewall-setup-notice.php:614, src/templates/notices/custom-notice.php:10, src/templates/notices/custom-notice.php:12, src/templates/notices/horizontal-notice.php:50, src/templates/notices/horizontal-notice.php:52, src/templates/notices/htaccess-to-php-feature-notice.php:10, src/templates/notices/htaccess-to-php-feature-notice.php:12
2546
  msgid "Dismiss"
2547
  msgstr ""
2548
 
4412
  msgid "Invalid IP retrieve method."
4413
  msgstr ""
4414
 
4415
+ #: src/classes/aios-ajax.php:131, src/wp-security-core.php:257
4416
  msgid "The security check failed; try refreshing the page."
4417
  msgstr ""
4418
 
4419
+ #: src/classes/aios-ajax.php:152, src/wp-security-core.php:267
4420
  msgid "You are not allowed to run this command."
4421
  msgstr ""
4422
 
4423
+ #: src/classes/aios-ajax.php:173, src/wp-security-core.php:281
4424
  msgid "Options can only be saved by network admin"
4425
  msgstr ""
4426
 
4720
  msgid "Your Google reCAPTCHA site key is wrong. Please fill the correct reCAPTCHA keys %s to use the Google reCAPTCHA feature."
4721
  msgstr ""
4722
 
4723
+ #: src/classes/wp-security-general-init-tasks.php:643, src/classes/wp-security-notices.php:99
4724
  msgid "here"
4725
  msgstr ""
4726
 
4740
  msgid "Your registration is pending approval."
4741
  msgstr ""
4742
 
4743
+ #: src/classes/wp-security-notices.php:25
4744
+ msgid "The All in One Security plugin has disabled the login whitelist setting that you have enabled in the past."
4745
  msgstr ""
4746
 
4747
  #: src/classes/wp-security-notices.php:29
4748
+ msgid "Your website is running on an Apache webserver, the login whitelisting might not be functional until the recent update of AIOS (because it relied upon Apache-specific module features)."
4749
+ msgstr ""
4750
+
4751
+ #: src/classes/wp-security-notices.php:31
4752
+ msgid "Your website is running on a non-Apache webserver, so the login whitelisting was not functional until the recent update of AIOS (because it relied upon Apache-specific features)."
4753
+ msgstr ""
4754
+
4755
+ #: src/classes/wp-security-notices.php:33
4756
+ msgid "It began working with AIOS version 5.0.8."
4757
+ msgstr ""
4758
+
4759
+ #: src/classes/wp-security-notices.php:33
4760
+ msgid "We have disabled it so that your login page will not be blocked unexpectedly."
4761
+ msgstr ""
4762
+
4763
+ #: src/classes/wp-security-notices.php:42
4764
+ msgid "Would you like to re-enable login whitelisting?"
4765
+ msgstr ""
4766
+
4767
+ #: src/classes/wp-security-notices.php:48
4768
+ msgid "Removed database backup feature from the All In One WP Security & Firewall plugin"
4769
+ msgstr ""
4770
+
4771
+ #: src/classes/wp-security-notices.php:50
4772
  msgid "Beginning with version 5.0.0, AIOS has replaced the AIOS backup method with the superior UpdraftPlus method."
4773
  msgstr ""
4774
 
4775
+ #: src/classes/wp-security-notices.php:51
4776
  msgid "It remains free and is fully supported by the UpdraftPlus team."
4777
  msgstr ""
4778
 
4779
+ #: src/classes/wp-security-notices.php:54
4780
  msgid "You are seeing this notice because you have previously set up automated database backups in AIOS."
4781
  msgstr ""
4782
 
4783
+ #: src/classes/wp-security-notices.php:55
4784
  msgid "Would you like to set up scheduled backups with UpdraftPlus?"
4785
  msgstr ""
4786
 
4787
+ #: src/classes/wp-security-notices.php:61
4788
  msgid "Setup UpdraftPlus backup plugin"
4789
  msgstr ""
4790
 
4791
+ #: src/classes/wp-security-notices.php:67
4792
  msgid "Important: set up your IP address detection settings"
4793
  msgstr ""
4794
 
4795
+ #: src/classes/wp-security-notices.php:69
4796
  msgid "The All in One Security plugin couldn't be certain about the correct method to detect the IP address for your site visitors with your currently-configured IP address detection settings."
4797
  msgstr ""
4798
 
4799
+ #: src/classes/wp-security-notices.php:70
4800
  msgid "It is important for your security to set the IP address detection settings properly."
4801
  msgstr ""
4802
 
4803
+ #: src/classes/wp-security-notices.php:73
4804
  msgid "Please go to the settings and set them now."
4805
  msgstr ""
4806
 
4807
+ #: src/classes/wp-security-notices.php:79
4808
  msgid "Setup IP address detection settings"
4809
  msgstr ""
4810
 
4811
+ #: src/classes/wp-security-notices.php:85
4812
  msgid "Important: Disabled login whitelist setting"
4813
  msgstr ""
4814
 
4815
+ #: src/classes/wp-security-notices.php:91
4816
+ msgid "Turn it back on"
4817
  msgstr ""
4818
 
4819
+ #: src/classes/wp-security-notices.php:92
4820
+ msgid "Edit the settings"
 
 
 
 
4821
  msgstr ""
4822
 
4823
+ #: src/classes/wp-security-notices.php:95
4824
+ msgid "Keep it off"
 
 
 
 
4825
  msgstr ""
4826
 
4827
+ #: src/classes/wp-security-notices.php:99
4828
  msgid "Hey - We noticed All In One WP Security & Firewall has kept your site safe for a while. If you like us, please consider leaving a positive review to spread the word. Or if you have any issues or questions please leave us a support message %s."
4829
  msgstr ""
4830
 
4831
+ #: src/classes/wp-security-notices.php:99
4832
  msgid "Thank you so much!"
4833
  msgstr ""
4834
 
4835
+ #: src/classes/wp-security-notices.php:99
4836
  msgid "Team All In One WP Security & Firewall"
4837
  msgstr ""
4838
 
4839
+ #: src/classes/wp-security-notices.php:109
4840
  msgid "Enhance your security even more by backing up your site"
4841
  msgstr ""
4842
 
4843
+ #: src/classes/wp-security-notices.php:110
4844
  msgid "UpdraftPlus is the world's most trusted backup plugin from the owners of All In One WP Security & Firewall"
4845
  msgstr ""
4846
 
4847
+ #: src/classes/wp-security-notices.php:121
4848
  msgid "After you've secured your site, we recommend you install our WP-Optimize plugin to streamline it for better website performance."
4849
  msgstr ""
4850
 
4852
  msgid "Not available."
4853
  msgstr ""
4854
 
4855
+ #: src/classes/wp-security-two-factor-login.php:34
4856
  msgid "Two Factor Authentication - Admin Settings"
4857
  msgstr ""
4858
 
4859
+ #: src/classes/wp-security-two-factor-login.php:97, src/classes/wp-security-two-factor-login.php:97
4860
  msgid "Two Factor Auth"
4861
  msgstr ""
4862
 
4863
+ #: src/classes/wp-security-two-factor-login.php:153
4864
  msgid "PHP OpenSSL or mcrypt module required"
4865
  msgstr ""
4866
 
4867
+ #: src/classes/wp-security-two-factor-login.php:153
4868
  msgid "The All In One WP Security plugin's Two Factor Authentication module requires either the PHP openssl (preferred) or mcrypt module to be installed. Please ask your web hosting company to install one of them."
4869
  msgstr ""
4870
 
5272
  msgid "You are using the non-apache server %s, so this feature won't work on your site."
5273
  msgstr ""
5274
 
5275
+ #: src/wp-security-core.php:235, src/wp-security.php:45
5276
  msgid "This plugin requires PHP version %s."
5277
  msgstr ""
5278
 
5279
+ #: src/wp-security-core.php:236
5280
  msgid "Current site PHP version is %s."
5281
  msgstr ""
5282
 
5283
+ #: src/wp-security-core.php:237, src/wp-security.php:47
5284
  msgid "You will need to ask your web hosting company to upgrade."
5285
  msgstr ""
5286
 
5287
+ #: src/wp-security-core.php:396
5288
  msgid "Error:"
5289
  msgstr ""
5290
 
5291
+ #: src/wp-security-core.php:396
5292
  msgid "template not found"
5293
  msgstr ""
5294
 
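--- a/readme.txt
+++ b/readme.txt
@@ -4,8 +4,8 @@ Donate link: https://david.dw-perspective.org.uk/donate
  Tags: security, secure, Anti Virus, antivirus, ban, ban hacker, virus, firewall, firewall security, login, lockdown, htaccess, hack, malware, vulnerability, protect, protection, phishing, database, backup, plugin, sql injection, ssl, restrict, login captcha, bot, hotlink, 404 detection, admin, rename, all in one, scan, scanner, iframe,
  Requires PHP: 5.6
  Requires at least: 5.0
- Tested up to: 6.0
- Stable tag: 5.0.8
+ Tested up to: 6.1
+ Stable tag: 5.0.9
  License: GPLv3 or later
 
  A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site.
@@ -179,6 +179,12 @@ https://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin
 
  == Changelog ==
 
+ = 5.0.9 - 06/October/2022 =
+
+ * FIX: PHP Notice: Only variables should be passed by reference in /wp-content/plugins/all-in-one-wp-security-and-firewall/classes/wp-security-notices.php on line 202.
+ * TWEAK: Auto disable the login whitelisting on upgrade for all server types and shown related notice.
+ * TWEAK : 2FA - Warning: Deprecated: Call get_controller('totp'), not get_totp_controller() in /includes/simba-tfa/simba-tfa.php on line 713.
+
  = 5.0.8 - 29/September/2022 =
 
  * SECURITY/FEATURE: Fix IP address detection, and give IP address detection settings in the Admin Dashboard > WP Security > Settings > Advanced Settings, provide user guidance on how to use them, and notify the user if there any problem is apparent. Versions from 5.0.0 to 5.0.7 had a defect allowing an attacker to spoof their IP address, aiding them to avoid detection or locking out legitimate users. Thanks to Calvin Alkan for the responsible disclosure.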
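--- a/templates/notices/htaccess-to-php-feature-notice.php
+++ b/templates/notices/htaccess-to-php-feature-notice.php
@@ -0,0 +1,43 @@
+ <?php if (!defined('AIO_WP_SECURITY_PATH')) die('No direct access allowed'); ?>
+
+ <div class="aiowps_ad_container error">
+ <div class="aiowps_notice_container">
+ <div class="aiowps_advert_content_right">
+ <h3 class="aiowps_advert_heading">
+ <?php echo $title; ?>
+ <div class="aiowps_advert_dismiss">
+ <?php if (!empty($dismiss_time)) { ?>
+ <a href="#" onclick="jQuery(this).closest('.aiowps_ad_container').slideUp(); jQuery.post(ajaxurl, {action: 'aiowps_ajax', subaction: '<?php echo $dismiss_time;?>', nonce: '<?php echo wp_create_nonce('wp-security-ajax-nonce');?>' });"><?php _e('Dismiss', 'all-in-one-wp-security-and-firewall'); ?></a>
+ <?php } else { ?>
+ <a href="#" onclick="jQuery(this).closest('.aiowps_ad_container').slideUp();"><?php _e('Dismiss', 'all-in-one-wp-security-and-firewall'); ?></a>
+ <?php } ?>
+ </div>
+ </h3>
+ <p>
+ <?php echo $text; ?>
+ </p>
+ <?php
+ if (!empty($button_link) && !empty($button_meta)) {
+ ?>
+ <p>
+ <a class="aiowps_notice_link button button-secondary" href="#" onclick="jQuery(this).closest('.aiowps_ad_container').slideUp(); jQuery.post(ajaxurl, {action: 'aiowps_ajax', subaction: '<?php echo $dismiss_time;?>', nonce: '<?php echo wp_create_nonce('wp-security-ajax-nonce');?>', turn_it_back_on: '1' });">
+ <?php echo $action_button_text; //Turn it back on ?>
+ </a>
+ <a class="aiowps_notice_link button button-secondary" style="margin-left: 8px;" href="#" onclick="jQuery(this).closest('.aiowps_ad_container').slideUp(); jQuery.post(ajaxurl, {action: 'aiowps_ajax', subaction: '<?php echo $dismiss_time;?>', nonce: '<?php echo wp_create_nonce('wp-security-ajax-nonce');?>', dismiss_forever: '1' });">
+ <?php echo $dismiss_text; // Keep it off ?>
+ </a>
+ <a style="margin-left: 8px;" class="aiowps_notice_link button button-secondary" href="javascript:void(0);" onclick="jQuery(this).prop('disabled', true ).closest('.aiowps_ad_container').slideUp(); jQuery.post(ajaxurl, {action: 'aiowps_ajax', subaction: '<?php echo $dismiss_time;?>', nonce: '<?php echo wp_create_nonce('wp-security-ajax-nonce');?>', dismiss_forever: '1' }, function(resp) {
+ window.location.href = '<?php echo $button_link; ?>';
+ return false;
+ }).done(function() { jQuery(this).prop('disabled', false); });">
+ <?php echo $button_meta; // Edit the settings ?>
+ </a>
+ </p>
+ <?php
+ }
+ ?>
+
+ </div>
+ </div>
+ <div class="clear"></div>
+ </div>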
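Review bot: Every PHP value in this new template is echoed without escaping, and two of them land inside inline `onclick` JavaScript: `$dismiss_time` in the `subaction:` string on lines 10, 23, 26 and 29, and `$button_link` in `window.location.href` on line 30. The values presumably come from the plugin's own notice definitions, but the template should not rely on that, since a quote character in either one breaks out of the script string inside the attribute. I would write `subaction: '<?php echo esc_js($dismiss_time); ?>'` and `window.location.href = '<?php echo esc_js(esc_url_raw($button_link)); ?>';`, and `<?php echo esc_html($title); ?>` for the heading (with `wp_kses_post($text)` if the body text is meant to carry markup). The button block on lines 20-37 also posts `$dismiss_time` although only `$button_link` and `$button_meta` are tested there, so an empty `$dismiss_time` would send an empty subaction.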
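--- a/vendor/composer/installed.php
+++ b/vendor/composer/installed.php
@@ -5,7 +5,7 @@
  'type' => 'project',
  'install_path' => __DIR__ . '/../../',
  'aliases' => array(),
- 'reference' => '61ce6659bdea4d22431826c5d8e6d3e67de9a0c6',
+ 'reference' => 'fd513cabb22b0d7678959e2d6cb04f4d22cf5f61',
  'name' => 'updraftplus/all-in-one-wp-security-and-firewall',
  'dev' => false,
  ),
@@ -34,7 +34,7 @@
  'type' => 'project',
  'install_path' => __DIR__ . '/../../',
  'aliases' => array(),
- 'reference' => '61ce6659bdea4d22431826c5d8e6d3e67de9a0c6',
+ 'reference' => 'fd513cabb22b0d7678959e2d6cb04f4d22cf5f61',
  'dev_requirement' => false,
  ),
  ),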
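--- a/wp-security-core.php
+++ b/wp-security-core.php
@@ -8,9 +8,9 @@ if (!class_exists('AIO_WP_Security')) {
 
  class AIO_WP_Security {
 
- public $version = '5.0.8';
+ public $version = '5.0.9';
 
- public $db_version = '1.9.5';
+ public $db_version = '1.9.6';
 
  public $plugin_url;
 
@@ -95,6 +95,11 @@ if (!class_exists('AIO_WP_Security')) {
 
  }
 
+ /**
+ * Return the URL for the plugin directory
+ *
+ * @return String
+ */
  public function plugin_url() {
  if ($this->plugin_url) return $this->plugin_url;
  return $this->plugin_url = plugins_url('', __FILE__);
@@ -142,7 +147,7 @@ if (!class_exists('AIO_WP_Security')) {
  define('AIOWPSEC_TWO_FACTOR_AUTH_MENU_SLUG', 'aiowpsec_two_factor_auth_user');
  define('AIOWPSEC_TOOLS_MENU_SLUG', 'aiowpsec_tools');
 
- if (!defined('AIOS_TFA_PREMIUM_LATEST_INCOMPATIBLE_VERSION')) define('AIOS_TFA_PREMIUM_LATEST_INCOMPATIBLE_VERSION', '1.14.3');
+ if (!defined('AIOS_TFA_PREMIUM_LATEST_INCOMPATIBLE_VERSION')) define('AIOS_TFA_PREMIUM_LATEST_INCOMPATIBLE_VERSION', '1.14.7');
 
  if (!defined('AIOWPSEC_PURGE_FAILED_LOGIN_RECORDS_AFTER_DAYS')) define('AIOWPSEC_PURGE_FAILED_LOGIN_RECORDS_AFTER_DAYS', 90);
  if (!defined('AIOS_PURGE_EVENTS_RECORDS_AFTER_DAYS')) define('AIOS_PURGE_EVENTS_RECORDS_AFTER_DAYS', 90);
@@ -298,6 +303,9 @@ if (!class_exists('AIO_WP_Security')) {
  } elseif ('dismiss_ip_retrieval_settings_notice' == $subaction) {
  $this->configs->set_value('aiowps_is_login_whitelist_disabled_on_upgrade', 1);
  } elseif ('dismiss_login_whitelist_disabled_on_upgrade_notice' == $subaction) {
+ if (isset($_POST['turn_it_back_on']) && '1' == $_POST['turn_it_back_on']) {
+ $this->configs->set_value('aiowps_enable_whitelisting', '1');
+ }
  $this->configs->delete_value('aiowps_is_login_whitelist_disabled_on_upgrade');
  } else {
  // Other commands, available for any remote method.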
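Review bot: The `turn_it_back_on` branch added in the last hunk (new lines 306-308) switches `aiowps_enable_whitelisting` back on from a POST field inside what is otherwise a notice-dismiss handler, and no authorisation check is visible around it. The request carries the `wp-security-ajax-nonce` value, but where it is verified and whether a capability is tested lie outside the hunk, as the enclosing handler starts and ends beyond it. Please confirm that a `current_user_can('manage_options')` style check runs before this branch, and make the comparison strict: `'1' === $_POST['turn_it_back_on']`. Re-enabling in one click also skips any test that the stored whitelist still contains the administrator's current address, which is the lockout the new upgrade notice says the automatic disable was meant to prevent.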
wp-security.php CHANGED
@@ -2,7 +2,7 @@
2
  // @codingStandardsIgnoreStart
3
  /*
4
  Plugin Name: All In One WP Security
5
- Version: 5.0.8
6
  Plugin URI: https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
7
  Update URI: https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
8
  Author: All In One WP Security & Firewall Team
2
  // @codingStandardsIgnoreStart
3
  /*
4
  Plugin Name: All In One WP Security
5
+ Version: 5.0.9
6
  Plugin URI: https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
7
  Update URI: https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
8
  Author: All In One WP Security & Firewall Team