iThemes Security (formerly Better WP Security) - Version 5.6.2

Version Description

  • Security Fix: Fixed issue where a locked out but not yet blacklisted IP/user could receive different HTTP headers when testing a valid username/password combination. Thanks Leon Atkinson of 18INT for contacting us about this issue.
    • Security Fix: Updated log output to prevent specific kinds of logged requests from displaying without sanitization. Thanks to Slavco Mihajloski for contacting us about this issue.
    • Bug Fix: The Security > Security Check link now works as expected in multisite.
    • Bug Fix: Fixed bug that could prevent the "Filter Long URL Strings" feature from working properly.
    • Bug Fix: Removed restrictions in the "Filter Long URL Strings" feature that were unrelated to request length.
    • Bug Fix: Corrected a settings description typo in Global Settings.
    • Bug Fix: Fixed bug that could result in issues authenticating over XML-RPC when the WordPress Tweaks > Multiple Authentication Attempts per XML-RPC Request setting is set to "Block".
    • Misc: Added placeholder for the Version Management module of iThemes Security Pro.
    • Misc: Updated build number to trigger some updates.

Release Info

Developer chrisjean
Version 5.6.2

Code changes from version 5.6.1 to 5.6.2

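--- a/better-wp-security.php
+++ b/better-wp-security.php
@@ -6,7 +6,7 @@
  * Description: Take the guesswork out of WordPress security. iThemes Security offers 30+ ways to lock down WordPress in an easy-to-use WordPress security plugin.
  * Author: iThemes
  * Author URI: https://ithemes.com
- * Version: 5.6.1
+ * Version: 5.6.2
  * Text Domain: better-wp-security
  * Network: True
  * License: GPLv2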
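--- a/core/admin-pages/css/style.css
+++ b/core/admin-pages/css/style.css
@@ -644,3 +644,32 @@ body.itsec-modal-open {
 .itsec-two-factor .dashicons.dashicons-unlock {
 color: #dc3232;
 }
+.itsec-password-age {
+display:inline-block;
+}
+.itsec-password-strength {
+background: #ddd;
+border: 1px solid #aaa;
+border-radius: 3px;
+color: #23282d;
+display: inline-block;
+font-size: 11px;
+line-height: 1.5;
+padding: 0px 4px;
+}
+.itsec-password-strength.short {
+background: #f1adad;
+border-color: #e35b5b;
+}
+.itsec-password-strength.bad {
+background-color: #fbc5a9;
+border-color: #f78b53;
+}
+.itsec-password-strength.good {
+background-color: #ffe399;
+border-color: #ffc733;
+}
+.itsec-password-strength.strong {
+background-color: #c1e1b9;
+border-color: #83c373;
+}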
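--- a/core/class-itsec-core.php
+++ b/core/class-itsec-core.php
@@ -74,7 +74,7 @@ if ( ! class_exists( 'ITSEC_Core' ) ) {
 public function init( $plugin_file, $plugin_name ) {
 global $itsec_globals, $itsec_logger, $itsec_lockout;
 
-$this->plugin_build = 4041; // used to trigger updates
+$this->plugin_build = 4043; // used to trigger updates
 $this->plugin_file = $plugin_file;
 $this->plugin_dir = dirname( $plugin_file ) . '/';
 $this->current_time = current_time( 'timestamp' );
@@ -621,7 +621,7 @@ if ( ! class_exists( 'ITSEC_Core' ) ) {
 }
 
 public static function get_security_check_page_url() {
-return admin_url( 'admin.php?page=itsec&module=security-check' );
+return network_admin_url( 'admin.php?page=itsec&module=security-check' );
 }
 
 public static function set_interactive( $interactive ) {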
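Review bot: `get_security_check_page_url()` (line 623) has no docblock, and the reason for switching to `network_admin_url()` lives only in the changelog; add `/** Returns the URL of the Security Check page. Uses network_admin_url() so the link resolves on multisite; on single-site installs WordPress falls back to admin_url(). */` above the method. The URL is returned unescaped, so any caller that echoes it into HTML — none is visible in this section — must wrap it in `esc_url()`. In the `init()` hunk, `plugin_build` on line 77 is a bare magic number whose comment `// used to trigger updates` does not say what compares against it; naming the consumer in the comment would make future bumps less error-prone.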
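--- a/core/class-itsec-lockout.php
+++ b/core/class-itsec-lockout.php
@@ -27,6 +27,9 @@ final class ITSEC_Lockout {
 //Check for host lockouts
 add_action( 'init', array( $this, 'check_lockout' ) );
 
+// Ensure that locked out users are prevented from checking logins.
+add_filter( 'authenticate', array( $this, 'check_authenticate_lockout' ), 30 );
+
 // Updated temp whitelist to ensure that admin users are automatically added.
 add_action( 'init', array( $this, 'update_temp_whitelist' ), 0 );
 
@@ -53,6 +56,16 @@ final class ITSEC_Lockout {
 require_once( dirname( __FILE__ ) . '/sidebar-widget-active-lockouts.php' );
 }
 
+public function check_authenticate_lockout( $user ) {
+if ( ! ( $user instanceof WP_User ) ) {
+return $user;
+}
+
+$this->check_lockout( $user->ID );
+
+return $user;
+}
+
 /**
 * Checks if the host or user is locked out and executes lockout
 *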
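Review bot: The fix in `check_authenticate_lockout()` (line 59) depends on `check_lockout()` not returning when a lockout is active; if it only returns, the valid `WP_User` is still handed back on line 66 and the response again differs from a failed login, which is exactly the distinction the changelog says is being closed. `check_lockout()` is outside this hunk, so the dependency should be stated on the new method, e.g. `/** 'authenticate' filter (priority 30): re-runs the lockout check once credentials are known to be valid, so check_lockout() must exit on an active lockout. @param WP_User|WP_Error|null $user @return WP_User|WP_Error|null */`. The early return on line 61 deliberately leaves `WP_Error`/`null` results untouched, presumably because the failed-login path already drives lockouts elsewhere; a one-line comment saying so would keep a later reader from seeing it as a gap.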
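--- a/core/class-itsec-logger-all-logs.php
+++ b/core/class-itsec-logger-all-logs.php
@@ -148,9 +148,9 @@ final class ITSEC_Logger_All_Logs extends ITSEC_WP_List_Table {
 global $itsec_logger;
 
 $raw_data = maybe_unserialize( $item['data'] );
-
+
 $data = apply_filters( "itsec_logger_filter_{$item['type']}_data_column_details", '', $raw_data );
-
+
 if ( empty( $data ) ) {
 if ( is_array( $raw_data ) && sizeof( $raw_data ) > 0 ) {
 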
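--- a/core/class-itsec-logger.php
+++ b/core/class-itsec-logger.php
@@ -155,7 +155,7 @@ final class ITSEC_Logger {
 
 if ( isset( $this->logger_modules[ $module ] ) ) {
 $type = ITSEC_Modules::get_setting( 'global', 'log_type' );
-
+
 if ( 'database' === $type || 'both' === $type ) {
 $this->_log_event_to_db( $module, $priority, $data, $host, $username, $user, $url, $referrer );
 }
@@ -320,7 +320,7 @@ final class ITSEC_Logger {
 $items .= '<li>';
 
 if ( ! is_numeric( $key ) ) {
-$items .= '<h3>' . $key . '</h3>';
+$items .= '<h3>' . esc_html( $key ) . '</h3>';
 }
 
 $items .= $this->print_array( $item, true ) . PHP_EOL;
@@ -330,7 +330,7 @@ final class ITSEC_Logger {
 } else {
 
 if ( strlen( trim( $item ) ) > 0 ) {
-$items .= '<li><h3>' . $key . ' = ' . $item . '</h3></li>' . PHP_EOL;
+$items .= '<li><h3>' . esc_html( $key ) . ' = ' . esc_html( $item ) . '</h3></li>' . PHP_EOL;
 }
 
 }
@@ -366,7 +366,7 @@ final class ITSEC_Logger {
 
 //Clean up the database log first
 $type = ITSEC_Modules::get_setting( 'global', 'log_type' );
-
+
 if ( 'database' === $type || 'both' === $type ) {
 
 $wpdb->query( "DELETE FROM `" . $wpdb->base_prefix . "itsec_log` WHERE `log_date_gmt` < '" . date( 'Y-m-d H:i:s', $itsec_globals['current_time_gmt'] - ( ITSEC_Modules::get_setting( 'global', 'log_rotation' ) * DAY_IN_SECONDS ) ) . "';" );
@@ -404,7 +404,7 @@ final class ITSEC_Logger {
 */
 private function rotate_log() {
 $log_file = $this->get_log_file();
-
+
 if ( ! @file_exists( $log_file ) || @filesize( $log_file ) < 10485760 ) { // 10485760 is 1 mebibyte
 return;
 }
@@ -496,24 +496,24 @@ final class ITSEC_Logger {
 return $this->log_file;
 $this->rotate_log();
 }
-
+
 $log_location = ITSEC_Modules::get_setting( 'global', 'log_location' );
 $log_info = ITSEC_Modules::get_setting( 'global', 'log_info' );
-
+
 if ( empty( $log_info ) ) {
 // We need wp_generate_password() to create a cryptographically secure file name
 if ( ! function_exists( 'wp_generate_password' ) ) {
 $this->log_file = false;
 return false;
 }
-
+
 $log_info = substr( sanitize_title( get_bloginfo( 'name' ) ), 0, 20 ) . '-' . wp_generate_password( 30, false );
-
+
 ITSEC_Modules::set_setting( 'global', 'log_info', $log_info );
 }
-
+
 $this->log_file = "$log_location/event-log-$log_info.log";
-
+
 return $this->log_file;
 }
 
@@ -524,7 +524,7 @@ final class ITSEC_Logger {
 */
 private function _prepare_log_file() {
 $log_file = $this->get_log_file();
-
+
 // We can't prepare a file if we can't get the file name
 if ( false === $log_file ) {
 return false;
@@ -544,13 +544,13 @@ final class ITSEC_Logger {
 
 private function add_to_log_file( $details ) {
 $log_file = $this->get_log_file();
-
+
 if ( false === $log_file ) {
 return false;
 }
-
+
 @error_log( $details . PHP_EOL, 3, $log_file );
-
+
 return true;
 }
 }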
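Review bot: In the `get_log_file()` hunk, `$this->rotate_log()` on line 497 follows an unconditional `return $this->log_file;` on line 496 and can never execute, so rotation never happens from the cached path; either swap the two lines or remove the call — the `if` that closes on line 498 opens before the hunk, so the intent has to be confirmed there. The comment on line 408 is wrong: 10485760 bytes is 10 MiB, not 1 mebibyte; write `// 10485760 bytes = 10 MiB`. The `esc_html()` additions in `print_array()` (lines 323 and 333) are the right fix for rendering logged request data; the value on line 333 may also be a non-string scalar from unserialized data, in which case `trim()` relies on implicit coercion (and `null` is deprecated there in PHP 8.1), so a `(string)` cast or `is_scalar()` guard would make the branch explicit.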
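--- a/core/history.txt
+++ b/core/history.txt
@@ -416,3 +416,16 @@
 Bug Fix: Limited notices to only display on specific pages on the dashboard.
 Compatibility Fix: Changed name of the $HTTP_RAW_POST_DATA variable to avoid erroneously tripping PHP 7 compatibility checks.
 Code Cleanup: Removed legacy code that is no longer needed.
+2.5.3 - 2016-08-25 - Chris Jean & Aaron D. Campbell
+Bug Fix: The Security > Security Check link now works as expected in multisite.
+2.5.4 - 2016-08-29 - Chris Jean & Aaron D. Campbell
+Misc: Added placeholder for the Version Management module of iThemes Security Pro.
+2.5.5 - 2016-09-13 - Chris Jean
+Bug Fix: Fixed bug that could prevent the "Filter Long URL Strings" feature from working properly.
+Bug Fix: Removed restrictions in the "Filter Long URL Strings" feature that were unrelated to request length.
+Misc: Updated build number to trigger some updates.
+2.5.6 - 2016-09-27 - Chris Jean
+Security Fix: Fixed issue where a locked out but not yet blacklisted IP/user could receive different HTTP headers when testing a valid username/password combination. Thanks Leon Atkinson of 18INT for contacting us about this issue.
+Security Fix: Updated log output to prevent specific kinds of logged requests from displaying without sanitization. Thanks to Slavco Mihajloski for contacting us about this issue.
+Bug Fix: Corrected a settings description typo in Global Settings.
+Bug Fix: Fixed bug that could result in issues authenticating over XML-RPC when the WordPress Tweaks > Multiple Authentication Attempts per XML-RPC Request setting is set to "Block".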
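--- a/core/lib/class-itsec-lib-user-activity.php
+++ b/core/lib/class-itsec-lib-user-activity.php
@@ -46,6 +46,7 @@ final class ITSEC_Lib_User_Activity {
 
 if ( $last_seen < time() - HOUR_IN_SECONDS ) {
 update_user_meta( $this->user_id, 'itsec_user_activity_last_seen', time() );
+delete_user_meta( $this->user_id, 'itsec_user_activity_last_seen_notification_sent' );
 }
 }
 }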
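Review bot: The new `delete_user_meta()` call on line 49 is unexplained; it appears to reset a "notification sent" flag whenever `last_seen` is refreshed, which is intent that belongs in a comment: `// Clear the notification-sent flag so an inactivity notice can be sent again after a future idle period — confirm against the code that sets it.` Both meta writes are gated by the hourly check on line 47, so the cost is bounded, but the delete issues a query even when no flag row exists; that is acceptable unless this runs on very high-traffic sites. The enclosing method starts before the hunk, so where `$last_seen` comes from is not visible here.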
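--- a/core/modules/file-change/class-itsec-file-change-log.php
+++ b/core/modules/file-change/class-itsec-file-change-log.php
@@ -114,7 +114,7 @@ final class ITSEC_File_Change_Log extends ITSEC_WP_List_Table {
 if ( sizeof( $item['added_detail'] ) > 0 ) {
 
 foreach ( $item['added_detail'] as $file => $details ) {
-echo '<li class="file_change_detail"><strong>' . __( 'File', 'better-wp-security' ) . '</strong>: ' . $file . '<br /><strong>' . __( 'Date', 'better-wp-security' ) . '</strong>: ' . date( 'l F jS, Y \a\t g:i a e', ( isset( $details['mod_date'] ) ? $details['mod_date'] : $details['d'] ) ) . '</li>';
+echo '<li class="file_change_detail"><strong>' . __( 'File', 'better-wp-security' ) . '</strong>: ' . esc_html( $file ) . '<br /><strong>' . __( 'Date', 'better-wp-security' ) . '</strong>: ' . date( 'l F jS, Y \a\t g:i a e', ( isset( $details['mod_date'] ) ? $details['mod_date'] : $details['d'] ) ) . '</li>';
 }
 
 } else {
@@ -132,7 +132,7 @@ final class ITSEC_File_Change_Log extends ITSEC_WP_List_Table {
 if ( sizeof( $item['removed_detail'] ) > 0 ) {
 
 foreach ( $item['removed_detail'] as $file => $details ) {
-echo '<li class="file_change_detail"><strong>' . __( 'File', 'better-wp-security' ) . '</strong>:' . $file . '<br /><strong>' . __( 'Date', 'better-wp-security' ) . '</strong>: ' . date( 'l F jS, Y \a\t g:i a e', ( isset( $details['mod_date'] ) ? $details['mod_date'] : $details['d'] ) ) . '</li>';
+echo '<li class="file_change_detail"><strong>' . __( 'File', 'better-wp-security' ) . '</strong>:' . esc_html( $file ) . '<br /><strong>' . __( 'Date', 'better-wp-security' ) . '</strong>: ' . date( 'l F jS, Y \a\t g:i a e', ( isset( $details['mod_date'] ) ? $details['mod_date'] : $details['d'] ) ) . '</li>';
 }
 
 } else {
@@ -150,7 +150,7 @@ final class ITSEC_File_Change_Log extends ITSEC_WP_List_Table {
 if ( sizeof( $item['changed_detail'] ) > 0 ) {
 
 foreach ( $item['changed_detail'] as $file => $details ) {
-echo '<li class="file_change_detail"><strong>' . __( 'File', 'better-wp-security' ) . '</strong>: ' . $file . '<br /><strong>' . __( 'Date', 'better-wp-security' ) . '</strong>: ' . date( 'l F jS, Y \a\t g:i a e', ( isset( $details['mod_date'] ) ? $details['mod_date'] : $details['d'] ) ) . '</li>';
+echo '<li class="file_change_detail"><strong>' . __( 'File', 'better-wp-security' ) . '</strong>: ' . esc_html( $file ) . '<br /><strong>' . __( 'Date', 'better-wp-security' ) . '</strong>: ' . date( 'l F jS, Y \a\t g:i a e', ( isset( $details['mod_date'] ) ? $details['mod_date'] : $details['d'] ) ) . '</li>';
 }
 
 } else {
@@ -252,4 +252,4 @@ final class ITSEC_File_Change_Log extends ITSEC_WP_List_Table {
 
 }
 
-}
+}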
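Review bot: Line 135 in the `removed_detail` hunk still emits `'</strong>:' . esc_html( $file )` with no space after the colon, unlike lines 117 and 153 (`'</strong>: '`); change it to `'</strong>: ' . esc_html( $file )` so the three lists render identically. The `esc_html( $file )` additions close the unescaped file-name output; the labels are still concatenated raw from `__()`, and `esc_html__( 'File', 'better-wp-security' )` is the WordPress convention for text in an HTML context. The `date()` argument `( isset( $details['mod_date'] ) ? $details['mod_date'] : $details['d'] )` assumes one of those keys exists and holds an integer; since both come from stored log data, a missing or non-numeric value would produce a notice or, on PHP 8, a `TypeError` rather than a row — a guard is worth considering, though the enclosing method starts and ends outside these hunks.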
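--- a/core/modules/global/settings-page.php
+++ b/core/modules/global/settings-page.php
@@ -195,7 +195,7 @@ final class ITSEC_Global_Settings_Page extends ITSEC_Module_Settings_Page {
 <th scope="row"><label for="itsec-global-log_type"><?php _e( 'Log Type', 'better-wp-security' ); ?></label></th>
 <td>
 <?php $form->add_select( 'log_type', $log_types ); ?>
-<label for="itsec-global-log_type"><?php _e( 'How should even logs be kept', 'better-wp-security' ); ?></label>
+<label for="itsec-global-log_type"><?php _e( 'How should event logs be kept', 'better-wp-security' ); ?></label>
 <p class="description"><?php _e( 'iThemes Security can log events in multiple ways, each with advantages and disadvantages. Database Only puts all events in the database with your posts and other WordPress data. This makes it easy to retrieve and process but can be slower if the database table gets very large. File Only is very fast but the plugin does not process the logs itself as that would take far more resources. For most users or smaller sites Database Only should be fine. If you have a very large site or a log processing software then File Only might be a better option.', 'better-wp-security' ); ?></p>
 </td>
 </tr>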
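--- a/core/modules/pro/settings-page.php
+++ b/core/modules/pro/settings-page.php
@@ -133,3 +133,19 @@ final class ITSEC_User_Security_Check_Settings_Page extends ITSEC_Module_Setting
 }
 }
 new ITSEC_User_Security_Check_Settings_Page();
+
+
+final class ITSEC_Version_Management_Settings_Page extends ITSEC_Module_Settings_Page {
+public function __construct() {
+$this->id = 'version-management';
+$this->title = __( 'Version Management', 'better-wp-security' );
+$this->description = __( 'Protect your site when outdated software is not updated quickly enough.', 'better-wp-security' );
+$this->type = 'recommended';
+$this->pro = true;
+$this->upsell = true;
+$this->upsell_url = 'https://ithemes.com/wordpress-version-management-ithemes-security-pro/?utm_source=wordpressadmin&utm_medium=widget&utm_campaign=itsecfreecta';
+
+parent::__construct();
+}
+}
+new ITSEC_Version_Management_Settings_Page();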
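Review bot: The new `ITSEC_Version_Management_Settings_Page` class (line 138) has no docblock and nothing in the file says it is only a placeholder; add `/** Placeholder entry for the Pro-only Version Management module: flags pro + upsell and registers no settings of its own. */` above it. The properties `$id`, `$title`, `$description`, `$type`, `$pro`, `$upsell` and `$upsell_url` are assigned without being declared here, so they are presumably declared on `ITSEC_Module_Settings_Page`; if `$upsell_url` is not, it becomes a dynamic property, which PHP 8.2 deprecates. Wherever the base class echoes `upsell_url`, it should pass through `esc_url()`, since the literal carries query parameters.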
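--- a/core/modules/system-tweaks/class-itsec-system-tweaks.php
+++ b/core/modules/system-tweaks/class-itsec-system-tweaks.php
@@ -2,110 +2,107 @@
 
 final class ITSEC_System_Tweaks {
 private static $instance = false;
-
+
 private $hooks_added = false;
-
-
+
+
 private function __construct() {
 $this->add_hooks();
 }
-
+
 public static function get_instance() {
 if ( ! self::$instance ) {
 self::$instance = new self;
 }
-
+
 return self::$instance;
 }
-
+
 public static function activate() {
 $self = self::get_instance();
-
+
 $self->add_hooks();
 ITSEC_Response::regenerate_server_config();
 }
-
+
 public static function deactivate() {
 $self = self::get_instance();
-
+
 $self->remove_hooks();
 ITSEC_Response::regenerate_server_config();
 }
-
+
 public function add_hooks() {
 if ( $this->hooks_added ) {
 return;
 }
-
+
 add_filter( 'itsec_filter_apache_server_config_modification', array( $this, 'filter_apache_server_config_modification' ) );
 add_filter( 'itsec_filter_nginx_server_config_modification', array( $this, 'filter_nginx_server_config_modification' ) );
 add_filter( 'itsec_filter_litespeed_server_config_modification', array( $this, 'filter_litespeed_server_config_modification' ) );
-
-if ( ITSEC_Modules::get_setting( 'system-tweaks',' long_url_string' ) ) {
+
+if ( ITSEC_Modules::get_setting( 'system-tweaks', 'long_url_strings' ) ) {
 add_action( 'itsec_initialized', array( $this, 'block_long_urls' ) );
 }
-
+
 $this->hooks_added = true;
 }
-
+
 public function remove_hooks() {
 remove_filter( 'itsec_filter_apache_server_config_modification', array( $this, 'filter_apache_server_config_modification' ) );
 remove_filter( 'itsec_filter_nginx_server_config_modification', array( $this, 'filter_nginx_server_config_modification' ) );
 remove_filter( 'itsec_filter_litespeed_server_config_modification', array( $this, 'filter_litespeed_server_config_modification' ) );
-
+
 remove_action( 'itsec_initialized', array( $this, 'block_long_urls' ) );
-
+
 $this->hooks_added = false;
 }
-
+
 public function filter_apache_server_config_modification( $modification ) {
 require_once( dirname( __FILE__ ) . '/config-generators.php' );
-
+
 return ITSEC_System_Tweaks_Config_Generators::filter_apache_server_config_modification( $modification );
 }
-
+
 public function filter_nginx_server_config_modification( $modification ) {
 require_once( dirname( __FILE__ ) . '/config-generators.php' );
-
+
 return ITSEC_System_Tweaks_Config_Generators::filter_nginx_server_config_modification( $modification );
 }
-
+
 public function filter_litespeed_server_config_modification( $modification ) {
 require_once( dirname( __FILE__ ) . '/config-generators.php' );
-
+
 return ITSEC_System_Tweaks_Config_Generators::filter_litespeed_server_config_modification( $modification );
 }
-
+
 public function block_long_urls() {
 if ( strlen( $_SERVER['REQUEST_URI'] ) <= 255 ) {
 return;
 }
-
+
 if ( is_admin() ) {
 return;
 }
-
+
 if ( defined( 'WP_CLI' ) && WP_CLI ) {
 return;
 }
-
+
 if ( ITSEC_Core::is_iwp_call() ) {
 return;
 }
-
+
 if ( strpos( $_SERVER['REQUEST_URI'], 'infinity=scrolling&action=infinite_scroll' ) ) {
 return;
 }
-
-// TODO: These checks should not be part of the "Filter Long URL Strings" feature.
-if ( strpos( $_SERVER['REQUEST_URI'], 'eval(' ) || strpos( $_SERVER['REQUEST_URI'], 'CONCAT' ) || strpos( $_SERVER['REQUEST_URI'], 'UNION+SELECT' ) || strpos( $_SERVER['REQUEST_URI'], 'base64' ) ) {
-@header( 'HTTP/1.1 414 Request-URI Too Long' );
-@header( 'Status: 414 Request-URI Too Long' );
-@header( 'Cache-Control: no-cache, must-revalidate' );
-@header( 'Expires: Thu, 22 Jun 1978 00:28:00 GMT' );
-@header( 'Connection: Close' );
-@exit;
-}
+
+@header( 'HTTP/1.1 414 Request-URI Too Long' );
+@header( 'Status: 414 Request-URI Too Long' );
+@header( 'Cache-Control: no-cache, must-revalidate' );
+@header( 'Expires: Thu, 22 Jun 1978 00:28:00 GMT' );
+@header( 'Connection: Close' );
+@exit;
 }
 }
 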
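Review bot: `block_long_urls()` reads `$_SERVER['REQUEST_URI']` on line 80 before the WP_CLI guard on line 88, so any invocation that leaves the key unset raises an undefined-index notice before the guard is reached; check presence first: `if ( empty( $_SERVER['REQUEST_URI'] ) || strlen( $_SERVER['REQUEST_URI'] ) <= 255 ) {`. The `strpos()` test on line 96 relies on truthiness; `false !== strpos( ... )` states the intent and is the idiom the rest of the codebase is expected to follow. The corrected key `'long_url_strings'` on line 44 shows how a stringly-typed setting name silently disabled the whole feature — a class constant for the key, or a settings lookup that fails loudly on an unknown name, would prevent a repeat. With the content-based checks removed as the changelog describes, the method now does exactly what its name says; a docblock stating that it sends a 414 and exits for request URIs longer than 255 bytes (outside the admin, WP-CLI, iWP and infinite-scroll cases) would document the contract.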
core/modules/wordpress-tweaks/class-itsec-wordpress-tweaks.php CHANGED
@@ -2,62 +2,62 @@
2
 
3
  final class ITSEC_WordPress_Tweaks {
4
  private static $instance = false;
5
-
6
  private $config_hooks_added = false;
7
  private $settings;
8
  private $first_xmlrpc_credentials;
9
-
10
-
11
  private function __construct() {
12
  $this->init();
13
  }
14
-
15
  public static function get_instance() {
16
  if ( ! self::$instance ) {
17
  self::$instance = new self;
18
  }
19
-
20
  return self::$instance;
21
  }
22
-
23
  public static function activate() {
24
  $self = self::get_instance();
25
-
26
  $self->add_config_hooks();
27
  ITSEC_Response::regenerate_server_config();
28
  ITSEC_Response::regenerate_wp_config();
29
  }
30
-
31
  public static function deactivate() {
32
  $self = self::get_instance();
33
-
34
  $self->remove_config_hooks();
35
  ITSEC_Response::regenerate_server_config();
36
  ITSEC_Response::regenerate_wp_config();
37
  }
38
-
39
  public function add_config_hooks() {
40
  if ( $this->config_hooks_added ) {
41
  return;
42
  }
43
-
44
  add_filter( 'itsec_filter_apache_server_config_modification', array( $this, 'filter_apache_server_config_modification' ) );
45
  add_filter( 'itsec_filter_nginx_server_config_modification', array( $this, 'filter_nginx_server_config_modification' ) );
46
  add_filter( 'itsec_filter_litespeed_server_config_modification', array( $this, 'filter_litespeed_server_config_modification' ) );
47
  add_filter( 'itsec_filter_wp_config_modification', array( $this, 'filter_wp_config_modification' ) );
48
-
49
  $this->config_hooks_added = true;
50
  }
51
-
52
  public function remove_config_hooks() {
53
  remove_filter( 'itsec_filter_apache_server_config_modification', array( $this, 'filter_apache_server_config_modification' ) );
54
  remove_filter( 'itsec_filter_nginx_server_config_modification', array( $this, 'filter_nginx_server_config_modification' ) );
55
  remove_filter( 'itsec_filter_litespeed_server_config_modification', array( $this, 'filter_litespeed_server_config_modification' ) );
56
  remove_filter( 'itsec_filter_wp_config_modification', array( $this, 'filter_wp_config_modification' ) );
57
-
58
  $this->config_hooks_added = false;
59
  }
60
-
61
  public function init() {
62
  $this->add_config_hooks();
63
 
@@ -122,14 +122,14 @@ final class ITSEC_WordPress_Tweaks {
122
  $username,
123
  $password
124
  );
125
-
126
- return $filter_var;
127
  }
128
-
129
  if ( $username === $this->first_xmlrpc_credentials[0] && $password === $this->first_xmlrpc_credentials[1] ) {
130
- return $filter_var;
131
  }
132
-
133
  status_header( 405 );
134
  header( 'Content-Type: text/plain' );
135
  die( __( 'XML-RPC services are disabled on this site.' ) );
@@ -217,11 +217,11 @@ final class ITSEC_WordPress_Tweaks {
217
  */
218
  function store_jquery_version() {
219
  global $wp_scripts;
220
-
221
  if ( ( is_home() || is_front_page() ) && is_user_logged_in() ) {
222
  $stored_jquery_version = ITSEC_Modules::get_setting( 'wordpress-tweaks', 'jquery_version' );
223
  $current_jquery_version = $wp_scripts->registered['jquery']->ver;
224
-
225
  if ( $current_jquery_version !== $stored_jquery_version ) {
226
  ITSEC_Modules::set_setting( 'wordpress-tweaks', 'jquery_version', $current_jquery_version );
227
  }
@@ -288,25 +288,25 @@ final class ITSEC_WordPress_Tweaks {
288
 
289
  public function filter_wp_config_modification( $modification ) {
290
  require_once( dirname( __FILE__ ) . '/config-generators.php' );
291
-
292
  return ITSEC_WordPress_Tweaks_Config_Generators::filter_wp_config_modification( $modification );
293
  }
294
-
295
  public function filter_apache_server_config_modification( $modification ) {
296
  require_once( dirname( __FILE__ ) . '/config-generators.php' );
297
-
298
  return ITSEC_WordPress_Tweaks_Config_Generators::filter_apache_server_config_modification( $modification );
299
  }
300
-
301
  public function filter_nginx_server_config_modification( $modification ) {
302
  require_once( dirname( __FILE__ ) . '/config-generators.php' );
303
-
304
  return ITSEC_WordPress_Tweaks_Config_Generators::filter_nginx_server_config_modification( $modification );
305
  }
306
-
307
  public function filter_litespeed_server_config_modification( $modification ) {
308
  require_once( dirname( __FILE__ ) . '/config-generators.php' );
309
-
310
  return ITSEC_WordPress_Tweaks_Config_Generators::filter_litespeed_server_config_modification( $modification );
311
  }
312
  }
2
 
3
  final class ITSEC_WordPress_Tweaks {
4
  private static $instance = false;
5
+
6
  private $config_hooks_added = false;
7
  private $settings;
8
  private $first_xmlrpc_credentials;
9
+
10
+
11
  private function __construct() {
12
  $this->init();
13
  }
14
+
15
  public static function get_instance() {
16
  if ( ! self::$instance ) {
17
  self::$instance = new self;
18
  }
19
+
20
  return self::$instance;
21
  }
22
+
23
  public static function activate() {
24
  $self = self::get_instance();
25
+
26
  $self->add_config_hooks();
27
  ITSEC_Response::regenerate_server_config();
28
  ITSEC_Response::regenerate_wp_config();
29
  }
30
+
31
  public static function deactivate() {
32
  $self = self::get_instance();
33
+
34
  $self->remove_config_hooks();
35
  ITSEC_Response::regenerate_server_config();
36
  ITSEC_Response::regenerate_wp_config();
37
  }
38
+
39
  public function add_config_hooks() {
40
  if ( $this->config_hooks_added ) {
41
  return;
42
  }
43
+
44
  add_filter( 'itsec_filter_apache_server_config_modification', array( $this, 'filter_apache_server_config_modification' ) );
45
  add_filter( 'itsec_filter_nginx_server_config_modification', array( $this, 'filter_nginx_server_config_modification' ) );
46
  add_filter( 'itsec_filter_litespeed_server_config_modification', array( $this, 'filter_litespeed_server_config_modification' ) );
47
  add_filter( 'itsec_filter_wp_config_modification', array( $this, 'filter_wp_config_modification' ) );
48
+
49
  $this->config_hooks_added = true;
50
  }
51
+
52
  public function remove_config_hooks() {
53
  remove_filter( 'itsec_filter_apache_server_config_modification', array( $this, 'filter_apache_server_config_modification' ) );
54
  remove_filter( 'itsec_filter_nginx_server_config_modification', array( $this, 'filter_nginx_server_config_modification' ) );
55
  remove_filter( 'itsec_filter_litespeed_server_config_modification', array( $this, 'filter_litespeed_server_config_modification' ) );
56
  remove_filter( 'itsec_filter_wp_config_modification', array( $this, 'filter_wp_config_modification' ) );
57
+
58
  $this->config_hooks_added = false;
59
  }
60
+
61
  public function init() {
62
  $this->add_config_hooks();
63
 
122
  $username,
123
  $password
124
  );
125
+
126
+ return $filter_val;
127
  }
128
+
129
  if ( $username === $this->first_xmlrpc_credentials[0] && $password === $this->first_xmlrpc_credentials[1] ) {
130
+ return $filter_val;
131
  }
132
+
133
  status_header( 405 );
134
  header( 'Content-Type: text/plain' );
135
  die( __( 'XML-RPC services are disabled on this site.' ) );
217
  */
218
  function store_jquery_version() {
219
  global $wp_scripts;
220
+
221
  if ( ( is_home() || is_front_page() ) && is_user_logged_in() ) {
222
  $stored_jquery_version = ITSEC_Modules::get_setting( 'wordpress-tweaks', 'jquery_version' );
223
  $current_jquery_version = $wp_scripts->registered['jquery']->ver;
224
+
225
  if ( $current_jquery_version !== $stored_jquery_version ) {
226
  ITSEC_Modules::set_setting( 'wordpress-tweaks', 'jquery_version', $current_jquery_version );
227
  }
288
 
289
  public function filter_wp_config_modification( $modification ) {
290
  require_once( dirname( __FILE__ ) . '/config-generators.php' );
291
+
292
  return ITSEC_WordPress_Tweaks_Config_Generators::filter_wp_config_modification( $modification );
293
  }
294
+
295
  public function filter_apache_server_config_modification( $modification ) {
296
  require_once( dirname( __FILE__ ) . '/config-generators.php' );
297
+
298
  return ITSEC_WordPress_Tweaks_Config_Generators::filter_apache_server_config_modification( $modification );
299
  }
300
+
301
  public function filter_nginx_server_config_modification( $modification ) {
302
  require_once( dirname( __FILE__ ) . '/config-generators.php' );
303
+
304
  return ITSEC_WordPress_Tweaks_Config_Generators::filter_nginx_server_config_modification( $modification );
305
  }
306
+
307
  public function filter_litespeed_server_config_modification( $modification ) {
308
  require_once( dirname( __FILE__ ) . '/config-generators.php' );
309
+
310
  return ITSEC_WordPress_Tweaks_Config_Generators::filter_litespeed_server_config_modification( $modification );
311
  }
312
  }
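--- a/history.txt
+++ b/history.txt
@@ -542,3 +542,13 @@
 Code Cleanup: Removed legacy code that is no longer needed.
 Enhancement: Started tracking when a user was last seen as logged in and active for future use.
 Misc: Added a placeholder for the Pro feature "User Security Check".
+5.6.2 - 2016-09-27 - Chris Jean
+Security Fix: Fixed issue where a locked out but not yet blacklisted IP/user could receive different HTTP headers when testing a valid username/password combination. Thanks Leon Atkinson of 18INT for contacting us about this issue.
+Security Fix: Updated log output to prevent specific kinds of logged requests from displaying without sanitization. Thanks to Slavco Mihajloski for contacting us about this issue.
+Bug Fix: The Security > Security Check link now works as expected in multisite.
+Bug Fix: Fixed bug that could prevent the "Filter Long URL Strings" feature from working properly.
+Bug Fix: Removed restrictions in the "Filter Long URL Strings" feature that were unrelated to request length.
+Bug Fix: Corrected a settings description typo in Global Settings.
+Bug Fix: Fixed bug that could result in issues authenticating over XML-RPC when the WordPress Tweaks > Multiple Authentication Attempts per XML-RPC Request setting is set to "Block".
+Misc: Added placeholder for the Version Management module of iThemes Security Pro.
+Misc: Updated build number to trigger some updates.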
readme.txt CHANGED
@@ -1,9 +1,9 @@
1
  === iThemes Security (formerly Better WP Security) ===
2
- Contributors: ithemes, chrisjean, aaroncampbell, gerroald, mattdanner
3
  Tags: security, security plugin, malware, hack, secure, block, SSL, admin, htaccess, lockdown, login, protect, protection, anti virus, attack, injection, login security, maintenance, permissions, prevention, authentication, administration, password, brute force, ban, permissions, bots, user agents, xml rpc, security log
4
  Requires at least: 4.1
5
- Tested up to: 4.6
6
- Stable tag: 5.6.1
7
  License: GPLv2 or later
8
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
9
 
@@ -188,6 +188,17 @@ Free support may be available with the help of the community in the <a href="htt
188
 
189
  == Changelog ==
190
 
 
 
 
 
 
 
 
 
 
 
 
191
  = 5.6.1 =
192
  * Bug Fix: Fixed a potential logging issue that could prevent some lockout notices from being properly logged on non-English sites.
193
  * Bug Fix: Prevented some notices from displaying to users who do not need to see them.
@@ -1568,6 +1579,9 @@ This release is a complete rewrite from the ground up. Special thanks to Cory Mi
1568
 
1569
  == Upgrade Notice ==
1570
 
 
 
 
1571
  = 5.6.1 =
1572
  Version 5.6.1 contains bug fixes and PHP 7 compatibility changes. It is recommended for all users.
1573
 
1
  === iThemes Security (formerly Better WP Security) ===
2
+ Contributors: ithemes, chrisjean, gerroald, mattdanner
3
  Tags: security, security plugin, malware, hack, secure, block, SSL, admin, htaccess, lockdown, login, protect, protection, anti virus, attack, injection, login security, maintenance, permissions, prevention, authentication, administration, password, brute force, ban, permissions, bots, user agents, xml rpc, security log
4
  Requires at least: 4.1
5
+ Tested up to: 4.6.1
6
+ Stable tag: 5.6.2
7
  License: GPLv2 or later
8
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
9
 
188
 
189
  == Changelog ==
190
 
191
+ = 5.6.2 =
192
+ * Security Fix: Fixed issue where a locked out but not yet blacklisted IP/user could receive different HTTP headers when testing a valid username/password combination. Thanks Leon Atkinson of 18INT for contacting us about this issue.
193
+ * Security Fix: Updated log output to prevent specific kinds of logged requests from displaying without sanitization. Thanks to Slavco Mihajloski for contacting us about this issue.
194
+ * Bug Fix: The Security > Security Check link now works as expected in multisite.
195
+ * Bug Fix: Fixed bug that could prevent the "Filter Long URL Strings" feature from working properly.
196
+ * Bug Fix: Removed restrictions in the "Filter Long URL Strings" feature that were unrelated to request length.
197
+ * Bug Fix: Corrected a settings description typo in Global Settings.
198
+ * Bug Fix: Fixed bug that could result in issues authenticating over XML-RPC when the WordPress Tweaks > Multiple Authentication Attempts per XML-RPC Request setting is set to "Block".
199
+ * Misc: Added placeholder for the Version Management module of iThemes Security Pro.
200
+ * Misc: Updated build number to trigger some updates.
201
+
202
  = 5.6.1 =
203
  * Bug Fix: Fixed a potential logging issue that could prevent some lockout notices from being properly logged on non-English sites.
204
  * Bug Fix: Prevented some notices from displaying to users who do not need to see them.
1579
 
1580
  == Upgrade Notice ==
1581
 
1582
+ = 5.6.2 =
1583
+ Version 5.6.2 contains important security updates and bug fixes. It is important to update immediately.
1584
+
1585
  = 5.6.1 =
1586
  Version 5.6.1 contains bug fixes and PHP 7 compatibility changes. It is recommended for all users.
1587