iThemes Security (formerly Better WP Security) - Version 6.2.1

Version Description

  • Bug Fix: When a requesting IP address cannot be found, default to 127.0.0.1. This fixes issues with some alternate cron setups.
    • Bug Fix: Having more than one iThemes Security modification in a .htaccess, nginx.conf, or wp-config.php file will no longer result in having all the file content between each section removed when updating the file.
    • Bug Fix: Modifications to the wp-config.php file added by W3 Total Cache now have their Windows-style newlines preserved when iThemes Security updates the file.

Release Info

Developer chrisjean
Version 6.2.1

Code changes from version 6.2.0 to 6.2.1

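--- a/better-wp-security.php
+++ b/better-wp-security.php
@@ -6,7 +6,7 @@
  * Description: Take the guesswork out of WordPress security. iThemes Security offers 30+ ways to lock down WordPress in an easy-to-use WordPress security plugin.
  * Author: iThemes
  * Author URI: https://ithemes.com
- * Version: 6.2.0
+ * Version: 6.2.1
  * Text Domain: better-wp-security
  * Network: True
  * License: GPLv2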
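--- a/core/class-itsec-core.php
+++ b/core/class-itsec-core.php
@@ -547,5 +547,54 @@ if ( ! class_exists( 'ITSEC_Core' ) ) {
 
  return $self->doing_data_upgrade;
  }
+
+ public static function is_ajax_request() {
+ return defined( 'DOING_AJAX' ) && DOING_AJAX;
+ }
+
+ public static function is_xmlrpc_request() {
+ return defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST;
+ }
+
+ public static function is_rest_api_request() {
+ if ( isset( $GLOBALS['__itsec_core_is_rest_api_request'] ) ) {
+ return $GLOBALS['__itsec_core_is_rest_api_request'];
+ }
+
+ if ( ! function_exists( 'rest_get_url_prefix' ) ) {
+ $GLOBALS['__itsec_core_is_rest_api_request'] = false;
+ return false;
+ }
+
+ if ( defined( 'REST_REQUEST' ) && REST_REQUEST ) {
+ $GLOBALS['__itsec_core_is_rest_api_request'] = true;
+ return true;
+ }
+
+ $home_path = parse_url( get_option( 'home' ), PHP_URL_PATH );
+ $home_path = trim( $home_path, '/' );
+
+ $rest_api_path = "/$home_path/" . rest_get_url_prefix() . '/';
+
+ if ( 0 === strpos( $_SERVER['REQUEST_URI'], $rest_api_path ) ) {
+ $GLOBALS['__itsec_core_is_rest_api_request'] = true;
+ return true;
+ }
+
+ $GLOBALS['__itsec_core_is_rest_api_request'] = false;
+ return false;
+ }
+
+ public static function is_api_request( $include_ajax = true ) {
+ if ( $include_ajax && self::is_ajax_request() ) {
+ return true;
+ }
+
+ if ( self::is_rest_api_request() || self::is_xmlrpc_request() ) {
+ return true;
+ }
+
+ return false;
+ }
  }
  }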
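Review bot: In is_rest_api_request(), the URI fallback builds `$rest_api_path` as `"/$home_path/" . …`, so a site whose home URL has no path (parse_url() yields null, trim() yields '') gets `//wp-json/` and a request to `/wp-json/…` never matches; `$_SERVER['REQUEST_URI']` is also read without an isset() guard, which raises a notice under CLI/cron where it is absent. Something like `$request_uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';` together with `$rest_api_path = '/' . ( '' === $home_path ? '' : "$home_path/" ) . rest_get_url_prefix() . '/';` covers both. The method also deserves a comment stating that the prefix match is driven by the client-supplied request URI, so the result describes the request's shape and must not be the sole basis for an authorization decision — is_api_request() only uses it to decide whether to skip work, which is fine. ITSEC_Core's class body continues outside the hunk.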
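--- a/core/class-itsec-lib.php
+++ b/core/class-itsec-lib.php
@@ -369,6 +369,12 @@ final class ITSEC_Lib {
  }
  }
 
+ if ( empty( $ip ) ) {
+ // If an IP is not found, force it to a localhost IP that would not be blacklisted as this typically
+ // indicates a local request that does not provide the localhost IP.
+ $ip = '127.0.0.1';
+ }
+
  $GLOBALS['__itsec_remote_ip'] = (string) $ip;
 
  return $GLOBALS['__itsec_remote_ip'];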
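Review bot: The new `if ( empty( $ip ) )` block classifies every request whose address could not be determined as 127.0.0.1, and its own comment says that address will not be blacklisted; the enclosing method starts above the hunk, so it is not visible here whether `$ip` can also be empty for a genuine remote request (for example when a configured proxy header is missing or unparseable). If it can, such requests would likewise be exempt from any IP-keyed lockout, which is a wider effect than the cron case the commit describes. If the intent is only the no-client case, tightening the guard to `if ( empty( $ip ) && empty( $_SERVER['REMOTE_ADDR'] ) ) {` keeps remote requests out of the loopback path; otherwise the comment should state the consequence explicitly, e.g. `// NOTE: a request that reaches this branch is treated as local and is therefore exempt from IP-based lockouts.`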
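--- a/core/history.txt
+++ b/core/history.txt
@@ -505,3 +505,7 @@
  Bug Fix: Fixed issue that could cause improper database table creation on multisite sites.
  3.1.1 - 2017-03-14 - Chris Jean
  Bug Fix: Fixed a bug that could prevent settings from saving properly if the site was migrated to a new server or a new home path on the server.
+ 3.1.2 - 2017-03-23 - Chris Jean
+ Bug Fix: When a requesting IP address cannot be found, default to 127.0.0.1. This fixes issues with some alternate cron setups.
+ Bug Fix: Having more than one iThemes Security modification in a .htaccess, nginx.conf, or wp-config.php file will no longer result in having all the file content between each section removed when updating the file.
+ Bug Fix: Modifications to the wp-config.php file added by W3 Total Cache now have their Windows-style newlines preserved when iThemes Security updates the file.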
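--- a/core/lib/class-itsec-lib-config-file.php
+++ b/core/lib/class-itsec-lib-config-file.php
@@ -367,26 +367,7 @@ class ITSEC_Lib_Config_File {
 
  // Remove matched content.
  foreach ( $patterns as $pattern ) {
- // Look for the first beginning tag
- preg_match( "/\s*{$pattern['begin']}/i", $contents, $matches, PREG_OFFSET_CAPTURE );
-
- // If the BEGIN string was matched
- if ( ! empty( $matches ) && ! empty( $matches[0] ) ) {
- $begin = $matches[0][1];
-
- // Look for ALL end tags that occur after the BEGIN tag
- preg_match_all( "/\s*{$pattern['end']}[^\r\n]*\s*/i", $contents, $matches, PREG_OFFSET_CAPTURE, $begin );
-
- // If the END string was matched
- if ( ! empty( $matches ) && ! empty( $matches[0] ) ) {
- // We want the last occurrence of the END tag
- $last_match = array_pop( $matches[0] );
- // The end position should be the location of the end tag + the length of the end tag
- $end = $last_match[1] + strlen( $last_match[0] );
- // We have a start and end, so let's replace with our placeholder
- $contents = substr_replace( $contents, "$line_ending$placeholder", $begin, $end - $begin );
- }
- }
+ $contents = preg_replace( "/\s*{$pattern['begin']}.+?{$pattern['end']}[^\r\n]*\s*/is", "$line_ending$placeholder", $contents );
  }
 
 
@@ -428,6 +409,20 @@ class ITSEC_Lib_Config_File {
  $contents = preg_replace( "/$placeholder/", "$line_ending$line_ending", $contents );
 
 
+ // Fix potentially damaged Windows-style newlines for W3 Total Cache modifications
+ $translated_w3tc_comment = __( 'Added by W3 Total Cache', 'w3-total-cache' );
+
+ if ( preg_match_all( '/[^\r\n]+(?:W3 Total Cache|' . preg_quote( $translated_w3tc_comment, '/' ) . ').*?(?:\r\n|\r|\n)/', $contents, $matches ) ) {
+ foreach ( $matches[0] as $match ) {
+ $new_line = rtrim( $match ) . "\r\n";
+
+ if ( $new_line !== $match ) {
+ $contents = str_replace( $match, $new_line, $contents );
+ }
+ }
+ }
+
+
  return $contents;
  }
 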
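Review bot: In the first hunk, the single `preg_replace()` that now replaces the begin/end scan never checks its return value: on a PCRE failure (the lazy `.+?` under the `s` modifier can hit the backtrack limit on a large file) it returns null, so `$contents` is null for the rest of the method, the later `preg_replace( "/$placeholder/", … )` turns that into an empty string, and unless the caller guards against it the rewritten wp-config.php/.htaccess could be written out empty. Guard the call, e.g. `$contents = preg_replace( …, $contents ); if ( null === $contents ) { return false; }` — using whatever value this method's callers already treat as failure; the method begins and ends outside both hunks. The `preg_match_all()` in the second hunk has the same gap: it returns false on error and the newline repair is then skipped silently, so checking `preg_last_error()` there is worth it too. Also, `$pattern['begin']` and `$pattern['end']` are interpolated into the pattern verbatim (as before the change); if they are literal markers rather than regex fragments they should pass through `preg_quote( …, '/' )`.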
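--- /dev/null
+++ b/core/lock.php
@@ -0,0 +1,47 @@
+ <?php
+
+ final class ITSEC_Lock {
+ public static function get( $name, $expiration = HOUR_IN_SECONDS, $allow_api_request = false ) {
+ global $wpdb;
+
+ if ( ! $allow_api_request && ITSEC_Core::is_api_request() ) {
+ return false;
+ }
+
+ $lock = "itsec-lock-$name";
+ $now = time();
+
+ if ( ! empty( $wpdb->sitemeta ) ) {
+ $result = $wpdb->query( $wpdb->prepare( "INSERT IGNORE INTO `$wpdb->sitemeta` (`site_id`, `meta_key`, `meta_value`) VALUES (%d, %s, %s) /* LOCK */", $wpdb->siteid, $lock, $now ) );
+ } else {
+ $result = $wpdb->query( $wpdb->prepare( "INSERT IGNORE INTO `$wpdb->options` (`option_name`, `option_value`, `autoload`) VALUES (%s, %s, 'no') /* LOCK */", $lock, $now ) );
+ }
+
+ if ( ! $result ) {
+ // The lock exists. See if it has expired.
+
+ $locked = get_site_option( $lock );
+
+ if ( ! $locked ) {
+ // Can't write or read the lock. Bail due to an unknown and hopefully temporary error.
+ return false;
+ }
+
+ if ( $locked > $now - $expiration ) {
+ // The lock still exists and has not expired.
+ return false;
+ }
+ }
+
+ // Ensure that the lock is set properly by triggering all the regular actions and filters.
+ update_site_option( $lock, $now );
+
+ return true;
+ }
+
+ public static function remove( $name ) {
+ $lock = "itsec-lock-$name";
+
+ delete_site_option( $lock );
+ }
+ }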
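--- a/history.txt
+++ b/history.txt
@@ -623,3 +623,7 @@
  Bug Fix: Enabling or disabling the Hide Backend feature now properly updates the .htaccess/nginx.conf file on enable and disable rather than at some future point.
  Bug Fix: Fixed issue that could cause improper database table creation on multisite sites.
  Bug Fix: Fixed a bug that could prevent settings from saving properly if the site was migrated to a new server or a new home path on the server.
+ 6.2.1 - 2017-03-23 - Chris Jean
+ Bug Fix: When a requesting IP address cannot be found, default to 127.0.0.1. This fixes issues with some alternate cron setups.
+ Bug Fix: Having more than one iThemes Security modification in a .htaccess, nginx.conf, or wp-config.php file will no longer result in having all the file content between each section removed when updating the file.
+ Bug Fix: Modifications to the wp-config.php file added by W3 Total Cache now have their Windows-style newlines preserved when iThemes Security updates the file.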
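--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: ithemes, chrisjean, gerroald, mattdanner
  Tags: security, security plugin, malware, hack, secure, block, SSL, admin, htaccess, lockdown, login, protect, protection, anti virus, attack, injection, login security, maintenance, permissions, prevention, authentication, administration, password, brute force, ban, permissions, bots, user agents, xml rpc, security log
  Requires at least: 4.5
  Tested up to: 4.7.3
- Stable tag: 6.2.0
+ Stable tag: 6.2.1
  License: GPLv2 or later
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -188,6 +188,11 @@ Free support may be available with the help of the community in the <a href="htt
 
  == Changelog ==
 
+ = 6.2.1 =
+ * Bug Fix: When a requesting IP address cannot be found, default to 127.0.0.1. This fixes issues with some alternate cron setups.
+ * Bug Fix: Having more than one iThemes Security modification in a .htaccess, nginx.conf, or wp-config.php file will no longer result in having all the file content between each section removed when updating the file.
+ * Bug Fix: Modifications to the wp-config.php file added by W3 Total Cache now have their Windows-style newlines preserved when iThemes Security updates the file.
+
  = 6.2.0 =
  * Enhancement: Improved plugin performance by reducing the number of queries made on each page.
  * Enhancement: Reduced memory and CPU usage due to various code improvements.
@@ -1661,5 +1666,5 @@ This release is a complete rewrite from the ground up. Special thanks to Cory Mi
 
  == Upgrade Notice ==
 
- = 6.2.0 =
- Version 6.2.0 greatly improves performance and fixes numerous bugs. It is recommended for all users.
+ = 6.2.1 =
+ Version 6.2.1 contains important bug fixes. It is recommended for all users.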