Version Description
- Bug Fix: Fixed situation that could cause lockout notifications being sent for whitelisted IPs.
- Bug Fix: Fixed issue where saving Global Settings would be blocked by an unwritable "Path to Log Files" path when the "Log Type" is set to "Database Only".
- Bug Fix: Fixed issue that prevented log database entries from purging and log file entries from rotating on a schedule.
Download this release
Release Info
| Developer | chrisjean |
| Plugin |  iThemes Security (formerly Better WP Security) |
| Version | 6.9.2 |
| Comparing to | |
| See all releases | |
Code changes from version 6.9.1 to 6.9.2
- better-wp-security.php +1 -1
- core/core.php +1 -1
- core/history.txt +5 -1
- core/lib/log.php +72 -0
- core/lockout.php +1 -0
- core/modules/global/validator.php +5 -4
- core/setup.php +1 -1
- history.txt +5 -1
- readme.txt +9 -4
better-wp-security.php
CHANGED
|
@@ -6,7 +6,7 @@
|
|
| 6 |
* Description: Take the guesswork out of WordPress security. iThemes Security offers 30+ ways to lock down WordPress in an easy-to-use WordPress security plugin.
|
| 7 |
* Author: iThemes
|
| 8 |
* Author URI: https://ithemes.com
|
| 9 |
-
* Version: 6.9.
|
| 10 |
* Text Domain: better-wp-security
|
| 11 |
* Network: True
|
| 12 |
* License: GPLv2
|
| 6 |
* Description: Take the guesswork out of WordPress security. iThemes Security offers 30+ ways to lock down WordPress in an easy-to-use WordPress security plugin.
|
| 7 |
* Author: iThemes
|
| 8 |
* Author URI: https://ithemes.com
|
| 9 |
+
* Version: 6.9.2
|
| 10 |
* Text Domain: better-wp-security
|
| 11 |
* Network: True
|
| 12 |
* License: GPLv2
|
core/core.php
CHANGED
|
@@ -24,7 +24,7 @@ if ( ! class_exists( 'ITSEC_Core' ) ) {
|
|
| 24 |
*
|
| 25 |
* @access private
|
| 26 |
*/
|
| 27 |
-
private $plugin_build =
|
| 28 |
|
| 29 |
/**
|
| 30 |
* Used to distinguish between a user modifying settings and the API modifying settings (such as from Sync
|
| 24 |
*
|
| 25 |
* @access private
|
| 26 |
*/
|
| 27 |
+
private $plugin_build = 4087;
|
| 28 |
|
| 29 |
/**
|
| 30 |
* Used to distinguish between a user modifying settings and the API modifying settings (such as from Sync
|
core/history.txt
CHANGED
|
@@ -645,6 +645,10 @@
|
|
| 645 |
Bug Fix: Cannot use object of type WP_Error as array in Malware Scanner.
|
| 646 |
Bug Fix: Reordered loading of logging class to allow for logging earlier.
|
| 647 |
4.1.4 - 2018-03-01 - Chris Jean & Timothy Jacobs
|
| 648 |
-
Security Fix: Fixed display of unescaped data on logs page.
|
| 649 |
Enhancement: The logging system now differentiates between WP-CLI commands, WP-Cron scheduled events, and normal page requests.
|
| 650 |
Bug Fix: Fixed the File Change scanner in that it previously could fail to exclude selected directories on some systems.
|
|
|
|
|
|
|
|
|
|
|
|
| 645 |
Bug Fix: Cannot use object of type WP_Error as array in Malware Scanner.
|
| 646 |
Bug Fix: Reordered loading of logging class to allow for logging earlier.
|
| 647 |
4.1.4 - 2018-03-01 - Chris Jean & Timothy Jacobs
|
| 648 |
+
Security Fix: Fixed display of unescaped data on logs page. Thanks to Paweł Kuryłowicz from SecuRing for finding and reporting this issue.
|
| 649 |
Enhancement: The logging system now differentiates between WP-CLI commands, WP-Cron scheduled events, and normal page requests.
|
| 650 |
Bug Fix: Fixed the File Change scanner in that it previously could fail to exclude selected directories on some systems.
|
| 651 |
+
4.1.5 - 2018-03-06 - Chris Jean & Timothy Jacobs
|
| 652 |
+
Bug Fix: Fixed situation that could cause lockout notifications being sent for whitelisted IPs.
|
| 653 |
+
Bug Fix: Fixed issue where saving Global Settings would be blocked by an unwritable "Path to Log Files" path when the "Log Type" is set to "Database Only".
|
| 654 |
+
Bug Fix: Fixed issue that prevented log database entries from purging and log file entries from rotating on a schedule.
|
core/lib/log.php
CHANGED
|
@@ -107,6 +107,8 @@ final class ITSEC_Log {
|
|
| 107 |
self::add_to_file( $data, $id );
|
| 108 |
}
|
| 109 |
|
|
|
|
|
|
|
| 110 |
return $id;
|
| 111 |
}
|
| 112 |
|
|
@@ -245,4 +247,74 @@ final class ITSEC_Log {
|
|
| 245 |
'process-start' => esc_html__( 'Process', 'better-wp-security' ),
|
| 246 |
);
|
| 247 |
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 248 |
}
|
|
|
|
|
|
|
|
|
| 107 |
self::add_to_file( $data, $id );
|
| 108 |
}
|
| 109 |
|
| 110 |
+
do_action( 'itsec_log_add', $data, $id, $log_type );
|
| 111 |
+
|
| 112 |
return $id;
|
| 113 |
}
|
| 114 |
|
| 247 |
'process-start' => esc_html__( 'Process', 'better-wp-security' ),
|
| 248 |
);
|
| 249 |
}
|
| 250 |
+
|
| 251 |
+
public static function register_events( $scheduler ) {
|
| 252 |
+
$scheduler->schedule( ITSEC_Scheduler::S_DAILY, 'purge-log-entries' );
|
| 253 |
+
}
|
| 254 |
+
|
| 255 |
+
public static function purge_entries() {
|
| 256 |
+
global $wpdb;
|
| 257 |
+
|
| 258 |
+
$database_entry_expiration = date( 'Y-m-d H:i:s', ITSEC_Core::get_current_time_gmt() - ( ITSEC_Modules::get_setting( 'global', 'log_rotation' ) * DAY_IN_SECONDS ) );
|
| 259 |
+
$query = $wpdb->prepare( "DELETE FROM `{$wpdb->base_prefix}itsec_logs` WHERE timestamp<%s", $database_entry_expiration );
|
| 260 |
+
$wpdb->query( $query );
|
| 261 |
+
|
| 262 |
+
|
| 263 |
+
$log_type = ITSEC_Modules::get_setting( 'global', 'log_type' );
|
| 264 |
+
|
| 265 |
+
if ( 'database' !== $log_type ) {
|
| 266 |
+
self::rotate_log_files();
|
| 267 |
+
}
|
| 268 |
+
}
|
| 269 |
+
|
| 270 |
+
public static function rotate_log_files() {
|
| 271 |
+
$log = self::get_log_file_path();
|
| 272 |
+
$max_file_size = 10 * 1024 * 1024; // 10MiB
|
| 273 |
+
|
| 274 |
+
if ( ! file_exists( $log ) || filesize( $log ) < $max_file_size ) {
|
| 275 |
+
return;
|
| 276 |
+
}
|
| 277 |
+
|
| 278 |
+
|
| 279 |
+
$files = glob( "$log.*" );
|
| 280 |
+
|
| 281 |
+
foreach ( $files as $index => $file ) {
|
| 282 |
+
if ( ! preg_match( '/^' . preg_quote( $log, '/' ) . '\.\d+$/', $file ) ) {
|
| 283 |
+
unset( $files[$index] );
|
| 284 |
+
}
|
| 285 |
+
}
|
| 286 |
+
|
| 287 |
+
natsort( $files );
|
| 288 |
+
$files = array_values( $files );
|
| 289 |
+
|
| 290 |
+
$files_to_delete = array();
|
| 291 |
+
$files_to_rotate = array();
|
| 292 |
+
$max_files = apply_filters( 'itsec_log_max_log_files', 100 );
|
| 293 |
+
|
| 294 |
+
foreach ( $files as $index => $file ) {
|
| 295 |
+
$number = intval( pathinfo( $file, PATHINFO_EXTENSION ) );
|
| 296 |
+
|
| 297 |
+
if ( $number > $max_files ) {
|
| 298 |
+
$files_to_delete[] = $file;
|
| 299 |
+
} else if ( $number === $index + 1 && $number !== $max_files ) {
|
| 300 |
+
$files_to_rotate[] = $file;
|
| 301 |
+
}
|
| 302 |
+
}
|
| 303 |
+
|
| 304 |
+
array_unshift( $files_to_rotate, $log );
|
| 305 |
+
krsort( $files_to_rotate );
|
| 306 |
+
|
| 307 |
+
foreach ( $files_to_rotate as $index => $file ) {
|
| 308 |
+
rename( $file, "$log." . ( $index + 1 ) );
|
| 309 |
+
}
|
| 310 |
+
|
| 311 |
+
touch( $log );
|
| 312 |
+
|
| 313 |
+
foreach ( $files_to_delete as $file ) {
|
| 314 |
+
unlink( $file );
|
| 315 |
+
}
|
| 316 |
+
}
|
| 317 |
}
|
| 318 |
+
|
| 319 |
+
add_action( 'itsec_scheduler_register_events', array( 'ITSEC_Log', 'register_events' ) );
|
| 320 |
+
add_action( 'itsec_scheduled_purge-log-entries', array( 'ITSEC_Log', 'purge_entries' ) );
|
core/lockout.php
CHANGED
|
@@ -836,6 +836,7 @@ final class ITSEC_Lockout {
|
|
| 836 |
if ( $whitelisted ) {
|
| 837 |
// No need to send an email notice when the host is whitelisted.
|
| 838 |
ITSEC_Lib::release_lock( $lock );
|
|
|
|
| 839 |
}
|
| 840 |
|
| 841 |
|
| 836 |
if ( $whitelisted ) {
|
| 837 |
// No need to send an email notice when the host is whitelisted.
|
| 838 |
ITSEC_Lib::release_lock( $lock );
|
| 839 |
+
return;
|
| 840 |
}
|
| 841 |
|
| 842 |
|
core/modules/global/validator.php
CHANGED
|
@@ -36,18 +36,19 @@ class ITSEC_Global_Validator extends ITSEC_Validator {
|
|
| 36 |
$this->sanitize_setting( 'string', 'user_lockout_message', __( 'User Lockout Message', 'better-wp-security' ) );
|
| 37 |
$this->sanitize_setting( 'string', 'community_lockout_message', __( 'Community Lockout Message', 'better-wp-security' ) );
|
| 38 |
|
| 39 |
-
$this->sanitize_setting( 'writable-directory', 'log_location', __( 'Path to Log Files', 'better-wp-security' ) );
|
| 40 |
-
|
| 41 |
$this->sanitize_setting( 'positive-int', 'blacklist_count', __( 'Blacklist Threshold', 'better-wp-security' ) );
|
| 42 |
$this->sanitize_setting( 'positive-int', 'blacklist_period', __( 'Blacklist Lockout Period', 'better-wp-security' ) );
|
| 43 |
$this->sanitize_setting( 'positive-int', 'lockout_period', __( 'Lockout Period', 'better-wp-security' ) );
|
| 44 |
$this->sanitize_setting( 'positive-int', 'log_rotation', __( 'Days to Keep Database Logs', 'better-wp-security' ) );
|
| 45 |
|
|
|
|
|
|
|
| 46 |
$log_types = array_keys( $this->get_valid_log_types() );
|
| 47 |
$this->sanitize_setting( $log_types, 'log_type', __( 'Log Type', 'better-wp-security' ) );
|
| 48 |
|
| 49 |
-
|
| 50 |
-
|
|
|
|
| 51 |
|
| 52 |
$allowed_tags = $this->get_allowed_tags();
|
| 53 |
|
| 36 |
$this->sanitize_setting( 'string', 'user_lockout_message', __( 'User Lockout Message', 'better-wp-security' ) );
|
| 37 |
$this->sanitize_setting( 'string', 'community_lockout_message', __( 'Community Lockout Message', 'better-wp-security' ) );
|
| 38 |
|
|
|
|
|
|
|
| 39 |
$this->sanitize_setting( 'positive-int', 'blacklist_count', __( 'Blacklist Threshold', 'better-wp-security' ) );
|
| 40 |
$this->sanitize_setting( 'positive-int', 'blacklist_period', __( 'Blacklist Lockout Period', 'better-wp-security' ) );
|
| 41 |
$this->sanitize_setting( 'positive-int', 'lockout_period', __( 'Lockout Period', 'better-wp-security' ) );
|
| 42 |
$this->sanitize_setting( 'positive-int', 'log_rotation', __( 'Days to Keep Database Logs', 'better-wp-security' ) );
|
| 43 |
|
| 44 |
+
$this->sanitize_setting( 'newline-separated-ips', 'lockout_white_list', __( 'Lockout White List', 'better-wp-security' ) );
|
| 45 |
+
|
| 46 |
$log_types = array_keys( $this->get_valid_log_types() );
|
| 47 |
$this->sanitize_setting( $log_types, 'log_type', __( 'Log Type', 'better-wp-security' ) );
|
| 48 |
|
| 49 |
+
if ( 'database' !== $this->settings['log_type'] ) {
|
| 50 |
+
$this->sanitize_setting( 'writable-directory', 'log_location', __( 'Path to Log Files', 'better-wp-security' ) );
|
| 51 |
+
}
|
| 52 |
|
| 53 |
$allowed_tags = $this->get_allowed_tags();
|
| 54 |
|
core/setup.php
CHANGED
|
@@ -143,7 +143,7 @@ final class ITSEC_Setup {
|
|
| 143 |
ITSEC_Lib::schedule_cron_test();
|
| 144 |
}
|
| 145 |
|
| 146 |
-
if ( $build <
|
| 147 |
ITSEC_Core::get_scheduler()->register_events();
|
| 148 |
}
|
| 149 |
|
| 143 |
ITSEC_Lib::schedule_cron_test();
|
| 144 |
}
|
| 145 |
|
| 146 |
+
if ( $build < 4087 ) {
|
| 147 |
ITSEC_Core::get_scheduler()->register_events();
|
| 148 |
}
|
| 149 |
|
history.txt
CHANGED
|
@@ -722,6 +722,10 @@
|
|
| 722 |
Enhancement: Improved efficiency of File Change Detection scanning.
|
| 723 |
Bug Fix: Fixed issue that could register loading the logging page as a failed login attempt on some sites.
|
| 724 |
6.9.1 - 2018-03-01 - Chris Jean & Timothy Jacobs
|
| 725 |
-
Security Fix: Fixed display of unescaped data on logs page.
|
| 726 |
Enhancement: The logging system now differentiates between WP-CLI commands, WP-Cron scheduled events, and normal page requests.
|
| 727 |
Bug Fix: Fixed the File Change scanner in that it previously could fail to exclude selected directories on some systems.
|
|
|
|
|
|
|
|
|
|
|
|
| 722 |
Enhancement: Improved efficiency of File Change Detection scanning.
|
| 723 |
Bug Fix: Fixed issue that could register loading the logging page as a failed login attempt on some sites.
|
| 724 |
6.9.1 - 2018-03-01 - Chris Jean & Timothy Jacobs
|
| 725 |
+
Security Fix: Fixed display of unescaped data on logs page.
|
| 726 |
Enhancement: The logging system now differentiates between WP-CLI commands, WP-Cron scheduled events, and normal page requests.
|
| 727 |
Bug Fix: Fixed the File Change scanner in that it previously could fail to exclude selected directories on some systems.
|
| 728 |
+
6.9.2 - 2018-03-08 - Chris Jean & Timothy Jacobs
|
| 729 |
+
Bug Fix: Fixed situation that could cause lockout notifications being sent for whitelisted IPs.
|
| 730 |
+
Bug Fix: Fixed issue where saving Global Settings would be blocked by an unwritable "Path to Log Files" path when the "Log Type" is set to "Database Only".
|
| 731 |
+
Bug Fix: Fixed issue that prevented log database entries from purging and log file entries from rotating on a schedule.
|
readme.txt
CHANGED
|
@@ -3,7 +3,7 @@ Contributors: ithemes, chrisjean, gerroald, mattdanner, timothyblynjacobs
|
|
| 3 |
Tags: security, security plugin, malware, hack, secure, block, SSL, admin, htaccess, lockdown, login, protect, protection, anti virus, attack, injection, login security, maintenance, permissions, prevention, authentication, administration, password, brute force, ban, permissions, bots, user agents, xml rpc, security log
|
| 4 |
Requires at least: 4.7
|
| 5 |
Tested up to: 4.9.4
|
| 6 |
-
Stable tag: 6.9.
|
| 7 |
Requires PHP: 5.2
|
| 8 |
License: GPLv2 or later
|
| 9 |
License URI: http://www.gnu.org/licenses/gpl-2.0.html
|
|
@@ -189,8 +189,13 @@ Free support may be available with the help of the community in the <a href="htt
|
|
| 189 |
|
| 190 |
== Changelog ==
|
| 191 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 192 |
= 6.9.1 =
|
| 193 |
-
* Security Fix: Fixed display of unescaped data on logs page.
|
| 194 |
* Enhancement: The logging system now differentiates between WP-CLI commands, WP-Cron scheduled events, and normal page requests.
|
| 195 |
* Bug Fix: Fixed the File Change scanner in that it previously could fail to exclude selected directories on some systems.
|
| 196 |
|
|
@@ -411,5 +416,5 @@ Free support may be available with the help of the community in the <a href="htt
|
|
| 411 |
|
| 412 |
== Upgrade Notice ==
|
| 413 |
|
| 414 |
-
= 6.9.
|
| 415 |
-
Version 6.9.
|
| 3 |
Tags: security, security plugin, malware, hack, secure, block, SSL, admin, htaccess, lockdown, login, protect, protection, anti virus, attack, injection, login security, maintenance, permissions, prevention, authentication, administration, password, brute force, ban, permissions, bots, user agents, xml rpc, security log
|
| 4 |
Requires at least: 4.7
|
| 5 |
Tested up to: 4.9.4
|
| 6 |
+
Stable tag: 6.9.2
|
| 7 |
Requires PHP: 5.2
|
| 8 |
License: GPLv2 or later
|
| 9 |
License URI: http://www.gnu.org/licenses/gpl-2.0.html
|
| 189 |
|
| 190 |
== Changelog ==
|
| 191 |
|
| 192 |
+
= 6.9.2 =
|
| 193 |
+
* Bug Fix: Fixed situation that could cause lockout notifications being sent for whitelisted IPs.
|
| 194 |
+
* Bug Fix: Fixed issue where saving Global Settings would be blocked by an unwritable "Path to Log Files" path when the "Log Type" is set to "Database Only".
|
| 195 |
+
* Bug Fix: Fixed issue that prevented log database entries from purging and log file entries from rotating on a schedule.
|
| 196 |
+
|
| 197 |
= 6.9.1 =
|
| 198 |
+
* Security Fix: Fixed display of unescaped data on logs page.
|
| 199 |
* Enhancement: The logging system now differentiates between WP-CLI commands, WP-Cron scheduled events, and normal page requests.
|
| 200 |
* Bug Fix: Fixed the File Change scanner in that it previously could fail to exclude selected directories on some systems.
|
| 201 |
|
| 416 |
|
| 417 |
== Upgrade Notice ==
|
| 418 |
|
| 419 |
+
= 6.9.2 =
|
| 420 |
+
Version 6.9.2 contains various bug fixes. It is recommended for all users.
|
