BulletProof Security - Version 2.6

Developer AITpro
Version 2.6

Code changes from version 2.5 to 2.6

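--- a/admin/htaccess/secure.htaccess
+++ b/admin/htaccess/secure.htaccess
@@ -1,4 +1,4 @@
-# BULLETPROOF 2.5 SECURE .HTACCESS
+# BULLETPROOF 2.6 SECURE .HTACCESS
 
 # PHP/PHP.INI HANDLER/CACHE CODE
 # Use BPS Custom Code to add php/php.ini Handler and Cache htaccess code and to save it permanently.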
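--- a/admin/htaccess/wpadmin-secure.htaccess
+++ b/admin/htaccess/wpadmin-secure.htaccess
@@ -1,4 +1,4 @@
-# BULLETPROOF 2.5 WP-ADMIN SECURE .HTACCESS
+# BULLETPROOF 2.6 WP-ADMIN SECURE .HTACCESS
 
 # DO NOT ADD URL REWRITING IN THIS FILE OR WORDPRESS WILL BREAK
 # RewriteRule ^(.*)$ - [F] works in /wp-admin without breaking WordPress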
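--- a/admin/mscan/mscan.php
+++ b/admin/mscan/mscan.php
@@ -77,6 +77,16 @@ $bps_wpcontent_dir = str_replace( ABSPATH, '', WP_CONTENT_DIR );
 $wp_upload_dir = wp_upload_dir();
 $bps_uploads_dir = str_replace( ABSPATH, '', $wp_upload_dir['basedir'] );
 
+function bpsPro_mscan_openbasedir_check() {
+
+$open_basedir = ini_get('open_basedir');
+
+if ( $open_basedir != '' ) {
+$text = '<div style="background-color:#dfecf2;padding:5px;margin-bottom:10px;border:1px solid #999;-moz-border-radius-topleft:3px;-webkit-border-top-left-radius:3px;-khtml-border-top-left-radius:3px;border-top-left-radius:3px;-moz-border-radius-topright:3px;-webkit-border-top-right-radius:3px;-khtml-border-top-right-radius:3px;border-top-right-radius:3px;-webkit-box-shadow: 3px 3px 5px -1px rgba(153,153,153,0.7);-moz-box-shadow: 3px 3px 5px -1px rgba(153,153,153,0.7);box-shadow: 3px 3px 5px -1px rgba(153,153,153,0.7);"><font color="blue"><strong>'.__('The open_basedir php.ini directive is enabled on your website/server. MScan scans will take 6 times longer to complete when open_basedir is enabled, the estimated scan time caculations will not be correct and the MScan Progress Bar will not be accurate when open_basedir is enabled. New estimated scan time calculations are pending in a future version of BPS to accomodate open_basedir if you would like to continue to use open_basedir. Recommendation: disable open_basedir in your server php.ini file or custom php.ini file.', 'bulletproof-security').'</strong></font></div>';
+echo $text;
+}
+}
+
 ?>
 
 </div>
@@ -686,6 +696,8 @@ function MScanTimer() {
 </form>
 </div>
 
+<?php bpsPro_mscan_openbasedir_check(); ?>
+
 <div id="bps-accordion-1" class="bps-accordion-main-2" style="margin:0px 0px 20px 0px;display:none">
 <h3 id="mscan-accordion-1"><?php _e('MScan Options & Tools', 'bulletproof-security'); ?></h3>
 <div id="mscan-accordion-inner">
@@ -714,20 +726,24 @@ if ( isset( $_POST['Submit-MScan-Options'] ) && current_user_can('manage_options
 }
 }
 
-$source = $_SERVER['DOCUMENT_ROOT'];
-
+$raw_source = $_SERVER['DOCUMENT_ROOT'];
+$source = realpath($raw_source);
+
 if ( is_dir($source) ) {
 
 $iterator = new DirectoryIterator($source);
 $dir_array = array();
 
 foreach ( $iterator as $files ) {
-
-if ( $files->isDir() && ! $files->isDot() ) {
-
-if ( ! empty( $files ) ) {
-$dir_array[] = $files->getFilename();
+try {
+if ( $files->isDir() && ! $files->isDot() ) {
+
+if ( ! empty( $files ) ) {
+$dir_array[] = $files->getFilename();
+}
 }
+} catch (RuntimeException $e) {
+// pending error message or log entry after Beta Testing is completed
 }
 }
 
@@ -794,7 +810,8 @@ if ( isset( $_POST['Submit-MScan-Options'] ) && current_user_can('manage_options
 // Update the bps_mscan_dirs db option for use in the MscanOptions Form.
 function bpsPro_save_mscan_options() {
 
-$source = $_SERVER['DOCUMENT_ROOT'];
+$raw_source = $_SERVER['DOCUMENT_ROOT'];
+$source = realpath($raw_source);
 
 if ( is_dir($source) ) {
 
@@ -803,15 +820,18 @@ function bpsPro_save_mscan_options() {
 $dir_array = array();
 
 foreach ( $iterator as $files ) {
-
-if ( $files->isDir() && ! $files->isDot() ) {
-
-if ( ! empty( $files ) ) {
-$dir_array[] = $files->getFilename();
+try {
+if ( $files->isDir() && ! $files->isDot() ) {
+
+if ( ! empty( $files ) ) {
+$dir_array[] = $files->getFilename();
+}
 }
+} catch (RuntimeException $e) {
+// pending error message or log entry after Beta Testing is completed
 }
 }
-
+
 $dir_flip = array_flip($dir_array);
 
 // replace values in the flipped array, good for bulk replacing all values. ie all dirs found.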
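Review bot: The `catch (RuntimeException $e)` added at new line 745 has an empty body, so a directory entry whose stat fails (the open_basedir case this release targets) is dropped from `$dir_array` with no record, and the bps_mscan_dirs option built from that array silently loses the directory; the same empty catch is added in `bpsPro_save_mscan_options` below (new line 830), in `includes/general-functions.php` and twice in `includes/mscan-ajax-functions.php`. Until the pending message is written, a single line such as `error_log( 'MScan: skipped ' . $files->getFilename() . ': ' . $e->getMessage() );` in the catch would keep the skip visible to the administrator rather than making a scan look complete. Related, `realpath($raw_source)` at new line 730 returns `false` when DOCUMENT_ROOT is itself outside open_basedir, and `is_dir()` on that value is simply false, so the whole block becomes a silent no-op; a guard like `if ( $source === false ) { /* report unresolved DOCUMENT_ROOT */ }` before the `is_dir` test would distinguish that case from an empty directory. The enclosing `if ( isset( $_POST['Submit-MScan-Options'] ) ...` block starts outside the hunk.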
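--- a/bulletproof-security.php
+++ b/bulletproof-security.php
@@ -4,8 +4,8 @@ Plugin Name: BulletProof Security
 Plugin URI: https://forum.ait-pro.com/read-me-first/
 Text Domain: bulletproof-security
 Domain Path: /languages/
-Description: <strong>Feature Highlights:</strong> Setup Wizard &bull; MScan Malware Scanner &bull; .htaccess Website Security Protection (Firewalls) &bull; Security Logging|HTTP Error Logging &bull; DB Backup &bull; DB Table Prefix Changer &bull; Login Security & Monitoring &bull; JTC-Lite Login Form Bot Lockout Protection &bull; Idle Session Logout (ISL) &bull; Auth Cookie Expiration (ACE) &bull; UI Theme Skin Changer &bull; System Info: Extensive System, Server and Security Status Information &bull; FrontEnd|BackEnd Maintenance Mode
-Version: 2.5
+Description: <strong>Feature Highlights:</strong> Setup Wizard &bull; MScan Malware Scanner &bull; .htaccess Website Security Protection (Firewalls) &bull; Security Logging|HTTP Error Logging &bull; DB Backup &bull; DB Table Prefix Changer &bull; Login Security & Monitoring &bull; JTC-Lite Login Form Bot Lockout Protection &bull; Idle Session Logout (ISL) &bull; Auth Cookie Expiration (ACE) &bull; UI Theme Skin Changer &bull; System Info: Extensive System, Server and Security Status Information &bull; FrontEnd|BackEnd Maintenance Mode
+Version: 2.6
 Author: AITpro Website Security
 Author URI: https://forum.ait-pro.com/read-me-first/
 */
@@ -28,9 +28,9 @@ Author URI: https://forum.ait-pro.com/read-me-first/
 */
 
 // BPS variables
-define( 'BULLETPROOF_VERSION', '2.5' );
-$bps_last_version = '2.4';
-$bps_version = '2.5';
+define( 'BULLETPROOF_VERSION', '2.6' );
+$bps_last_version = '2.5';
+$bps_version = '2.6';
 $aitpro_bullet = '<img src="'.plugins_url('/bulletproof-security/admin/images/aitpro-bullet.png').'" style="padding:0px 3px 0px 3px;" />';
 // Top div & bottom div
 $bps_topDiv = '<div id="message" class="updated" style="background-color:#dfecf2;border:1px solid #999;-moz-border-radius-topleft:3px;-webkit-border-top-left-radius:3px;-khtml-border-top-left-radius:3px;border-top-left-radius:3px;-moz-border-radius-topright:3px;-webkit-border-top-right-radius:3px;-khtml-border-top-right-radius:3px;border-top-right-radius:3px;-webkit-box-shadow: 3px 3px 5px -1px rgba(153,153,153,0.7);-moz-box-shadow: 3px 3px 5px -1px rgba(153,153,153,0.7);box-shadow: 3px 3px 5px -1px rgba(153,153,153,0.7);"><p>';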
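--- a/includes/general-functions.php
+++ b/includes/general-functions.php
@@ -876,9 +876,11 @@ function bpsPro_mu_tools_plugin_copy() {
 // Get any new dirs that have been created and remove any old dirs from the bps_mscan_dirs db option.
 // Also used in Setup Wizard: need to add setup wizard condition to display saved or updated db options etc.
 // Note: MScan Status db options do not need to be pre-saved. Will use bps_mscan_status == '' for display.
+// 2.6: open_basedir "fix" added
 function bpsPro_presave_mscan_options() {
 
-$source = $_SERVER['DOCUMENT_ROOT'];
+$raw_source = $_SERVER['DOCUMENT_ROOT'];
+$source = realpath($raw_source);
 
 if ( is_dir($source) ) {
 
@@ -887,12 +889,15 @@ function bpsPro_presave_mscan_options() {
 $dir_array = array();
 
 foreach ( $iterator as $files ) {
-
-if ( $files->isDir() && ! $files->isDot() ) {
-
-if ( ! empty( $files ) ) {
-$dir_array[] = $files->getFilename();
+try {
+if ( $files->isDir() && ! $files->isDot() ) {
+
+if ( ! empty( $files ) ) {
+$dir_array[] = $files->getFilename();
+}
 }
+} catch (RuntimeException $e) {
+// pending error message or log entry after Beta Testing is completed
 }
 }
 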
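Review bot: The header comment added at new line 879, `// 2.6: open_basedir "fix" added`, does not say what the fix is, and the quotation marks around "fix" leave the reader guessing whether it is considered complete. The hunk itself shows the two concrete changes, so the comment can state them: `// 2.6: DOCUMENT_ROOT is resolved with realpath() and each DirectoryIterator entry is wrapped in try/catch so a RuntimeException raised under open_basedir restrictions skips that entry instead of aborting the function.` Noting that a skipped entry is currently not reported (the catch body is still a placeholder) would also tell the next maintainer where the work remains. The body of `bpsPro_presave_mscan_options` continues past the second hunk.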
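--- a/includes/mscan-ajax-functions.php
+++ b/includes/mscan-ajax-functions.php
@@ -152,96 +152,100 @@ global $wp_version, $wpdb;
 
 foreach ( $iterator as $files ) {
 
-if ( $files->isFile() ) {
-
-if ( file_get_contents($MScanStop) != 'run' ) {
-fwrite( $handle, "Scan Time Calculation: MScan Scanning was Stopped\r\n" );
-fclose($handle);
-exit();
-
-} else {
-
-if ( ! preg_match( '/(.*)((\/|\\\)'.$bps_wpcontent_dir.'(\/|\\\)bps-backup(\/|\\\))(.*)/', $files->getPathname() ) ) {
+try {
+if ( $files->isFile() ) {
 
-$total_website_files_array[] = $files->getPathname();
+if ( file_get_contents($MScanStop) != 'run' ) {
+fwrite( $handle, "Scan Time Calculation: MScan Scanning was Stopped\r\n" );
+fclose($handle);
+exit();
+
+} else {
 
-if ( $files->getFilename() == 'index.php' ) {
-$check_string1 = file_get_contents( $files->getPath() . '/index.php' );
-}
-
-if ( $files->getFilename() == 'readme.html' ) {
-$check_string2 = file_get_contents( $files->getPath() . '/readme.html' );
-}
-
-if ( $files->getFilename() == 'xmlrpc.php' ) {
-$check_string3 = file_get_contents( $files->getPath() . '/xmlrpc.php' );
-}
-
-$pos1 = strpos( $check_string1, "define('WP_USE_THEMES" );
-$pos2 = strpos( $check_string2, "https://wordpress.org/" );
-$pos3 = strpos( $check_string3, "XML-RPC protocol support for WordPress" );
+if ( ! preg_match( '/(.*)((\/|\\\)'.$bps_wpcontent_dir.'(\/|\\\)bps-backup(\/|\\\))(.*)/', $files->getPathname() ) ) {
 
-if ( $MScan_options['mscan_exclude_dirs'] != '' ) {
+$total_website_files_array[] = $files->getPathname();
 
-$mscan_exclude_dirs = str_replace('\\\\', '\\', $MScan_options['mscan_exclude_dirs']);
-$mscan_exclude_dirs_array = explode( "\n", $mscan_exclude_dirs );
+if ( $files->getFilename() == 'index.php' ) {
+$check_string1 = file_get_contents( $files->getPath() . '/index.php' );
+}
+
+if ( $files->getFilename() == 'readme.html' ) {
+$check_string2 = file_get_contents( $files->getPath() . '/readme.html' );
+}
 
-$mscan_exclude_dirs_regex_array = array();
-
-foreach ( $mscan_exclude_dirs_array as $mscan_exclude_dir ) {
-$search_array = array( "\n", "\r\n", "\r", '\\', '/', '[', ']', '(', ')', '+', ' ');
-$replace_array = array( "", "", "", '\\\\', '\/', '\[', '\]', '\(', '\)', '\+', '\s');
-$mscan_exclude_dir = str_replace( $search_array, $replace_array, $mscan_exclude_dir );
-$mscan_exclude_dirs_regex_array[] = '(.*)'.$mscan_exclude_dir.'(.*)|';
+if ( $files->getFilename() == 'xmlrpc.php' ) {
+$check_string3 = file_get_contents( $files->getPath() . '/xmlrpc.php' );
 }
-
-$glue = implode("", $mscan_exclude_dirs_regex_array);
-$mscan_exclude_dir_regex = preg_replace( '/\|$/', '', $glue);
-$exclude_dirs_pattern = '/('.$mscan_exclude_dir_regex.')/';
+
+$pos1 = strpos( $check_string1, "define('WP_USE_THEMES" );
+$pos2 = strpos( $check_string2, "https://wordpress.org/" );
+$pos3 = strpos( $check_string3, "XML-RPC protocol support for WordPress" );
 
-} else {
-$exclude_dirs_pattern = '/(\/bps-no-dirs\/)/';
-}
-
-$core_pattern = '/(.*)((\/|\\\)wp-admin(\/|\\\)|(\/|\\\)wp-includes(\/|\\\))(.*)/';
-
-if ( preg_match( $core_pattern, $files->getPathname() ) || $files->getFilename() == 'index.php' && $pos1 !== false || $files->getFilename() == 'readme.html' && $pos2 !== false || $files->getFilename() == 'xmlrpc.php' && $pos3 !== false || in_array($files->getFilename(), $wp_core_root_file_array) ) {
-$wp_core_file_array[] = $files->getPathname();
-}
-
-if ( ! preg_match( $core_pattern, $files->getPathname() ) && ! in_array($files->getFilename(), $wp_core_root_file_array) && ! preg_match( $exclude_dirs_pattern, $files->getPathname() ) ) {
-
-$ext = pathinfo( strtolower($files->getPathname()), PATHINFO_EXTENSION );
-
-if ( $files->getSize() <= $MScan_options['mscan_max_file_size'] * 1024 ) {
-
-if ( $MScan_options['mscan_scan_images'] == 'On' ) {
+if ( $MScan_options['mscan_exclude_dirs'] != '' ) {
 
-if ( $ext == 'png' || $ext == 'gif' || $ext == 'bmp' || $ext == 'jpg' || $ext == 'jpeg' || $ext == 'tif' || $ext == 'tiff' ) {
-$image_file_path_array[] = $files->getPathname();
-}
+$mscan_exclude_dirs = str_replace('\\\\', '\\', $MScan_options['mscan_exclude_dirs']);
+$mscan_exclude_dirs_array = explode( "\n", $mscan_exclude_dirs );
+
+$mscan_exclude_dirs_regex_array = array();
+
+foreach ( $mscan_exclude_dirs_array as $mscan_exclude_dir ) {
+$search_array = array( "\n", "\r\n", "\r", '\\', '/', '[', ']', '(', ')', '+', ' ');
+$replace_array = array( "", "", "", '\\\\', '\/', '\[', '\]', '\(', '\)', '\+', '\s');
+$mscan_exclude_dir = str_replace( $search_array, $replace_array, $mscan_exclude_dir );
+$mscan_exclude_dirs_regex_array[] = '(.*)'.$mscan_exclude_dir.'(.*)|';
 }
 
-if ( $ext == 'htm' || $ext == 'html' || $ext == 'htaccess' || $ext == 'js' || $ext == 'php' || $ext == 'phps' || $ext == 'php5' || $ext == 'php4' || $ext == 'php3' || $ext == 'phtml' || $ext == 'phpt' || $ext == 'shtm' || $ext == 'shtml' || $ext == 'xhtml' ) {
-$file_path_array[] = $files->getPathname();
-}
-
-} else {
+$glue = implode("", $mscan_exclude_dirs_regex_array);
+$mscan_exclude_dir_regex = preg_replace( '/\|$/', '', $glue);
+$exclude_dirs_pattern = '/('.$mscan_exclude_dir_regex.')/';
+
+} else {
+$exclude_dirs_pattern = '/(\/bps-no-dirs\/)/';
+}
+
+$core_pattern = '/(.*)((\/|\\\)wp-admin(\/|\\\)|(\/|\\\)wp-includes(\/|\\\))(.*)/';
+
+if ( preg_match( $core_pattern, $files->getPathname() ) || $files->getFilename() == 'index.php' && $pos1 !== false || $files->getFilename() == 'readme.html' && $pos2 !== false || $files->getFilename() == 'xmlrpc.php' && $pos3 !== false || in_array($files->getFilename(), $wp_core_root_file_array) ) {
+$wp_core_file_array[] = $files->getPathname();
+}
+
+if ( ! preg_match( $core_pattern, $files->getPathname() ) && ! in_array($files->getFilename(), $wp_core_root_file_array) && ! preg_match( $exclude_dirs_pattern, $files->getPathname() ) ) {
+
+$ext = pathinfo( strtolower($files->getPathname()), PATHINFO_EXTENSION );
+
+if ( $files->getSize() <= $MScan_options['mscan_max_file_size'] * 1024 ) {
 
-if ( $MScan_options['mscan_scan_images'] == 'On' ) {
+if ( $MScan_options['mscan_scan_images'] == 'On' ) {
 
-if ( $ext == 'png' || $ext == 'gif' || $ext == 'bmp' || $ext == 'jpg' || $ext == 'jpeg' || $ext == 'tif' || $ext == 'tiff' ) {
-$skipped_image_file_path_array[] = $files->getPathname();
+if ( $ext == 'png' || $ext == 'gif' || $ext == 'bmp' || $ext == 'jpg' || $ext == 'jpeg' || $ext == 'tif' || $ext == 'tiff' ) {
+$image_file_path_array[] = $files->getPathname();
+}
 }
-}
 
-if ( $ext == 'htm' || $ext == 'html' || $ext == 'htaccess' || $ext == 'js' || $ext == 'php' || $ext == 'phps' || $ext == 'php5' || $ext == 'php4' || $ext == 'php3' || $ext == 'phtml' || $ext == 'phpt' || $ext == 'shtm' || $ext == 'shtml' || $ext == 'xhtml' ) {
-$skipped_nonimage_file_path_array[] = $files->getPathname();
+if ( $ext == 'htm' || $ext == 'html' || $ext == 'htaccess' || $ext == 'js' || $ext == 'php' || $ext == 'phps' || $ext == 'php5' || $ext == 'php4' || $ext == 'php3' || $ext == 'phtml' || $ext == 'phpt' || $ext == 'shtm' || $ext == 'shtml' || $ext == 'xhtml' ) {
+$file_path_array[] = $files->getPathname();
+}
+
+} else {
+
+if ( $MScan_options['mscan_scan_images'] == 'On' ) {
+
+if ( $ext == 'png' || $ext == 'gif' || $ext == 'bmp' || $ext == 'jpg' || $ext == 'jpeg' || $ext == 'tif' || $ext == 'tiff' ) {
+$skipped_image_file_path_array[] = $files->getPathname();
+}
+}
+
+if ( $ext == 'htm' || $ext == 'html' || $ext == 'htaccess' || $ext == 'js' || $ext == 'php' || $ext == 'phps' || $ext == 'php5' || $ext == 'php4' || $ext == 'php3' || $ext == 'phtml' || $ext == 'phpt' || $ext == 'shtm' || $ext == 'shtml' || $ext == 'xhtml' ) {
+$skipped_nonimage_file_path_array[] = $files->getPathname();
+}
 }
 }
 }
 }
 }
+} catch (RuntimeException $e) {
+// pending error message or log entry after Beta Testing is completed
 }
 }
 
@@ -528,7 +532,7 @@ global $wp_version;
 curl_setopt($ch, CURLOPT_URL, $wp_zip_url);
 curl_setopt($ch, CURLOPT_FAILONERROR, true);
 curl_setopt($ch, CURLOPT_HEADER, false);
-curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
+@curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
 curl_setopt($ch, CURLOPT_AUTOREFERER, true);
 curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);
 curl_setopt($ch, CURLOPT_TIMEOUT, 60);
@@ -845,96 +849,100 @@ global $wp_version, $wpdb;
 
 foreach ( $iterator as $files ) {
 
-if ( $files->isFile() ) {
-
-if ( file_get_contents($MScanStop) != 'run' ) {
-fwrite( $handle, "Scanning Files: MScan Scanning was Stopped\r\n" );
-fclose($handle);
-exit();
-
-} else {
-
-if ( ! preg_match( '/(.*)((\/|\\\)'.$bps_wpcontent_dir.'(\/|\\\)bps-backup(\/|\\\))(.*)/', $files->getPathname() ) ) {
+try {
+if ( $files->isFile() ) {
 
-$total_website_files_array[] = $files->getPathname();
-
-if ( $files->getFilename() == 'index.php' ) {
-$check_string1 = file_get_contents( $files->getPath() . '/index.php' );
-}
-
-if ( $files->getFilename() == 'readme.html' ) {
-$check_string2 = file_get_contents( $files->getPath() . '/readme.html' );
-}
-
-if ( $files->getFilename() == 'xmlrpc.php' ) {
-$check_string3 = file_get_contents( $files->getPath() . '/xmlrpc.php' );
-}
+if ( file_get_contents($MScanStop) != 'run' ) {
+fwrite( $handle, "Scanning Files: MScan Scanning was Stopped\r\n" );
+fclose($handle);
+exit();
+
+} else {
 
-$pos1 = strpos( $check_string1, "define('WP_USE_THEMES" );
-$pos2 = strpos( $check_string2, "https://wordpress.org/" );
-$pos3 = strpos( $check_string3, "XML-RPC protocol support for WordPress" );
-
-if ( $MScan_options['mscan_exclude_dirs'] != '' ) {
+if ( ! preg_match( '/(.*)((\/|\\\)'.$bps_wpcontent_dir.'(\/|\\\)bps-backup(\/|\\\))(.*)/', $files->getPathname() ) ) {
 
-$mscan_exclude_dirs = str_replace('\\\\', '\\', $MScan_options['mscan_exclude_dirs']);
-$mscan_exclude_dirs_array = explode( "\n", $mscan_exclude_dirs );
+$total_website_files_array[] = $files->getPathname();
+
+if ( $files->getFilename() == 'index.php' ) {
+$check_string1 = file_get_contents( $files->getPath() . '/index.php' );
+}
+
+if ( $files->getFilename() == 'readme.html' ) {
+$check_string2 = file_get_contents( $files->getPath() . '/readme.html' );
+}
 
-$mscan_exclude_dirs_regex_array = array();
-
-foreach ( $mscan_exclude_dirs_array as $mscan_exclude_dir ) {
-$search_array = array( "\n", "\r\n", "\r", '\\', '/', '[', ']', '(', ')', '+', ' ');
-$replace_array = array( "", "", "", '\\\\', '\/', '\[', '\]', '\(', '\)', '\+', '\s');
-$mscan_exclude_dir = str_replace( $search_array, $replace_array, $mscan_exclude_dir );
-$mscan_exclude_dirs_regex_array[] = '(.*)'.$mscan_exclude_dir.'(.*)|';
+if ( $files->getFilename() == 'xmlrpc.php' ) {
+$check_string3 = file_get_contents( $files->getPath() . '/xmlrpc.php' );
 }
-
-$glue = implode("", $mscan_exclude_dirs_regex_array);
-$mscan_exclude_dir_regex = preg_replace( '/\|$/', '', $glue);
-$exclude_dirs_pattern = '/('.$mscan_exclude_dir_regex.')/';
-
-} else {
-$exclude_dirs_pattern = '/(\/bps-no-dirs\/)/';
-}
-
-$core_pattern = '/(.*)((\/|\\\)wp-admin(\/|\\\)|(\/|\\\)wp-includes(\/|\\\))(.*)/';
-
-if ( preg_match( $core_pattern, $files->getPathname() ) || $files->getFilename() == 'index.php' && $pos1 !== false || $files->getFilename() == 'readme.html' && $pos2 !== false || $files->getFilename() == 'xmlrpc.php' && $pos3 !== false || in_array($files->getFilename(), $wp_core_root_file_array) ) {
-$wp_core_file_array[] = $files->getPathname();
-}
-
-if ( ! preg_match( $core_pattern, $files->getPathname() ) && ! in_array($files->getFilename(), $wp_core_root_file_array) && ! preg_match( $exclude_dirs_pattern, $files->getPathname() ) ) {
+
+$pos1 = strpos( $check_string1, "define('WP_USE_THEMES" );
+$pos2 = strpos( $check_string2, "https://wordpress.org/" );
+$pos3 = strpos( $check_string3, "XML-RPC protocol support for WordPress" );
 
-$ext = pathinfo( strtolower($files->getPathname()), PATHINFO_EXTENSION );
-
-if ( $files->getSize() <= $MScan_options['mscan_max_file_size'] * 1024 ) {
-
-if ( $MScan_options['mscan_scan_images'] == 'On' ) {
+if ( $MScan_options['mscan_exclude_dirs'] != '' ) {
 
-if ( $ext == 'png' || $ext == 'gif' || $ext == 'bmp' || $ext == 'jpg' || $ext == 'jpeg' || $ext == 'tif' || $ext == 'tiff' ) {
-$image_file_path_array[] = $files->getPathname();
-}
+$mscan_exclude_dirs = str_replace('\\\\', '\\', $MScan_options['mscan_exclude_dirs']);
+$mscan_exclude_dirs_array = explode( "\n", $mscan_exclude_dirs );
+
+$mscan_exclude_dirs_regex_array = array();
+
+foreach ( $mscan_exclude_dirs_array as $mscan_exclude_dir ) {
+$search_array = array( "\n", "\r\n", "\r", '\\', '/', '[', ']', '(', ')', '+', ' ');
+$replace_array = array( "", "", "", '\\\\', '\/', '\[', '\]', '\(', '\)', '\+', '\s');
+$mscan_exclude_dir = str_replace( $search_array, $replace_array, $mscan_exclude_dir );
+$mscan_exclude_dirs_regex_array[] = '(.*)'.$mscan_exclude_dir.'(.*)|';
 }
 
-if ( $ext == 'htm' || $ext == 'html' || $ext == 'htaccess' || $ext == 'js' || $ext == 'php' || $ext == 'phps' || $ext == 'php5' || $ext == 'php4' || $ext == 'php3' || $ext == 'phtml' || $ext == 'phpt' || $ext == 'shtm' || $ext == 'shtml' || $ext == 'xhtml' ) {
-$file_path_array[] = $files->getPathname();
-}
-
-} else {
+$glue = implode("", $mscan_exclude_dirs_regex_array);
+$mscan_exclude_dir_regex = preg_replace( '/\|$/', '', $glue);
+$exclude_dirs_pattern = '/('.$mscan_exclude_dir_regex.')/';
+
+} else {
+$exclude_dirs_pattern = '/(\/bps-no-dirs\/)/';
+}
+
+$core_pattern = '/(.*)((\/|\\\)wp-admin(\/|\\\)|(\/|\\\)wp-includes(\/|\\\))(.*)/';
+
+if ( preg_match( $core_pattern, $files->getPathname() ) || $files->getFilename() == 'index.php' && $pos1 !== false || $files->getFilename() == 'readme.html' && $pos2 !== false || $files->getFilename() == 'xmlrpc.php' && $pos3 !== false || in_array($files->getFilename(), $wp_core_root_file_array) ) {
+$wp_core_file_array[] = $files->getPathname();
+}
+
+if ( ! preg_match( $core_pattern, $files->getPathname() ) && ! in_array($files->getFilename(), $wp_core_root_file_array) && ! preg_match( $exclude_dirs_pattern, $files->getPathname() ) ) {
+
+$ext = pathinfo( strtolower($files->getPathname()), PATHINFO_EXTENSION );
+
+if ( $files->getSize() <= $MScan_options['mscan_max_file_size'] * 1024 ) {
 
-if ( $MScan_options['mscan_scan_images'] == 'On' ) {
+if ( $MScan_options['mscan_scan_images'] == 'On' ) {
 
-if ( $ext == 'png' || $ext == 'gif' || $ext == 'bmp' || $ext == 'jpg' || $ext == 'jpeg' || $ext == 'tif' || $ext == 'tiff' ) {
-$skipped_image_file_path_array[] = $files->getPathname();
+if ( $ext == 'png' || $ext == 'gif' || $ext == 'bmp' || $ext == 'jpg' || $ext == 'jpeg' || $ext == 'tif' || $ext == 'tiff' ) {
+$image_file_path_array[] = $files->getPathname();
+}
 }
-}
 
-if ( $ext == 'htm' || $ext == 'html' || $ext == 'htaccess' || $ext == 'js' || $ext == 'php' || $ext == 'phps' || $ext == 'php5' || $ext == 'php4' || $ext == 'php3' || $ext == 'phtml' || $ext == 'phpt' || $ext == 'shtm' || $ext == 'shtml' || $ext == 'xhtml' ) {
-$skipped_nonimage_file_path_array[] = $files->getPathname();
+if ( $ext == 'htm' || $ext == 'html' || $ext == 'htaccess' || $ext == 'js' || $ext == 'php' || $ext == 'phps' || $ext == 'php5' || $ext == 'php4' || $ext == 'php3' || $ext == 'phtml' || $ext == 'phpt' || $ext == 'shtm' || $ext == 'shtml' || $ext == 'xhtml' ) {
+$file_path_array[] = $files->getPathname();
+}
+
+} else {
+
+if ( $MScan_options['mscan_scan_images'] == 'On' ) {
+
+if ( $ext == 'png' || $ext == 'gif' || $ext == 'bmp' || $ext == 'jpg' || $ext == 'jpeg' || $ext == 'tif' || $ext == 'tiff' ) {
+$skipped_image_file_path_array[] = $files->getPathname();
+}
+}
+
+if ( $ext == 'htm' || $ext == 'html' || $ext == 'htaccess' || $ext == 'js' || $ext == 'php' || $ext == 'phps' || $ext == 'php5' || $ext == 'php4' || $ext == 'php3' || $ext == 'phtml' || $ext == 'phpt' || $ext == 'shtm' || $ext == 'shtml' || $ext == 'xhtml' ) {
+$skipped_nonimage_file_path_array[] = $files->getPathname();
+}
 }
 }
 }
 }
 }
+} catch (RuntimeException $e) {
+// pending error message or log entry after Beta Testing is completed
 }
 }
 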
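Review bot: The `@` prefixed to `curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true)` at new line 535 removes the only signal that the option was refused, and the call's return value is not checked, so on a server where this option cannot be enabled the transfer of `$wp_zip_url` proceeds without following redirects. `CURLOPT_FAILONERROR` on the line above only rejects HTTP status 400 and up, so a 3xx response body could presumably be accepted in place of the archive the scanner later compares against. Checking the result keeps the condition visible: `if ( ! curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true) ) { error_log( 'MScan: CURLOPT_FOLLOWLOCATION unavailable; redirects will not be followed' ); }`, and verifying the final status via `curl_getinfo($ch, CURLINFO_HTTP_CODE)` after the transfer would catch the redirect case outright. The enclosing function starts and ends outside the hunk.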
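--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Donate link: https://wordpress.org/support/view/plugin-reviews/bulletproof-secur
 Tags: security, secure, scanner, login security, firewall, security plugin, wordpress security, login, malware, malware scanner, bruteforce, backup, exploit, infection, protection, virus, anti-virus, logout, spam, anti-spam
 Requires at least: 3.8
 Tested up to: 4.8
-Stable tag: 2.5
+Stable tag: 2.6
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -12,7 +12,7 @@ WordPress Security Protection: Malware scanner, Firewall, Login Security, DB Bac
 
 == Description ==
 
-WordPress Security Protection: Malware scanner, Firewall, Login Security, DB Backup, Anti-Spam & much more. View Security feature highlights below. View BulletProof Security feature details under the FAQ help section. Secure your WordPress website even further by adding additional BulletProof Security Bonus Custom Code. See Bonus Custom Code under the FAQ help section. Effective, Reliable & Easy to use WordPress Security Plugin.
+WordPress Security Protection: Malware scanner, Firewall, Login Security, DB Backup, Anti-Spam & much more. View Security feature highlights below. View BulletProof Security feature details under the FAQ help section below. Secure your WordPress website even further by adding additional BulletProof Security Bonus Custom Code. See BulletProof Security Bonus Custom Code under the FAQ help section below. Effective, Reliable & Easy to use WordPress Security Plugin.
 
 = BulletProof Security Feature Highlights =
 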