Defender Security – Malware Scanner, Login Security & Firewall - Version 1.7.3

Version Description

  • Fix: Two-factor authentication can be bypassed by user with no role.
  • Improvement: Enhanced two-factor authentication protection across multisites.

Release Info

Developer jdailey
Version 1.7.3

Code changes from version 1.7.2 to 1.7.3

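--- a/app/module/advanced-tools/component/auth-api.php
+++ b/app/module/advanced-tools/component/auth-api.php
@@ -6,6 +6,7 @@
  namespace WP_Defender\Module\Advanced_Tools\Component;
 
  use Hammer\Base\Component;
+ use WP_Defender\Behavior\Utils;
  use WP_Defender\Module\Advanced_Tools\Model\Auth_Settings;
 
  class Auth_API extends Component {
@@ -150,10 +151,27 @@ class Auth_API extends Component {
  if ( ! $user instanceof \WP_User ) {
  return false;
  }
- $settings = Auth_Settings::instance();
- $allowedForThisRole = array_intersect( $settings->userRoles, $user->roles );
+ $settings = Auth_Settings::instance();
+ if ( 0 === count( $user->roles ) ) {
+ return true;
+ }
 
- return count( $allowedForThisRole ) > 0;
+ if ( Utils::instance()->isActivatedSingle() ) {
+ $allowedForThisRole = array_intersect( $settings->userRoles, $user->roles );
+
+ return count( $allowedForThisRole ) > 0;
+ } else {
+ $blogs = get_blogs_of_user( $user->ID );
+ $userRoles = array();
+ foreach ( $blogs as $blog ) {
+ //get user roles for this blog
+ $u = new \WP_User( $user->ID, '', $blog->userblog_id );
+ $userRoles = array_merge( $u->roles, $userRoles );
+ }
+ $allowedForThisRole = array_intersect( $settings->userRoles, $userRoles );
+
+ return count( $allowedForThisRole ) > 0;
+ }
  }
 
  /**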
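Review bot: The new early return `if ( 0 === count( $user->roles ) ) { return true; }` has no comment saying it is a deliberate fail-closed default, and it runs before the multisite branch, so a user with no role on the current site is reported as matching the configured roles whatever roles they hold on other sites. If that is intended, state it above the check, e.g. `// Fail closed: a user with no role on this site is always treated as matching the configured roles.` In the `else` branch, `get_blogs_of_user( $user->ID )` is called with its default arguments, which skip sites marked archived, spam or deleted, so roles held only on such sites never reach `$userRoles`; confirm that is the wanted scope. The enclosing method starts before the hunk, so its name and callers are not visible here.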
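--- a/app/module/advanced-tools/controller/main.php
+++ b/app/module/advanced-tools/controller/main.php
@@ -292,7 +292,8 @@ class Main extends Controller {
  $login_token = HTTP_Helper::retrieve_post( 'login_token' );
  $query = new \WP_User_Query( array(
  'meta_key' => 'defOTPLoginToken',
- 'meta_value' => $login_token
+ 'meta_value' => $login_token,
+ 'blog_id' => 0
  ) );
  $res = $query->get_results();
  if ( empty( $res ) ) {
@@ -312,6 +313,7 @@ class Main extends Controller {
  delete_user_meta( $user->ID, 'defOTPLoginToken' );
  wp_set_current_user( $user->ID, $user->user_login );
  wp_set_auth_cookie( $user->ID, true );
+ $redirect = apply_filters( 'login_redirect', $redirect, isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '', $user );
  wp_redirect( $redirect );
  exit;
  } else {
@@ -321,6 +323,7 @@ class Main extends Controller {
  delete_user_meta( $user->ID, 'defenderBackupCode' );
  wp_set_current_user( $user->ID, $user->user_login );
  wp_set_auth_cookie( $user->ID, true );
+ $redirect = apply_filters( 'login_redirect', $redirect, isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '', $user );
  wp_redirect( $redirect );
  exit;
  } else {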
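Review bot: Both added `apply_filters( 'login_redirect', ... )` lines pass their result straight to `wp_redirect( $redirect )`, which does not restrict the target host, so a filter callback that honours the raw `$_REQUEST['redirect_to']` given as the second argument can send a freshly authenticated user off-site. Using `wp_safe_redirect( $redirect );` in both branches (the OTP hunk and the backup-code hunk) keeps the target on allowed hosts, as core's login flow does after the same filter. Where `$redirect` is first assigned is outside these hunks, so its initial value should be checked as well. The first hunk widens the token lookup to the whole network with `'blog_id' => 0`; confirm outside the hunk that an empty `login_token` is rejected before the query runs.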
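--- a/changelog.txt
+++ b/changelog.txt
@@ -4,6 +4,11 @@ Tested up to: 4.7.4
 
  Change Log:
 
+ 1.7.3 - 2017-14-10
+ ----------------------------------------------------------------------
+ - Fix: Two-factor authentication can be bypassed by user with no role.
+ - Improvement: Enhanced two-factor authentication protection across multisites.
+
  1.7.2 - 2017-09-10
  ----------------------------------------------------------------------
  - Improvement: Improvement: IPv6 support for both whitelisting and blacklisting, requires IPv6 support on the server.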
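--- a/languages/wpdef-default.pot
+++ b/languages/wpdef-default.pot
@@ -2,9 +2,9 @@
  # This file is distributed under the GNU General Public License (Version 2 - GPLv2).
  msgid ""
  msgstr ""
- "Project-Id-Version: WP Defender Pro 1.7.2\n"
+ "Project-Id-Version: WP Defender Pro 1.7.3\n"
  "Report-Msgid-Bugs-To: https://wpmudev.org\n"
- "POT-Creation-Date: 2017-10-11 04:26:45+00:00\n"
+ "POT-Creation-Date: 2017-10-14 05:15:14+00:00\n"
  "MIME-Version: 1.0\n"
  "Content-Type: text/plain; charset=utf-8\n"
  "Content-Transfer-Encoding: 8bit\n"
@@ -305,7 +305,7 @@ msgid "Defender%s"
  msgstr ""
 
  #: app/module/advanced-tools/behavior/at-widget.php:17
- #: app/module/advanced-tools/controller/main.php:393
+ #: app/module/advanced-tools/controller/main.php:396
  #: app/module/advanced-tools/view/layouts/layout.php:5
  msgid "Advanced Tools"
  msgstr ""
@@ -396,11 +396,11 @@ msgstr ""
  msgid "Some error happen"
  msgstr ""
 
- #: app/module/advanced-tools/controller/main.php:327
+ #: app/module/advanced-tools/controller/main.php:330
  msgid "Whoops, the passcode you entered was incorrect or expired."
  msgstr ""
 
- #: app/module/advanced-tools/controller/main.php:458
+ #: app/module/advanced-tools/controller/main.php:461
  #: app/module/audit/controller/main.php:196
  #: app/module/ip-lockout/controller/main.php:665
  #: app/module/scan/controller/main.php:305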
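--- a/readme.txt
+++ b/readme.txt
@@ -1,13 +1,13 @@
  === Defender Security, Monitoring, and Hack Protection ===
  Plugin Name: Defender Security, Monitoring, and Hack Protection
- Version: 1.7.2
+ Version: 1.7.3
  Author: WPMU DEV
  Author URI: http://premium.wpmudev.org/
  Contributors: WPMUDEV
  Tags: Security, Security Tweaks, Hardening, IP lockout, Monitoring, Blacklist, Site Protection, Hacked, Security Scan
- Requires at least: 3.5
- Tested up to: 4.8
- Stable tag: 1.7.2
+ Requires at least: 4.6
+ Tested up to: 4.9
+ Stable tag: 1.7.3
  License: GPL v2 - http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
 
  Protect WordPress from hackers with security tweaks, code scans, 2-Step Verification, IP lockouts, and monitoring.
@@ -110,6 +110,9 @@ Hackers and bot attacks are not the only threat to your site. No matter what se
 
 
  == Changelog ==
+ = 1.7.3 =
+ * Fix: Two-factor authentication can be bypassed by user with no role.
+ * Improvement: Enhanced two-factor authentication protection across multisites.
 
  = 1.7.2 =
  * Improvement: Improvement: IPv6 support for both whitelisting and blacklisting, requires IPv6 support on the server.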
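--- a/wp-defender.php
+++ b/wp-defender.php
@@ -3,7 +3,7 @@
  /**
  * Plugin Name: WP Defender
  * Plugin URI: https://premium.wpmudev.org/project/wp-defender/
- * Version: 1.7.2
+ * Version: 1.7.3
  * Description: Get regular security scans, vulnerability reports, safety recommendations and customized hardening for your site in just a few clicks. Defender is the analyst and enforcer who never sleeps.
  * Author: WPMU DEV
  * Author URI: http://premium.wpmudev.org/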