Defender Security – Malware Scanner, Login Security & Firewall - Version 2.6.4

Version Description

= 2.6.4 ( 2021-11-15 ) =

  • Fix: Allow admin-post.php on Mask Login Area


Code changes from version 2.6.3 to 2.6.4

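--- a/languages/wpdef-default.pot
+++ b/languages/wpdef-default.pot
@@ -6,9 +6,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: wp-defender 2.6.3\n"
+"Project-Id-Version: wp-defender 2.6.4\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2021-11-03 12:34+0200\n"
+"POT-Creation-Date: 2021-11-15 08:47+0200\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -1389,8 +1389,8 @@ msgstr ""
 #: src/component/backup-settings.php:1215 src/controller/audit-logging.php:509
 #: src/controller/audit-logging.php:533
 #: src/controller/blocklist-monitor.php:207
-#: src/controller/blocklist-monitor.php:221 src/controller/mask-login.php:690
-#: src/controller/mask-login.php:703 src/controller/password-protection.php:265
+#: src/controller/blocklist-monitor.php:221 src/controller/mask-login.php:702
+#: src/controller/mask-login.php:715 src/controller/password-protection.php:265
 #: src/controller/password-protection.php:280 src/controller/recaptcha.php:969
 #: src/controller/scan.php:596 src/controller/scan.php:628
 #: src/controller/security-headers.php:160 src/controller/two-factor.php:731
@@ -1494,8 +1494,8 @@ msgstr ""
 #: src/controller/audit-logging.php:524
 #: src/controller/blocklist-monitor.php:205
 #: src/controller/blocklist-monitor.php:221 src/controller/firewall.php:791
-#: src/controller/firewall.php:823 src/controller/mask-login.php:690
-#: src/controller/mask-login.php:703 src/controller/password-protection.php:265
+#: src/controller/firewall.php:823 src/controller/mask-login.php:702
+#: src/controller/mask-login.php:715 src/controller/password-protection.php:265
 #: src/controller/password-protection.php:279 src/controller/recaptcha.php:969
 #: src/controller/scan.php:594 src/controller/scan.php:627
 #: src/controller/security-headers.php:160 src/controller/two-factor.php:731
@@ -2221,7 +2221,7 @@ msgstr ""
 
 #: src/controller/audit-logging.php:375 src/controller/blacklist.php:127
 #: src/controller/firewall.php:147 src/controller/main-setting.php:97
-#: src/controller/mask-login.php:257 src/controller/password-protection.php:215
+#: src/controller/mask-login.php:268 src/controller/password-protection.php:215
 #: src/controller/password-reset.php:197 src/controller/scan.php:333
 #: src/controller/security-headers.php:77 src/controller/two-factor.php:532
 #: src/traits/setting.php:21
@@ -2505,19 +2505,19 @@ msgid ""
 "manually."
 msgstr ""
 
-#: src/controller/mask-login.php:96 src/controller/two-factor.php:71
+#: src/controller/mask-login.php:95 src/controller/two-factor.php:71
 msgid ""
 "We've detected a conflict with Jetpack's Wordpress.com Log In feature. "
 "Please disable it and return to this page to continue setup."
 msgstr ""
 
-#: src/controller/mask-login.php:99 src/controller/two-factor.php:74
+#: src/controller/mask-login.php:98 src/controller/two-factor.php:74
 msgid ""
 "We've detected a conflict with Theme my login. Please disable it and return "
 "to this page to continue setup."
 msgstr ""
 
-#: src/controller/mask-login.php:352
+#: src/controller/mask-login.php:363
 msgid ""
 "This feature is forbidden temporarily for security reason. Try login again."
 msgstr ""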
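--- a/readme.txt
+++ b/readme.txt
@@ -1,13 +1,13 @@
 === Defender Security - Malware Scanner, Login Security & Firewall ===
 Plugin Name: Defender Security - Malware Scanner, Login Security & Firewall
-Version: 2.6.3
+Version: 2.6.4
 Author: WPMU DEV
 Author URI: https://wpmudev.com/
 Contributors: WPMUDEV
 Tags: security plugin, security, firewall, malware, malware scanner, antivirus, ip blocking, login security, brute force attacks, two-factor authentication, activity log, audit logs, block hackers, 2fa, hack
 Requires at least: 5.2
-Tested up to: 5.8.1
-Stable tag: 2.6.3
+Tested up to: 5.8.2
+Stable tag: 2.6.4
 Requires PHP: 5.6.20
 License: GPL v2 - http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
 
@@ -240,6 +240,10 @@ Please open a new thread in Defender’s [support forum](https://wordpress.org/s
 
 == Changelog ==
 
+= 2.6.4 ( 2021-11-15 ) =
+
+- Fix: Allow admin-post.php on Mask Login Area
+
 = 2.6.3 ( 2021-11-03 ) =
 
 - Enhance: White labeling support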
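--- a/src/controller/mask-login.php
+++ b/src/controller/mask-login.php
@@ -14,15 +14,15 @@ use WP_User;
 
 /**
 * This going to mask the login url & signup url and prevent directly access in those cases:
-* 1. visit wp-login.php & signup.php or any url with those as suffix
-* However, we will expose the mask url in
+* 1. visit wp-login.php & signup.php or any url with those as suffix.
+* However, we will expose the mask url in:
 * 1. Every login & signup links on frontend, if normal user click on the link, they shouldn't get block
-* 2. Every emails send from WP which contains the login URL, should not get block
+* 2. Every email sends from WP which contains the login URL, should not get block.
 *
 * Instead of detect if the user logged in or not, we should have a hash of user id and salt for cookies,
-* this way when user direct from other source like back from HUB or so, they wont get lockout
+* this way when user direct from other source like back from HUB or so, they won't get lockout.
 *
-* The condition for trigger is when user visit the right mask login, then we will generate
+* The condition for trigger is when user visit the right mask login, then we will generate.
 *
 * Class Mask_Login
 * @package WP_Defender\Controller
@@ -31,7 +31,7 @@ class Mask_Login extends Controller2 {
 use IO, Permission;
 
 /**
-* Use for cache
+* Use for cache.
 * @var \WP_Defender\Model\Setting\Mask_Login
 */
 protected $model;
@@ -48,7 +48,7 @@ class Mask_Login extends Controller2 {
 
 public function __construct() {
 add_filter( 'wp_defender_advanced_tools_data', array( &$this, 'script_data' ) );
-//internal cache so we don't need to query many times
+// Internal cache, so we don't need to query many times.
 $this->model = wd_di()->get( \WP_Defender\Model\Setting\Mask_Login::class );
 $this->service = wd_di()->get( \WP_Defender\Component\Mask_Login::class );
 $this->register_routes();
@@ -59,23 +59,22 @@ class Mask_Login extends Controller2 {
 $is_jetpack_sso = $auth_component->is_jetpack_sso();
 $is_tml = $auth_component->is_tml();
 if ( ! $is_jetpack_sso && ! $is_tml ) {
-//monitor wp-admin, wp-login.php
+// Monitor wp-admin, wp-login.php.
 add_action( 'init', array( &$this, 'handle_login_request' ), 99 );
 add_filter( 'wp_redirect', array( &$this, 'filter_wp_redirect' ), 10 );
-//filter site_url & network_site_url so people won't get block screen
+// Filter site_url & network_site_url so people won't get block screen.
 add_filter( 'site_url', array( &$this, 'filter_site_url' ), 100, 2 );
 add_filter( 'network_site_url', array( &$this, 'filter_site_url' ), 100, 2 );
-//if this is enabled, then we should filter all the email links
+// If this is enabled, then we should filter all the email links.
 add_filter( 'wp_mail', array( &$this, 'replace_login_url_in_email' ), 10 );
-//for prevent admin redirect
+// For prevent admin redirect.
 remove_action( 'template_redirect', 'wp_redirect_admin_locations' );
-//if Pro site is activated and user email is not defined, we need to update the
-//email to match the new login URL
+// If Pro site is activated and user email is not defined, we need to update the email to match the new login URL.
 add_filter( 'update_welcome_email', array( &$this, 'update_welcome_email_prosite_case', 10, 6 ) );
-//change password link for new user
+// Change password link for new user.
 add_filter( 'wp_new_user_notification_email', array( &$this, 'change_new_user_notification_email' ), 10, 3 );
 add_filter( 'lostpassword_redirect', array( &$this, 'change_lostpassword_redirect' ), 10 );
-//log links in email
+// Log links in email.
 add_filter( 'report_email_logs_link', array( &$this, 'update_report_logs_link', 10, 2 ) );
 if ( class_exists( 'bbPress' ) ) {
 add_filter( 'bbp_redirect_login', array( &$this, 'make_sure_wpadmin_after_login' ), 10, 3 );
@@ -88,7 +87,7 @@ class Mask_Login extends Controller2 {
 }
 add_filter( 'retrieve_password_message', array( &$this, 'flywheel_change_password_message' ), 10, 4 );
 } else {
-//change password link for exist user
+// Change password link for exist user.
 add_filter( 'retrieve_password_message', array( &$this, 'change_password_message' ), 10, 4 );
 }
 } else {
@@ -173,8 +172,8 @@ class Mask_Login extends Controller2 {
 if ( $this->service->is_bot_request() ) {
 return;
 }
-//need to check if the current request is for signup, login, if those is not the slug, then we redirect
-//to the 404 redirect, or 403 wp die.
+// Need to check if the current request is for signup, login.
+// If it is not the slug, then we redirect to the 404 redirect, or 403 wp die.
 $requested_path = $this->service->get_request_path();
 $requested_path_without_slash = ltrim( $requested_path, '/' );
 if ( ! $requested_path_without_slash ) {
@@ -182,22 +181,31 @@ class Mask_Login extends Controller2 {
 }
 
 if ( '/' . ltrim( $this->get_model()->mask_url, '/' ) === $requested_path ) {
-//we need to redirect this one to wp-login and open it.
+// We need to redirect this one to wp-login and open it.
 return $this->show_login_page();
 }
-if ( is_user_logged_in() || defined( 'DOING_AJAX' ) ) {
-//do nothing
+/**
+* Allowed if:
+* it's AJAX,
+* the user is logged in,
+* it's an admin post request.
+*/
+if (
+defined( 'DOING_AJAX' )
+|| is_user_logged_in()
+|| $this->is_allowed_path( $requested_path_without_slash )
+) {
+// Do nothing.
 return;
 }
 
 // If user is not logged in but login cookie is set.
-if ( ! is_user_logged_in() && isset( $_COOKIE[ LOGGED_IN_COOKIE ] ) ) {
+if ( isset( $_COOKIE[ LOGGED_IN_COOKIE ] ) && ! is_user_logged_in() ) {
 $user_id = wp_validate_auth_cookie( $_COOKIE[ LOGGED_IN_COOKIE ], 'logged_in' );
 
 if ( $user_id ) {
 // Cookie is valid so login the user.
 wp_set_current_user( $user_id );
-
 // Return from here because of valid user found.
 return;
 }
@@ -205,36 +213,39 @@ class Mask_Login extends Controller2 {
 
 $ticket = HTTP::get( 'ticket', false );
 if ( false !== $ticket && $this->service->redeem_ticket( $ticket ) ) {
-//allow to pass
+// Allow to pass.
 return;
 }
 
-//if current is same then we show the login screen.
+// If current is same then we show the login screen.
 if ( $this->service->is_land_on_masked_url( $this->model->mask_url ) ) {
 return $this->show_login_page();
 }
 
-//if it's the verification link to change Network Admin Email.
+// If it's the verification link to change Network Admin Email.
 $is_multisite = is_multisite();
 if (
 $is_multisite
 && false !== strpos( parse_url( $requested_path, PHP_URL_QUERY ), 'network_admin_hash' )
 ) {
-$logs_url = add_query_arg( 'redirect_to', urlencode( $requested_path ), $this->get_model()->get_new_login_url() );
+$logs_url = add_query_arg(
+'redirect_to',
+urlencode( $requested_path ),
+$this->get_model()->get_new_login_url()
+);
 wp_safe_redirect( $logs_url );
 die;
 }
-
 /**
 * Block if it's:
-* 1) no MU but there is an attempt to load the 'wp-signup.php' page
-* 2) from the list of forbidden slugs
+* 1) no MU but there is an attempt to load the 'wp-signup.php' page,
+* 2) from the list of forbidden slugs.
 */
 if (
 ( ! $is_multisite && 'wp-signup.php' === $requested_path_without_slash )
 || $this->service->is_on_login_page( $requested_path_without_slash )
 ) {
-//if they are here and the flow getting here, then just lock.
+// If they are here and the flow getting here, then just lock.
 return $this->maybe_lock();
 }
 }
@@ -303,18 +314,18 @@ class Mask_Login extends Controller2 {
 }
 
 if ( is_user_logged_in() && false === stripos( $current_url, 'wp-login.php' ) ) {
-//do nothing
+// Do nothing.
 return $current_url;
 }
 
 if ( false !== stripos( $current_url, 'wp-login.php' ) ) {
-//this is URL go to old wp-login.php
+// This is URL go to old wp-login.php.
 $query = parse_url( $current_url, PHP_URL_QUERY );
 parse_str( $query, $params );
 
 return add_query_arg( $params, $this->get_model()->get_new_login_url( $this->get_site_url() ) );
 } else {
-//this case when admin map a domain into subsite, we need to update the new domain/masked-login into the list
+// This case when admin map a domain into subsite, we need to update the new domain/masked-login into the list.
 if ( ! function_exists( 'get_current_screen' ) ) {
 require_once( ABSPATH . 'wp-admin/includes/screen.php' );
 }
@@ -324,7 +335,7 @@ class Mask_Login extends Controller2 {
 return $current_url;
 }
 if ( 'sites-network' === $screen->id ) {
-//case URLs inside sites list, need to check those with custom domain cause when redirect, it will require re-login
+// Case URLs inside sites list, need to check those with custom domain cause when it's redirect, it will require re-login.
 $requested_path = $this->service->get_request_path( $current_url );
 if ( '/wp-admin' === $requested_path ) {
 $current_domain = $_SERVER['HTTP_HOST'];
@@ -360,7 +371,7 @@ class Mask_Login extends Controller2 {
 if ( false === $lp ) {
 wp_die( esc_html( $forbidden_message ) );
 }
-// If the URL is without scheme, e.g. example.com, then add 'http' protocol at the beginning of the URL
+// If the URL is without scheme, e.g. example.com, then add 'http' protocol at the beginning of the URL.
 if ( ! isset( $lp['scheme'] ) && isset( $lp['path'] ) ) {
 $redirect_url = 'http://' . untrailingslashit( $redirect_url );
 }
@@ -388,6 +399,7 @@ class Mask_Login extends Controller2 {
 
 /**
 * Safe way to get cached model.
+*
 * @return \WP_Defender\Model\Setting\Mask_Login
 */
 private function get_model() {
@@ -532,7 +544,7 @@ class Mask_Login extends Controller2 {
 * @param $title
 * @param $meta
 *
-* @return mixed
+* @return string
 */
 public function update_welcome_email_prosite_case( $welcome_email, $blog_id, $user_id, $password, $title, $meta ) {
 $url = get_blogaddress_by_id( $blog_id );
@@ -657,7 +669,7 @@ class Mask_Login extends Controller2 {
 return;
 }
 
-// if query data is not set.
+// If query data is not set.
 if ( ! isset( $_GET['newuseremail'] ) ) {
 return;
 }
@@ -669,7 +681,7 @@ class Mask_Login extends Controller2 {
 $wpdb->prepare( "SELECT meta_key FROM {$wpdb->usermeta} WHERE meta_value LIKE %s", $like )
 );
 
-// Hash could not found.
+// Hash not found.
 if ( '_new_email' !== $meta_key ) {
 return;
 }
@@ -747,4 +759,27 @@ class Mask_Login extends Controller2 {
 }
 }
 }
+
+/**
+* Check if a path is allowed without login masking.
+*
+* @param string $path Path to check.
+*
+* @since 2.6.4
+* @return bool
+*/
+private function is_allowed_path( $path ) {
+// Admin post requests to admin-post.php should be allowed.
+$allowed = 'wp-admin/admin-post.php' === $path && isset( $_REQUEST['action'] ); // phpcs:ignore
+
+/**
+* Filter to allow whitelisting paths from login masking.
+*
+* @param bool $allowed Is current path allowed?.
+* @param string $path Path to check.
+*
+* @since 2.6.4
+*/
+return apply_filters( 'wd_mask_login_is_allowed_path', $allowed, $path );
+}
 }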
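Review bot: The `add_filter()` registrations for `update_welcome_email` and `report_email_logs_link` in the constructor hunk put the priority and accepted-argument count inside the `array( &$this, ... )` callable instead of passing them as `add_filter()`'s third and fourth arguments, so WordPress is handed a four-element array that is not a valid PHP callback and those two filters cannot run when applied, leaving the unmasked login URL in the welcome and report emails; the commit reworded the comments above both lines without touching them. They should read `add_filter( 'update_welcome_email', array( &$this, 'update_welcome_email_prosite_case' ), 10, 6 );` and `add_filter( 'report_email_logs_link', array( &$this, 'update_report_logs_link' ), 10, 2 );`. On the new `is_allowed_path()`, the allow decision is `isset( $_REQUEST['action'] )`, which accepts any value including an empty string and, depending on PHP's `request_order`, a cookie named `action`, and the early return it feeds in `handle_login_request()` now happens before the `LOGGED_IN_COOKIE` revalidation, the ticket check and `maybe_lock()`; that matches the changelog's intent, but a comment such as `// Presence of 'action' only; admin-post.php does its own priv/nopriv dispatch, so the value is not validated here.` would make the trust boundary explicit, and the `wd_mask_login_is_allowed_path` docblock should warn that a filter returning true exposes that path to unauthenticated requests. Separately, if `$this->service->get_request_path()` can include the query string (the `network_admin_hash` branch parses `PHP_URL_QUERY` out of `$requested_path`, which suggests it can), the strict `'wp-admin/admin-post.php' === $path` comparison would only match when the action arrives in the POST body, which is worth confirming against the component.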
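--- a/src/controller/recaptcha.php
+++ b/src/controller/recaptcha.php
@@ -436,7 +436,7 @@ class Recaptcha extends \WP_Defender\Controller2 {
 return $user;
 }
 
-if ( empty( filter_input( INPUT_POST, 'g-recaptcha-response') ) ) {
+if ( ! isset( $_POST['g-recaptcha-response'] ) ) {
 return $user;
 }
 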
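Review bot: The guard's unchanged `return $user;` still means a request that omits `g-recaptcha-response` entirely skips whatever follows, and if the code after this hunk is the token verification (the enclosing function begins and ends outside the hunk, so that cannot be confirmed here) a client bypasses the check simply by dropping the field; unless an earlier guard in the function already establishes that the field must be present, the absent-field case should fail closed by returning a `WP_Error` rather than `$user`. Note that replacing `empty( filter_input( INPUT_POST, ... ) )` with `! isset( $_POST[...] )` also changes behaviour for an empty-string submission, which previously took this early return and now continues into the code below; that is the stricter direction, but it deserves a comment such as `// Only an absent field skips this branch; an empty token must fail verification below.` so the next reader does not "fix" it back to `empty()`.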
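--- a/wp-defender.php
+++ b/wp-defender.php
@@ -2,7 +2,7 @@
 /**
 * Plugin Name: Defender
 * Plugin URI: https://wpmudev.com/project/wp-defender/
-* Version: 2.6.3
+* Version: 2.6.4
 * Description: Get regular security scans, vulnerability reports, safety recommendations and customized hardening for your site in just a few clicks. Defender is the analyst and enforcer who never sleeps.
 * Author: WPMU DEV
 * Author URI: https://wpmudev.com/
@@ -15,10 +15,10 @@ if ( ! defined( 'ABSPATH' ) ) {
 die;
 }
 if ( ! defined( 'DEFENDER_VERSION' ) ) {
-define( 'DEFENDER_VERSION', '2.6.3' );
+define( 'DEFENDER_VERSION', '2.6.4' );
 }
 if ( ! defined( 'DEFENDER_DB_VERSION' ) ) {
-define( 'DEFENDER_DB_VERSION', '2.6.3' );
+define( 'DEFENDER_DB_VERSION', '2.6.4' );
 }
 if ( ! defined( 'DEFENDER_SUI' ) ) {
 define( 'DEFENDER_SUI', '2-11-1' );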
  define( 'DEFENDER_SUI', '2-11-1' );