Version Description
( 2021-11-15 ) =
- Fix: Allow admin-post.php on Mask Login Area
Release Info
Developer | BigTonny |
Plugin | Defender Security – Malware Scanner, Login Security & Firewall |
Version | 2.6.4 |
Code changes from version 2.6.3 to 2.6.4
- languages/wpdef-default.pot +10 -10
- readme.txt +7 -3
- src/controller/mask-login.php +74 -39
- src/controller/recaptcha.php +1 -1
- wp-defender.php +3 -3
languages/wpdef-default.pot
CHANGED
@@ -6,9 +6,9 @@
|
|
6 |
#, fuzzy
|
7 |
msgid ""
|
8 |
msgstr ""
|
9 |
-
"Project-Id-Version: wp-defender 2.6.
|
10 |
"Report-Msgid-Bugs-To: \n"
|
11 |
-
"POT-Creation-Date: 2021-11-
|
12 |
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
|
13 |
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
|
14 |
"Language-Team: LANGUAGE <LL@li.org>\n"
|
@@ -1389,8 +1389,8 @@ msgstr ""
|
|
1389 |
#: src/component/backup-settings.php:1215 src/controller/audit-logging.php:509
|
1390 |
#: src/controller/audit-logging.php:533
|
1391 |
#: src/controller/blocklist-monitor.php:207
|
1392 |
-
#: src/controller/blocklist-monitor.php:221 src/controller/mask-login.php:
|
1393 |
-
#: src/controller/mask-login.php:
|
1394 |
#: src/controller/password-protection.php:280 src/controller/recaptcha.php:969
|
1395 |
#: src/controller/scan.php:596 src/controller/scan.php:628
|
1396 |
#: src/controller/security-headers.php:160 src/controller/two-factor.php:731
|
@@ -1494,8 +1494,8 @@ msgstr ""
|
|
1494 |
#: src/controller/audit-logging.php:524
|
1495 |
#: src/controller/blocklist-monitor.php:205
|
1496 |
#: src/controller/blocklist-monitor.php:221 src/controller/firewall.php:791
|
1497 |
-
#: src/controller/firewall.php:823 src/controller/mask-login.php:
|
1498 |
-
#: src/controller/mask-login.php:
|
1499 |
#: src/controller/password-protection.php:279 src/controller/recaptcha.php:969
|
1500 |
#: src/controller/scan.php:594 src/controller/scan.php:627
|
1501 |
#: src/controller/security-headers.php:160 src/controller/two-factor.php:731
|
@@ -2221,7 +2221,7 @@ msgstr ""
|
|
2221 |
|
2222 |
#: src/controller/audit-logging.php:375 src/controller/blacklist.php:127
|
2223 |
#: src/controller/firewall.php:147 src/controller/main-setting.php:97
|
2224 |
-
#: src/controller/mask-login.php:
|
2225 |
#: src/controller/password-reset.php:197 src/controller/scan.php:333
|
2226 |
#: src/controller/security-headers.php:77 src/controller/two-factor.php:532
|
2227 |
#: src/traits/setting.php:21
|
@@ -2505,19 +2505,19 @@ msgid ""
|
|
2505 |
"manually."
|
2506 |
msgstr ""
|
2507 |
|
2508 |
-
#: src/controller/mask-login.php:
|
2509 |
msgid ""
|
2510 |
"We've detected a conflict with Jetpack's Wordpress.com Log In feature. "
|
2511 |
"Please disable it and return to this page to continue setup."
|
2512 |
msgstr ""
|
2513 |
|
2514 |
-
#: src/controller/mask-login.php:
|
2515 |
msgid ""
|
2516 |
"We've detected a conflict with Theme my login. Please disable it and return "
|
2517 |
"to this page to continue setup."
|
2518 |
msgstr ""
|
2519 |
|
2520 |
-
#: src/controller/mask-login.php:
|
2521 |
msgid ""
|
2522 |
"This feature is forbidden temporarily for security reason. Try login again."
|
2523 |
msgstr ""
|
6 |
#, fuzzy
|
7 |
msgid ""
|
8 |
msgstr ""
|
9 |
+
"Project-Id-Version: wp-defender 2.6.4\n"
|
10 |
"Report-Msgid-Bugs-To: \n"
|
11 |
+
"POT-Creation-Date: 2021-11-15 08:47+0200\n"
|
12 |
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
|
13 |
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
|
14 |
"Language-Team: LANGUAGE <LL@li.org>\n"
|
1389 |
#: src/component/backup-settings.php:1215 src/controller/audit-logging.php:509
|
1390 |
#: src/controller/audit-logging.php:533
|
1391 |
#: src/controller/blocklist-monitor.php:207
|
1392 |
+
#: src/controller/blocklist-monitor.php:221 src/controller/mask-login.php:702
|
1393 |
+
#: src/controller/mask-login.php:715 src/controller/password-protection.php:265
|
1394 |
#: src/controller/password-protection.php:280 src/controller/recaptcha.php:969
|
1395 |
#: src/controller/scan.php:596 src/controller/scan.php:628
|
1396 |
#: src/controller/security-headers.php:160 src/controller/two-factor.php:731
|
1494 |
#: src/controller/audit-logging.php:524
|
1495 |
#: src/controller/blocklist-monitor.php:205
|
1496 |
#: src/controller/blocklist-monitor.php:221 src/controller/firewall.php:791
|
1497 |
+
#: src/controller/firewall.php:823 src/controller/mask-login.php:702
|
1498 |
+
#: src/controller/mask-login.php:715 src/controller/password-protection.php:265
|
1499 |
#: src/controller/password-protection.php:279 src/controller/recaptcha.php:969
|
1500 |
#: src/controller/scan.php:594 src/controller/scan.php:627
|
1501 |
#: src/controller/security-headers.php:160 src/controller/two-factor.php:731
|
2221 |
|
2222 |
#: src/controller/audit-logging.php:375 src/controller/blacklist.php:127
|
2223 |
#: src/controller/firewall.php:147 src/controller/main-setting.php:97
|
2224 |
+
#: src/controller/mask-login.php:268 src/controller/password-protection.php:215
|
2225 |
#: src/controller/password-reset.php:197 src/controller/scan.php:333
|
2226 |
#: src/controller/security-headers.php:77 src/controller/two-factor.php:532
|
2227 |
#: src/traits/setting.php:21
|
2505 |
"manually."
|
2506 |
msgstr ""
|
2507 |
|
2508 |
+
#: src/controller/mask-login.php:95 src/controller/two-factor.php:71
|
2509 |
msgid ""
|
2510 |
"We've detected a conflict with Jetpack's Wordpress.com Log In feature. "
|
2511 |
"Please disable it and return to this page to continue setup."
|
2512 |
msgstr ""
|
2513 |
|
2514 |
+
#: src/controller/mask-login.php:98 src/controller/two-factor.php:74
|
2515 |
msgid ""
|
2516 |
"We've detected a conflict with Theme my login. Please disable it and return "
|
2517 |
"to this page to continue setup."
|
2518 |
msgstr ""
|
2519 |
|
2520 |
+
#: src/controller/mask-login.php:363
|
2521 |
msgid ""
|
2522 |
"This feature is forbidden temporarily for security reason. Try login again."
|
2523 |
msgstr ""
|
readme.txt
CHANGED
@@ -1,13 +1,13 @@
|
|
1 |
=== Defender Security - Malware Scanner, Login Security & Firewall ===
|
2 |
Plugin Name: Defender Security - Malware Scanner, Login Security & Firewall
|
3 |
-
Version: 2.6.
|
4 |
Author: WPMU DEV
|
5 |
Author URI: https://wpmudev.com/
|
6 |
Contributors: WPMUDEV
|
7 |
Tags: security plugin, security, firewall, malware, malware scanner, antivirus, ip blocking, login security, brute force attacks, two-factor authentication, activity log, audit logs, block hackers, 2fa, hack
|
8 |
Requires at least: 5.2
|
9 |
-
Tested up to: 5.8.
|
10 |
-
Stable tag: 2.6.
|
11 |
Requires PHP: 5.6.20
|
12 |
License: GPL v2 - http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
|
13 |
|
@@ -240,6 +240,10 @@ Please open a new thread in Defender’s [support forum](https://wordpress.org/s
|
|
240 |
|
241 |
== Changelog ==
|
242 |
|
|
|
|
|
|
|
|
|
243 |
= 2.6.3 ( 2021-11-03 ) =
|
244 |
|
245 |
- Enhance: White labeling support
|
1 |
=== Defender Security - Malware Scanner, Login Security & Firewall ===
|
2 |
Plugin Name: Defender Security - Malware Scanner, Login Security & Firewall
|
3 |
+
Version: 2.6.4
|
4 |
Author: WPMU DEV
|
5 |
Author URI: https://wpmudev.com/
|
6 |
Contributors: WPMUDEV
|
7 |
Tags: security plugin, security, firewall, malware, malware scanner, antivirus, ip blocking, login security, brute force attacks, two-factor authentication, activity log, audit logs, block hackers, 2fa, hack
|
8 |
Requires at least: 5.2
|
9 |
+
Tested up to: 5.8.2
|
10 |
+
Stable tag: 2.6.4
|
11 |
Requires PHP: 5.6.20
|
12 |
License: GPL v2 - http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
|
13 |
|
240 |
|
241 |
== Changelog ==
|
242 |
|
243 |
+
= 2.6.4 ( 2021-11-15 ) =
|
244 |
+
|
245 |
+
- Fix: Allow admin-post.php on Mask Login Area
|
246 |
+
|
247 |
= 2.6.3 ( 2021-11-03 ) =
|
248 |
|
249 |
- Enhance: White labeling support
|
src/controller/mask-login.php
CHANGED
@@ -14,15 +14,15 @@ use WP_User;
|
|
14 |
|
15 |
/**
|
16 |
* This going to mask the login url & signup url and prevent directly access in those cases:
|
17 |
-
* 1. visit wp-login.php & signup.php or any url with those as suffix
|
18 |
-
* However, we will expose the mask url in
|
19 |
* 1. Every login & signup links on frontend, if normal user click on the link, they shouldn't get block
|
20 |
-
* 2. Every
|
21 |
*
|
22 |
* Instead of detect if the user logged in or not, we should have a hash of user id and salt for cookies,
|
23 |
-
* this way when user direct from other source like back from HUB or so, they
|
24 |
*
|
25 |
-
* The condition for trigger is when user visit the right mask login, then we will generate
|
26 |
*
|
27 |
* Class Mask_Login
|
28 |
* @package WP_Defender\Controller
|
@@ -31,7 +31,7 @@ class Mask_Login extends Controller2 {
|
|
31 |
use IO, Permission;
|
32 |
|
33 |
/**
|
34 |
-
* Use for cache
|
35 |
* @var \WP_Defender\Model\Setting\Mask_Login
|
36 |
*/
|
37 |
protected $model;
|
@@ -48,7 +48,7 @@ class Mask_Login extends Controller2 {
|
|
48 |
|
49 |
public function __construct() {
|
50 |
add_filter( 'wp_defender_advanced_tools_data', array( &$this, 'script_data' ) );
|
51 |
-
//
|
52 |
$this->model = wd_di()->get( \WP_Defender\Model\Setting\Mask_Login::class );
|
53 |
$this->service = wd_di()->get( \WP_Defender\Component\Mask_Login::class );
|
54 |
$this->register_routes();
|
@@ -59,23 +59,22 @@ class Mask_Login extends Controller2 {
|
|
59 |
$is_jetpack_sso = $auth_component->is_jetpack_sso();
|
60 |
$is_tml = $auth_component->is_tml();
|
61 |
if ( ! $is_jetpack_sso && ! $is_tml ) {
|
62 |
-
//
|
63 |
add_action( 'init', array( &$this, 'handle_login_request' ), 99 );
|
64 |
add_filter( 'wp_redirect', array( &$this, 'filter_wp_redirect' ), 10 );
|
65 |
-
//
|
66 |
add_filter( 'site_url', array( &$this, 'filter_site_url' ), 100, 2 );
|
67 |
add_filter( 'network_site_url', array( &$this, 'filter_site_url' ), 100, 2 );
|
68 |
-
//
|
69 |
add_filter( 'wp_mail', array( &$this, 'replace_login_url_in_email' ), 10 );
|
70 |
-
//
|
71 |
remove_action( 'template_redirect', 'wp_redirect_admin_locations' );
|
72 |
-
//
|
73 |
-
//email to match the new login URL
|
74 |
add_filter( 'update_welcome_email', array( &$this, 'update_welcome_email_prosite_case', 10, 6 ) );
|
75 |
-
//
|
76 |
add_filter( 'wp_new_user_notification_email', array( &$this, 'change_new_user_notification_email' ), 10, 3 );
|
77 |
add_filter( 'lostpassword_redirect', array( &$this, 'change_lostpassword_redirect' ), 10 );
|
78 |
-
//
|
79 |
add_filter( 'report_email_logs_link', array( &$this, 'update_report_logs_link', 10, 2 ) );
|
80 |
if ( class_exists( 'bbPress' ) ) {
|
81 |
add_filter( 'bbp_redirect_login', array( &$this, 'make_sure_wpadmin_after_login' ), 10, 3 );
|
@@ -88,7 +87,7 @@ class Mask_Login extends Controller2 {
|
|
88 |
}
|
89 |
add_filter( 'retrieve_password_message', array( &$this, 'flywheel_change_password_message' ), 10, 4 );
|
90 |
} else {
|
91 |
-
//
|
92 |
add_filter( 'retrieve_password_message', array( &$this, 'change_password_message' ), 10, 4 );
|
93 |
}
|
94 |
} else {
|
@@ -173,8 +172,8 @@ class Mask_Login extends Controller2 {
|
|
173 |
if ( $this->service->is_bot_request() ) {
|
174 |
return;
|
175 |
}
|
176 |
-
//
|
177 |
-
//to the 404 redirect, or 403 wp die.
|
178 |
$requested_path = $this->service->get_request_path();
|
179 |
$requested_path_without_slash = ltrim( $requested_path, '/' );
|
180 |
if ( ! $requested_path_without_slash ) {
|
@@ -182,22 +181,31 @@ class Mask_Login extends Controller2 {
|
|
182 |
}
|
183 |
|
184 |
if ( '/' . ltrim( $this->get_model()->mask_url, '/' ) === $requested_path ) {
|
185 |
-
//
|
186 |
return $this->show_login_page();
|
187 |
}
|
188 |
-
|
189 |
-
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
190 |
return;
|
191 |
}
|
192 |
|
193 |
// If user is not logged in but login cookie is set.
|
194 |
-
if (
|
195 |
$user_id = wp_validate_auth_cookie( $_COOKIE[ LOGGED_IN_COOKIE ], 'logged_in' );
|
196 |
|
197 |
if ( $user_id ) {
|
198 |
// Cookie is valid so login the user.
|
199 |
wp_set_current_user( $user_id );
|
200 |
-
|
201 |
// Return from here because of valid user found.
|
202 |
return;
|
203 |
}
|
@@ -205,36 +213,39 @@ class Mask_Login extends Controller2 {
|
|
205 |
|
206 |
$ticket = HTTP::get( 'ticket', false );
|
207 |
if ( false !== $ticket && $this->service->redeem_ticket( $ticket ) ) {
|
208 |
-
//
|
209 |
return;
|
210 |
}
|
211 |
|
212 |
-
//
|
213 |
if ( $this->service->is_land_on_masked_url( $this->model->mask_url ) ) {
|
214 |
return $this->show_login_page();
|
215 |
}
|
216 |
|
217 |
-
//
|
218 |
$is_multisite = is_multisite();
|
219 |
if (
|
220 |
$is_multisite
|
221 |
&& false !== strpos( parse_url( $requested_path, PHP_URL_QUERY ), 'network_admin_hash' )
|
222 |
) {
|
223 |
-
$logs_url = add_query_arg(
|
|
|
|
|
|
|
|
|
224 |
wp_safe_redirect( $logs_url );
|
225 |
die;
|
226 |
}
|
227 |
-
|
228 |
/**
|
229 |
* Block if it's:
|
230 |
-
* 1) no MU but there is an attempt to load the 'wp-signup.php' page
|
231 |
-
* 2) from the list of forbidden slugs
|
232 |
*/
|
233 |
if (
|
234 |
( ! $is_multisite && 'wp-signup.php' === $requested_path_without_slash )
|
235 |
|| $this->service->is_on_login_page( $requested_path_without_slash )
|
236 |
) {
|
237 |
-
//
|
238 |
return $this->maybe_lock();
|
239 |
}
|
240 |
}
|
@@ -303,18 +314,18 @@ class Mask_Login extends Controller2 {
|
|
303 |
}
|
304 |
|
305 |
if ( is_user_logged_in() && false === stripos( $current_url, 'wp-login.php' ) ) {
|
306 |
-
//
|
307 |
return $current_url;
|
308 |
}
|
309 |
|
310 |
if ( false !== stripos( $current_url, 'wp-login.php' ) ) {
|
311 |
-
//
|
312 |
$query = parse_url( $current_url, PHP_URL_QUERY );
|
313 |
parse_str( $query, $params );
|
314 |
|
315 |
return add_query_arg( $params, $this->get_model()->get_new_login_url( $this->get_site_url() ) );
|
316 |
} else {
|
317 |
-
//
|
318 |
if ( ! function_exists( 'get_current_screen' ) ) {
|
319 |
require_once( ABSPATH . 'wp-admin/includes/screen.php' );
|
320 |
}
|
@@ -324,7 +335,7 @@ class Mask_Login extends Controller2 {
|
|
324 |
return $current_url;
|
325 |
}
|
326 |
if ( 'sites-network' === $screen->id ) {
|
327 |
-
//
|
328 |
$requested_path = $this->service->get_request_path( $current_url );
|
329 |
if ( '/wp-admin' === $requested_path ) {
|
330 |
$current_domain = $_SERVER['HTTP_HOST'];
|
@@ -360,7 +371,7 @@ class Mask_Login extends Controller2 {
|
|
360 |
if ( false === $lp ) {
|
361 |
wp_die( esc_html( $forbidden_message ) );
|
362 |
}
|
363 |
-
// If the URL is without scheme, e.g. example.com, then add 'http' protocol at the beginning of the URL
|
364 |
if ( ! isset( $lp['scheme'] ) && isset( $lp['path'] ) ) {
|
365 |
$redirect_url = 'http://' . untrailingslashit( $redirect_url );
|
366 |
}
|
@@ -388,6 +399,7 @@ class Mask_Login extends Controller2 {
|
|
388 |
|
389 |
/**
|
390 |
* Safe way to get cached model.
|
|
|
391 |
* @return \WP_Defender\Model\Setting\Mask_Login
|
392 |
*/
|
393 |
private function get_model() {
|
@@ -532,7 +544,7 @@ class Mask_Login extends Controller2 {
|
|
532 |
* @param $title
|
533 |
* @param $meta
|
534 |
*
|
535 |
-
* @return
|
536 |
*/
|
537 |
public function update_welcome_email_prosite_case( $welcome_email, $blog_id, $user_id, $password, $title, $meta ) {
|
538 |
$url = get_blogaddress_by_id( $blog_id );
|
@@ -657,7 +669,7 @@ class Mask_Login extends Controller2 {
|
|
657 |
return;
|
658 |
}
|
659 |
|
660 |
-
//
|
661 |
if ( ! isset( $_GET['newuseremail'] ) ) {
|
662 |
return;
|
663 |
}
|
@@ -669,7 +681,7 @@ class Mask_Login extends Controller2 {
|
|
669 |
$wpdb->prepare( "SELECT meta_key FROM {$wpdb->usermeta} WHERE meta_value LIKE %s", $like )
|
670 |
);
|
671 |
|
672 |
-
// Hash
|
673 |
if ( '_new_email' !== $meta_key ) {
|
674 |
return;
|
675 |
}
|
@@ -747,4 +759,27 @@ class Mask_Login extends Controller2 {
|
|
747 |
}
|
748 |
}
|
749 |
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
750 |
}
|
14 |
|
15 |
/**
|
16 |
* This going to mask the login url & signup url and prevent directly access in those cases:
|
17 |
+
* 1. visit wp-login.php & signup.php or any url with those as suffix.
|
18 |
+
* However, we will expose the mask url in:
|
19 |
* 1. Every login & signup links on frontend, if normal user click on the link, they shouldn't get block
|
20 |
+
* 2. Every email sends from WP which contains the login URL, should not get block.
|
21 |
*
|
22 |
* Instead of detect if the user logged in or not, we should have a hash of user id and salt for cookies,
|
23 |
+
* this way when user direct from other source like back from HUB or so, they won't get lockout.
|
24 |
*
|
25 |
+
* The condition for trigger is when user visit the right mask login, then we will generate.
|
26 |
*
|
27 |
* Class Mask_Login
|
28 |
* @package WP_Defender\Controller
|
31 |
use IO, Permission;
|
32 |
|
33 |
/**
|
34 |
+
* Use for cache.
|
35 |
* @var \WP_Defender\Model\Setting\Mask_Login
|
36 |
*/
|
37 |
protected $model;
|
48 |
|
49 |
public function __construct() {
|
50 |
add_filter( 'wp_defender_advanced_tools_data', array( &$this, 'script_data' ) );
|
51 |
+
// Internal cache, so we don't need to query many times.
|
52 |
$this->model = wd_di()->get( \WP_Defender\Model\Setting\Mask_Login::class );
|
53 |
$this->service = wd_di()->get( \WP_Defender\Component\Mask_Login::class );
|
54 |
$this->register_routes();
|
59 |
$is_jetpack_sso = $auth_component->is_jetpack_sso();
|
60 |
$is_tml = $auth_component->is_tml();
|
61 |
if ( ! $is_jetpack_sso && ! $is_tml ) {
|
62 |
+
// Monitor wp-admin, wp-login.php.
|
63 |
add_action( 'init', array( &$this, 'handle_login_request' ), 99 );
|
64 |
add_filter( 'wp_redirect', array( &$this, 'filter_wp_redirect' ), 10 );
|
65 |
+
// Filter site_url & network_site_url so people won't get block screen.
|
66 |
add_filter( 'site_url', array( &$this, 'filter_site_url' ), 100, 2 );
|
67 |
add_filter( 'network_site_url', array( &$this, 'filter_site_url' ), 100, 2 );
|
68 |
+
// If this is enabled, then we should filter all the email links.
|
69 |
add_filter( 'wp_mail', array( &$this, 'replace_login_url_in_email' ), 10 );
|
70 |
+
// For prevent admin redirect.
|
71 |
remove_action( 'template_redirect', 'wp_redirect_admin_locations' );
|
72 |
+
// If Pro site is activated and user email is not defined, we need to update the email to match the new login URL.
|
|
|
73 |
add_filter( 'update_welcome_email', array( &$this, 'update_welcome_email_prosite_case', 10, 6 ) );
|
74 |
+
// Change password link for new user.
|
75 |
add_filter( 'wp_new_user_notification_email', array( &$this, 'change_new_user_notification_email' ), 10, 3 );
|
76 |
add_filter( 'lostpassword_redirect', array( &$this, 'change_lostpassword_redirect' ), 10 );
|
77 |
+
// Log links in email.
|
78 |
add_filter( 'report_email_logs_link', array( &$this, 'update_report_logs_link', 10, 2 ) );
|
79 |
if ( class_exists( 'bbPress' ) ) {
|
80 |
add_filter( 'bbp_redirect_login', array( &$this, 'make_sure_wpadmin_after_login' ), 10, 3 );
|
87 |
}
|
88 |
add_filter( 'retrieve_password_message', array( &$this, 'flywheel_change_password_message' ), 10, 4 );
|
89 |
} else {
|
90 |
+
// Change password link for exist user.
|
91 |
add_filter( 'retrieve_password_message', array( &$this, 'change_password_message' ), 10, 4 );
|
92 |
}
|
93 |
} else {
|
172 |
if ( $this->service->is_bot_request() ) {
|
173 |
return;
|
174 |
}
|
175 |
+
// Need to check if the current request is for signup, login.
|
176 |
+
// If it is not the slug, then we redirect to the 404 redirect, or 403 wp die.
|
177 |
$requested_path = $this->service->get_request_path();
|
178 |
$requested_path_without_slash = ltrim( $requested_path, '/' );
|
179 |
if ( ! $requested_path_without_slash ) {
|
181 |
}
|
182 |
|
183 |
if ( '/' . ltrim( $this->get_model()->mask_url, '/' ) === $requested_path ) {
|
184 |
+
// We need to redirect this one to wp-login and open it.
|
185 |
return $this->show_login_page();
|
186 |
}
|
187 |
+
/**
|
188 |
+
* Allowed if:
|
189 |
+
* it's AJAX,
|
190 |
+
* the user is logged in,
|
191 |
+
* it's an admin post request.
|
192 |
+
*/
|
193 |
+
if (
|
194 |
+
defined( 'DOING_AJAX' )
|
195 |
+
|| is_user_logged_in()
|
196 |
+
|| $this->is_allowed_path( $requested_path_without_slash )
|
197 |
+
) {
|
198 |
+
// Do nothing.
|
199 |
return;
|
200 |
}
|
201 |
|
202 |
// If user is not logged in but login cookie is set.
|
203 |
+
if ( isset( $_COOKIE[ LOGGED_IN_COOKIE ] ) && ! is_user_logged_in() ) {
|
204 |
$user_id = wp_validate_auth_cookie( $_COOKIE[ LOGGED_IN_COOKIE ], 'logged_in' );
|
205 |
|
206 |
if ( $user_id ) {
|
207 |
// Cookie is valid so login the user.
|
208 |
wp_set_current_user( $user_id );
|
|
|
209 |
// Return from here because of valid user found.
|
210 |
return;
|
211 |
}
|
213 |
|
214 |
$ticket = HTTP::get( 'ticket', false );
|
215 |
if ( false !== $ticket && $this->service->redeem_ticket( $ticket ) ) {
|
216 |
+
// Allow to pass.
|
217 |
return;
|
218 |
}
|
219 |
|
220 |
+
// If current is same then we show the login screen.
|
221 |
if ( $this->service->is_land_on_masked_url( $this->model->mask_url ) ) {
|
222 |
return $this->show_login_page();
|
223 |
}
|
224 |
|
225 |
+
// If it's the verification link to change Network Admin Email.
|
226 |
$is_multisite = is_multisite();
|
227 |
if (
|
228 |
$is_multisite
|
229 |
&& false !== strpos( parse_url( $requested_path, PHP_URL_QUERY ), 'network_admin_hash' )
|
230 |
) {
|
231 |
+
$logs_url = add_query_arg(
|
232 |
+
'redirect_to',
|
233 |
+
urlencode( $requested_path ),
|
234 |
+
$this->get_model()->get_new_login_url()
|
235 |
+
);
|
236 |
wp_safe_redirect( $logs_url );
|
237 |
die;
|
238 |
}
|
|
|
239 |
/**
|
240 |
* Block if it's:
|
241 |
+
* 1) no MU but there is an attempt to load the 'wp-signup.php' page,
|
242 |
+
* 2) from the list of forbidden slugs.
|
243 |
*/
|
244 |
if (
|
245 |
( ! $is_multisite && 'wp-signup.php' === $requested_path_without_slash )
|
246 |
|| $this->service->is_on_login_page( $requested_path_without_slash )
|
247 |
) {
|
248 |
+
// If they are here and the flow getting here, then just lock.
|
249 |
return $this->maybe_lock();
|
250 |
}
|
251 |
}
|
314 |
}
|
315 |
|
316 |
if ( is_user_logged_in() && false === stripos( $current_url, 'wp-login.php' ) ) {
|
317 |
+
// Do nothing.
|
318 |
return $current_url;
|
319 |
}
|
320 |
|
321 |
if ( false !== stripos( $current_url, 'wp-login.php' ) ) {
|
322 |
+
// This is URL go to old wp-login.php.
|
323 |
$query = parse_url( $current_url, PHP_URL_QUERY );
|
324 |
parse_str( $query, $params );
|
325 |
|
326 |
return add_query_arg( $params, $this->get_model()->get_new_login_url( $this->get_site_url() ) );
|
327 |
} else {
|
328 |
+
// This case when admin map a domain into subsite, we need to update the new domain/masked-login into the list.
|
329 |
if ( ! function_exists( 'get_current_screen' ) ) {
|
330 |
require_once( ABSPATH . 'wp-admin/includes/screen.php' );
|
331 |
}
|
335 |
return $current_url;
|
336 |
}
|
337 |
if ( 'sites-network' === $screen->id ) {
|
338 |
+
// Case URLs inside sites list, need to check those with custom domain cause when it's redirect, it will require re-login.
|
339 |
$requested_path = $this->service->get_request_path( $current_url );
|
340 |
if ( '/wp-admin' === $requested_path ) {
|
341 |
$current_domain = $_SERVER['HTTP_HOST'];
|
371 |
if ( false === $lp ) {
|
372 |
wp_die( esc_html( $forbidden_message ) );
|
373 |
}
|
374 |
+
// If the URL is without scheme, e.g. example.com, then add 'http' protocol at the beginning of the URL.
|
375 |
if ( ! isset( $lp['scheme'] ) && isset( $lp['path'] ) ) {
|
376 |
$redirect_url = 'http://' . untrailingslashit( $redirect_url );
|
377 |
}
|
399 |
|
400 |
/**
|
401 |
* Safe way to get cached model.
|
402 |
+
*
|
403 |
* @return \WP_Defender\Model\Setting\Mask_Login
|
404 |
*/
|
405 |
private function get_model() {
|
544 |
* @param $title
|
545 |
* @param $meta
|
546 |
*
|
547 |
+
* @return string
|
548 |
*/
|
549 |
public function update_welcome_email_prosite_case( $welcome_email, $blog_id, $user_id, $password, $title, $meta ) {
|
550 |
$url = get_blogaddress_by_id( $blog_id );
|
669 |
return;
|
670 |
}
|
671 |
|
672 |
+
// If query data is not set.
|
673 |
if ( ! isset( $_GET['newuseremail'] ) ) {
|
674 |
return;
|
675 |
}
|
681 |
$wpdb->prepare( "SELECT meta_key FROM {$wpdb->usermeta} WHERE meta_value LIKE %s", $like )
|
682 |
);
|
683 |
|
684 |
+
// Hash not found.
|
685 |
if ( '_new_email' !== $meta_key ) {
|
686 |
return;
|
687 |
}
|
759 |
}
|
760 |
}
|
761 |
}
|
762 |
+
|
763 |
+
/**
|
764 |
+
* Check if a path is allowed without login masking.
|
765 |
+
*
|
766 |
+
* @param string $path Path to check.
|
767 |
+
*
|
768 |
+
* @since 2.6.4
|
769 |
+
* @return bool
|
770 |
+
*/
|
771 |
+
private function is_allowed_path( $path ) {
|
772 |
+
// Admin post requests to admin-post.php should be allowed.
|
773 |
+
$allowed = 'wp-admin/admin-post.php' === $path && isset( $_REQUEST['action'] ); // phpcs:ignore
|
774 |
+
|
775 |
+
/**
|
776 |
+
* Filter to allow whitelisting paths from login masking.
|
777 |
+
*
|
778 |
+
* @param bool $allowed Is current path allowed?.
|
779 |
+
* @param string $path Path to check.
|
780 |
+
*
|
781 |
+
* @since 2.6.4
|
782 |
+
*/
|
783 |
+
return apply_filters( 'wd_mask_login_is_allowed_path', $allowed, $path );
|
784 |
+
}
|
785 |
}
|
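Review bot: `is_allowed_path()` is documented `@return bool` but hands back the raw result of `apply_filters( 'wd_mask_login_is_allowed_path', $allowed, $path )`, and that value feeds the `||` in `handle_login_request()` that decides whether login masking is skipped for the request, so any truthy non-bool a filter callback returns whitelists the path. Coerce it, `return (bool) apply_filters( 'wd_mask_login_is_allowed_path', $allowed, $path );`, and consider tightening the built-in rule to `'wp-admin/admin-post.php' === $path && ! empty( $_REQUEST['action'] )` so a bare `action=` is not enough to bypass the mask. In the same guard, `defined( 'DOING_AJAX' )` only tests that the constant exists, not its value; `wp_doing_ajax()` is the core idiom, though that line may predate this commit since the removed lines 188–189 are blank in this rendering. `handle_login_request()` begins outside the hunk.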
src/controller/recaptcha.php
CHANGED
@@ -436,7 +436,7 @@ class Recaptcha extends \WP_Defender\Controller2 {
|
|
436 |
return $user;
|
437 |
}
|
438 |
|
439 |
-
if (
|
440 |
return $user;
|
441 |
}
|
442 |
|
436 |
return $user;
|
437 |
}
|
438 |
|
439 |
+
if ( ! isset( $_POST['g-recaptcha-response'] ) ) {
|
440 |
return $user;
|
441 |
}
|
442 |
|
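Review bot: The new guard on line 439 returns `$user` unchanged when `g-recaptcha-response` is absent from the request, which makes the captcha fail open if `$user` can already be an authenticated user at this point; the enclosing function starts before the hunk, so whether an earlier condition restricts this path to forms that always carry the field cannot be confirmed here. If it does not, returning a `WP_Error` for the missing field keeps the captcha mandatory rather than optional, and either way a one-line comment stating why an absent token is treated as a pass would help the next reader.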
wp-defender.php
CHANGED
@@ -2,7 +2,7 @@
|
|
2 |
/**
|
3 |
* Plugin Name: Defender
|
4 |
* Plugin URI: https://wpmudev.com/project/wp-defender/
|
5 |
-
* Version: 2.6.
|
6 |
* Description: Get regular security scans, vulnerability reports, safety recommendations and customized hardening for your site in just a few clicks. Defender is the analyst and enforcer who never sleeps.
|
7 |
* Author: WPMU DEV
|
8 |
* Author URI: https://wpmudev.com/
|
@@ -15,10 +15,10 @@ if ( ! defined( 'ABSPATH' ) ) {
|
|
15 |
die;
|
16 |
}
|
17 |
if ( ! defined( 'DEFENDER_VERSION' ) ) {
|
18 |
-
define( 'DEFENDER_VERSION', '2.6.
|
19 |
}
|
20 |
if ( ! defined( 'DEFENDER_DB_VERSION' ) ) {
|
21 |
-
define( 'DEFENDER_DB_VERSION', '2.6.
|
22 |
}
|
23 |
if ( ! defined( 'DEFENDER_SUI' ) ) {
|
24 |
define( 'DEFENDER_SUI', '2-11-1' );
|
2 |
/**
|
3 |
* Plugin Name: Defender
|
4 |
* Plugin URI: https://wpmudev.com/project/wp-defender/
|
5 |
+
* Version: 2.6.4
|
6 |
* Description: Get regular security scans, vulnerability reports, safety recommendations and customized hardening for your site in just a few clicks. Defender is the analyst and enforcer who never sleeps.
|
7 |
* Author: WPMU DEV
|
8 |
* Author URI: https://wpmudev.com/
|
15 |
die;
|
16 |
}
|
17 |
if ( ! defined( 'DEFENDER_VERSION' ) ) {
|
18 |
+
define( 'DEFENDER_VERSION', '2.6.4' );
|
19 |
}
|
20 |
if ( ! defined( 'DEFENDER_DB_VERSION' ) ) {
|
21 |
+
define( 'DEFENDER_DB_VERSION', '2.6.4' );
|
22 |
}
|
23 |
if ( ! defined( 'DEFENDER_SUI' ) ) {
|
24 |
define( 'DEFENDER_SUI', '2-11-1' );
|