Version Description
- Initial release
Release Info
Developer | sean212
Plugin | Lockdown WP Admin
Version | 1.0
Comparing to | (none: initial release)
Version 1.0
- admin-private-users.php +67 -0
- admin.php +39 -0
- lockdown-wp-admin.php +473 -0
- no-wpmu.php +111 -0
- readme.txt +44 -0
admin-private-users.php
ADDED
@@ -0,0 +1,67 @@
1 |
+
<div class="wrap">
|
2 |
+
<div id="icon-options-general" class="icon32"></div><h2>HTTP Authentication Private Users</h2>
|
3 |
+
|
4 |
+
<?php
|
5 |
+
// Did we update?
|
6 |
+
if ( isset( $_GET['updated'] ) ) { ?>
|
7 |
+
<div class="updated fade"><p>Updated!</p></div>
|
8 |
+
<?php }
|
9 |
+
|
10 |
+
// Error message?
|
11 |
+
if ( isset( $_GET['error'] ) && $_GET['error'] == 'delete-self') { ?>
|
12 |
+
<div class="error fade"><p>You can't delete yourself!</p></div>
|
13 |
+
<?php } ?>
|
14 |
+
|
15 |
+
<form method="POST" action="<?php echo admin_url('admin.php?page=lockdown-private-users'); ?>"> <p>Adding users below will <em>only</em> work if you have "Private Usernames/Passwords" selected for HTTP Authentication.</p>
|
16 |
+
|
17 |
+
<p><strong>Please note a few things:</strong>
|
18 |
+
<ul>
|
19 |
+
<li>1. If you are ever locked out, you can just delete the plugin files via FTP (<code>/wp-content/plugins/lockdown-wp-admin/</code>) and you will be able to login again.</li>
|
20 |
+
<li>2. You cannot delete the current HTTP Authentication username you are using right now.</li>
|
21 |
+
|
22 |
+
<li>3. Private user HTTP Authentication will not work if you don't have a username added below.</li>
|
23 |
+
</ul>
|
24 |
+
</p>
|
25 |
+
|
26 |
+
<table class="widefat">
|
27 |
+
<thead>
|
28 |
+
<tr>
|
29 |
+
<th>Username</th>
|
30 |
+
<th>Action</th>
|
31 |
+
|
32 |
+
</tr>
|
33 |
+
</thead>
|
34 |
+
|
35 |
+
<tfoot>
|
36 |
+
|
37 |
+
<tr>
|
38 |
+
<th>Username</th>
|
39 |
+
<th>Action</th>
|
40 |
+
</tr>
|
41 |
+
|
42 |
+
</tfoot>
|
43 |
+
<tbody>
|
44 |
+
<?php if ( isset( $private_users ) && count( $private_users ) > 0 ) : ?>
|
45 |
+
<?php foreach( $private_users as $key => $user ) { ?>
|
46 |
+
<tr>
|
47 |
+
<td><?php echo $user['user']; ?></td>
|
48 |
+
<td><a href="admin.php?page=<?php echo $_GET['page']; ?>&delete=<?php echo $key; ?>&hash=<?php echo wp_hash(get_current_user_id()); ?>">Delete</a></td>
|
49 |
+
</tr><?php } endif; ?>
|
50 |
+
</tbody>
|
51 |
+
</table>
|
52 |
+
|
53 |
+
<h4>Add a Private User</h4>
|
54 |
+
<p>To add a user, fill out the username and password below and click "Save Options" below.</p>
|
55 |
+
<label><input type="text" name="private_username" /> New Username</label><br />
|
56 |
+
<label><input type="password" name="private_password" /> New Password</label>
|
57 |
+
|
58 |
+
<div class="clear"></div><br />
|
59 |
+
|
60 |
+
|
61 |
+
<input type="hidden" name="did_update" value="yes_we_did">
|
62 |
+
|
63 |
+
<input class='button-primary' type='submit' name='Save' value='<?php _e('Save Options'); ?>' id='submitbutton' />
|
64 |
+
|
65 |
+
|
66 |
+
</form>
|
67 |
+
</div>
|
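Review bot: the add-user form (lines 15 to 66) carries no nonce, and the delete link on line 48 uses `wp_hash(get_current_user_id())` as its only token, a value that is the same for the life of the site for a given user ID and so never expires; emit `wp_nonce_field('ld_private_users')` inside the form and build the link with `wp_nonce_url(...)` so that `update_users()` can verify it with `check_admin_referer()`. On the same line `$_GET['page']` is written into the href unescaped; the slug is already fixed (`lockdown-private-users`, the value hard-coded into the form action on line 15), so use that constant directly or wrap it in `esc_attr()`, and wrap `$user['user']` on line 47 in `esc_html()`, because `sanitize_user()` without `$strict` does not guarantee HTML-safe output. Minor: the `<ul>` on lines 18 to 23 is nested inside a `<p>`, which is not valid HTML, and the literal `1.`/`2.`/`3.` prefixes duplicate the list markup.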
admin.php
ADDED
@@ -0,0 +1,39 @@
1 |
+
<div class="wrap">
|
2 |
+
<div id="icon-options-general" class="icon32"></div><h2>Lockdown WordPress Admin</h2>
|
3 |
+
|
4 |
+
<?php if ( isset( $_GET['updated'] ) ) { ?>
|
5 |
+
<div class="updated fade"><p>Options updated!</p></div>
|
6 |
+
<?php } ?>
|
7 |
+
|
8 |
+
<p>We are going to help make WordPress a bit more secure.</p>
|
9 |
+
<form method="POST" action="<?php echo $_SERVER['REQUEST_URI']; ?>">
|
10 |
+
|
11 |
+
<h3>Hide WP Admin</h3>
|
12 |
+
<p>We can "hide" WordPress's administration interface from the public. If you enable this, when you access <code><?php echo admin_url(); ?></code> when you <strong>aren't</strong> logged in, you will recieve a <a href="http://en.wikipedia.org/wiki/HTTP_404">404 error page</a> instead of redirecting to the login page.</p>
|
13 |
+
|
14 |
+
<label><input type="checkbox" name="hide_wp_admin" value="yep" <?php if ( get_option('ld_hide_wp_admin') === 'yep' ) { ?> checked <?php } ?>> Yes, please hide WP Admin from the user when they aren't logged in.</label>
|
15 |
+
|
16 |
+
<h3>HTTP Authentication</h3>
|
17 |
+
<p>Please read about HTTP Authentication on <a href="http://en.wikipedia.org/wiki/Basic_access_authentication">http://en.wikipedia.org/wiki/Basic_access_authentication</a>.</p>
|
18 |
+
|
19 |
+
<?php $http_auth_type = get_option('ld_http_auth'); ?>
|
20 |
+
<label><input name="http_auth" type="radio" value="none" <?php if ( $http_auth_type === '' || $http_auth_type === 'none' || !$http_auth_type ) { ?>checked<?php } ?>> Disable HTTP Auth.</label>
|
21 |
+
<div class="clear"></div>
|
22 |
+
<label><input type="radio" name="http_auth" <?php if ( $http_auth_type === 'wp_creds' ) { ?>checked<?php } ?> value="wp_creds"> WordPress Login Credentials</label>
|
23 |
+
<div class="clear"></div>
|
24 |
+
<label><input type="radio" name="http_auth" <?php if ( $http_auth_type === 'private' ) { ?>checked<?php } ?> value="private"> Private Usernames/Passwords</label>
|
25 |
+
<div class="clear"></div>
|
26 |
+
|
27 |
+
<br>
|
28 |
+
|
29 |
+
|
30 |
+
|
31 |
+
|
32 |
+
<input type="hidden" name="did_update" value="yes_we_did">
|
33 |
+
|
34 |
+
<input class='button-primary' type='submit' name='Save' value='<?php _e('Save Options'); ?>' id='submitbutton' />
|
35 |
+
|
36 |
+
|
37 |
+
</form>
|
38 |
+
|
39 |
+
</div>
|
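Review bot: the form action on line 9 echoes `$_SERVER['REQUEST_URI']` unescaped, so anything appended to the settings URL lands inside the `action` attribute; use `esc_url( admin_url('admin.php?page=lockdown-wp-admin') )`, which is how admin-private-users.php already builds its action. The form also has no nonce field to pair with a `check_admin_referer()` call in `update_options()`. Wording: line 12 reads "recieve", and the hidden-admin text could say that `wp-login.php` is unaffected, since only requests for which `is_admin()` is true are checked. The condition on line 20 (`$http_auth_type === '' || $http_auth_type === 'none' || !$http_auth_type`) reduces to `!$http_auth_type || $http_auth_type === 'none'`.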
lockdown-wp-admin.php
ADDED
@@ -0,0 +1,473 @@
1 |
+
<?php
|
2 |
+
/*
|
3 |
+
Plugin Name: Lockdown WordPress Admin
|
4 |
+
Plugin URI: http://talkingwithsean.com/lockdown/
|
5 |
+
Description: Securing the WordPress Administration interface.
|
6 |
+
Version: 1.0
|
7 |
+
Author: Sean Fisher
|
8 |
+
Author URI: http://talkingwithsean.com/
|
9 |
+
License: GPL v3
|
10 |
+
*/
|
11 |
+
|
12 |
+
// This file name
|
13 |
+
define('LD_FILE_NAME', __FILE__ );
|
14 |
+
|
15 |
+
/**
|
16 |
+
* This is the plugin that will add security to our site
|
17 |
+
*
|
18 |
+
* @author Sean Fisher <me@tlksean.me>
|
19 |
+
* @version 1.0
|
20 |
+
* @license GPL v3
|
21 |
+
**/
|
22 |
+
class WP_LockAuth {
|
23 |
+
/**
|
24 |
+
* The HTTP Auth name for the protected area
|
25 |
+
*
|
26 |
+
* @access public
|
27 |
+
**/
|
28 |
+
public $relm = "Secure Area";
|
29 |
+
|
30 |
+
private $current_user = FALSE;
|
31 |
+
|
32 |
+
function WP_LockAuth()
|
33 |
+
{
|
34 |
+
require_once( dirname( __FILE__ ) .'/no-wpmu.php' );
|
35 |
+
|
36 |
+
add_action('admin_menu', array( &$this, 'add_admin_menu'));
|
37 |
+
|
38 |
+
$this->setup_hide_admin();
|
39 |
+
|
40 |
+
// Update options
|
41 |
+
$this->update_options();
|
42 |
+
$this->update_users();
|
43 |
+
|
44 |
+
}
|
45 |
+
|
46 |
+
/**
|
47 |
+
* Update the users
|
48 |
+
*
|
49 |
+
* @access private
|
50 |
+
**/
|
51 |
+
function update_users()
|
52 |
+
{
|
53 |
+
if ( !isset( $_GET['page'] ) )
|
54 |
+
return;
|
55 |
+
|
56 |
+
if ( $_GET['page'] !== 'lockdown-private-users' )
|
57 |
+
return;
|
58 |
+
|
59 |
+
// Add a user
|
60 |
+
if ( isset( $_POST['private_username'] ) && isset( $_POST['private_password'] ) )
|
61 |
+
{
|
62 |
+
if ( $_POST['private_username'] !== '' && $_POST['private_password'] !== '' )
|
63 |
+
{
|
64 |
+
// Adding a user.
|
65 |
+
$users = $this->get_private_users();
|
66 |
+
$add['user'] = sanitize_user( $_POST['private_username'] );
|
67 |
+
$add['pass'] = trim( md5( $_POST['private_password'] ) );
|
68 |
+
|
69 |
+
$users[] = $add;
|
70 |
+
|
71 |
+
update_option('ld_private_users', $users);
|
72 |
+
|
73 |
+
wp_redirect( admin_url('admin.php?page=lockdown-private-users&updated=true'));
|
74 |
+
return;
|
75 |
+
}
|
76 |
+
}
|
77 |
+
|
78 |
+
// Deleting a user.
|
79 |
+
if ( isset( $_GET['delete'] ) && isset( $_GET['hash'] ) )
|
80 |
+
{
|
81 |
+
// Check hash
|
82 |
+
if ( $_GET['hash'] !== wp_hash(get_current_user_id()) )
|
83 |
+
return;
|
84 |
+
|
85 |
+
// Delete the user.
|
86 |
+
unset( $users );
|
87 |
+
$users = $this->get_private_users();
|
88 |
+
$to_delete = (int) $_GET['delete'];
|
89 |
+
|
90 |
+
if ( count( $users ) > 0 )
|
91 |
+
{
|
92 |
+
foreach( $users as $key => $val )
|
93 |
+
{
|
94 |
+
if ( $key === $to_delete ) :
|
95 |
+
if( $this->current_user !== '' && $to_delete === $this->current_user )
|
96 |
+
{
|
97 |
+
// They can't delete themselves!
|
98 |
+
wp_redirect( admin_url('admin.php?page=lockdown-private-users&error=delete-self'));
|
99 |
+
return;
|
100 |
+
}
|
101 |
+
|
102 |
+
unset( $users[$key] );
|
103 |
+
endif;
|
104 |
+
}
|
105 |
+
}
|
106 |
+
|
107 |
+
update_option('ld_private_users', $users);
|
108 |
+
|
109 |
+
wp_redirect( admin_url('admin.php?page=lockdown-private-users&updated=true'));
|
110 |
+
return;
|
111 |
+
}
|
112 |
+
}
|
113 |
+
|
114 |
+
/**
|
115 |
+
* Update the options
|
116 |
+
*
|
117 |
+
* @access private
|
118 |
+
**/
|
119 |
+
function update_options()
|
120 |
+
{
|
121 |
+
if ( !isset( $_GET['page'] ) )
|
122 |
+
return;
|
123 |
+
|
124 |
+
if ( $_GET['page'] !== 'lockdown-wp-admin' )
|
125 |
+
return;
|
126 |
+
|
127 |
+
if ( !isset( $_POST['did_update'] ) )
|
128 |
+
return;
|
129 |
+
|
130 |
+
// They're updating.
|
131 |
+
if ( isset( $_POST['http_auth'] ) )
|
132 |
+
update_option('ld_http_auth', trim( strtolower( $_POST['http_auth'] ) ) );
|
133 |
+
else
|
134 |
+
update_option('ld_http_auth', 'none' );
|
135 |
+
|
136 |
+
if ( !isset( $_POST['hide_wp_admin'] ) )
|
137 |
+
{
|
138 |
+
update_option('ld_hide_wp_admin', 'nope');
|
139 |
+
}
|
140 |
+
else
|
141 |
+
{
|
142 |
+
if ( $_POST['hide_wp_admin'] === 'yep' )
|
143 |
+
update_option('ld_hide_wp_admin', 'yep');
|
144 |
+
else
|
145 |
+
update_option('ld_hide_wp_admin', 'nope');
|
146 |
+
}
|
147 |
+
|
148 |
+
// Redirect
|
149 |
+
wp_redirect( admin_url( 'plugins.php?page=lockdown-wp-admin&updated=true' ) );
|
150 |
+
return;
|
151 |
+
}
|
152 |
+
|
153 |
+
/**
|
154 |
+
* Send headers to the browser that are going to ask for a username/pass
|
155 |
+
* from the browser.
|
156 |
+
*
|
157 |
+
* @access private
|
158 |
+
* @return void
|
159 |
+
**/
|
160 |
+
private function inauth_headers()
|
161 |
+
{
|
162 |
+
header('WWW-Authenticate: Basic realm="'.$this->relm.'"');
|
163 |
+
header('HTTP/1.0 401 Unauthorized');
|
164 |
+
echo '<h1>Authorization Required.</h1>';
|
165 |
+
exit;
|
166 |
+
}
|
167 |
+
|
168 |
+
/**
|
169 |
+
* Check for a HTTP auth session
|
170 |
+
*
|
171 |
+
* If they find one, we will setup the 'INTERNAL_AUTH_PASSED' constant.
|
172 |
+
* If they failed, it will send the HTTP auth headers to get the username/
|
173 |
+
* password.
|
174 |
+
*
|
175 |
+
* @uses self::inauth_headers() When we need the username/pass
|
176 |
+
* @access public
|
177 |
+
**/
|
178 |
+
public function setup()
|
179 |
+
{
|
180 |
+
/* Check for values in $PHP_AUTH_USER and $PHP_AUTH_PW */
|
181 |
+
if ((!isset($_SERVER['PHP_AUTH_USER'])) || (!isset($_SERVER['PHP_AUTH_PW']))) {
|
182 |
+
$this->inauth_headers();
|
183 |
+
|
184 |
+
} else if ((isset($_SERVER['PHP_AUTH_USER'])) && (isset($_SERVER['PHP_AUTH_PW']))){
|
185 |
+
|
186 |
+
/* Values contain some values, so check to see if they're correct */
|
187 |
+
|
188 |
+
if (($_SERVER['PHP_AUTH_USER'] != $this->current_user) || (md5($_SERVER['PHP_AUTH_PW']) != $this->current_pass)) {
|
189 |
+
/* If either the username entered is incorrect, or the password entered is incorrect, send the headers causing dialog box to appear */
|
190 |
+
$this->inauth_headers();
|
191 |
+
|
192 |
+
} else if (($_SERVER['PHP_AUTH_USER'] === $this->current_user) || ( md5($_SERVER['PHP_AUTH_PW'] ) === $this->current_pass)) {
|
193 |
+
|
194 |
+
/* if both values are correct, print success message */
|
195 |
+
// We're good here!
|
196 |
+
define('INTERNAL_AUTH_PASSED', TRUE);
|
197 |
+
}
|
198 |
+
}
|
199 |
+
}
|
200 |
+
|
201 |
+
/**
|
202 |
+
* Get the users for the private creds
|
203 |
+
*
|
204 |
+
* @access private
|
205 |
+
**/
|
206 |
+
function get_private_users()
|
207 |
+
{
|
208 |
+
$opt = get_option('ld_private_users');
|
209 |
+
if ( !is_array( $opt ) )
|
210 |
+
return array();
|
211 |
+
|
212 |
+
return $opt;
|
213 |
+
}
|
214 |
+
|
215 |
+
/**
|
216 |
+
* Setup hiding wp-admin
|
217 |
+
*
|
218 |
+
* @access void
|
219 |
+
**/
|
220 |
+
function setup_hide_admin()
|
221 |
+
{
|
222 |
+
$opt = get_option('ld_hide_wp_admin');
|
223 |
+
|
224 |
+
// Nope!
|
225 |
+
if ( $opt !== 'yep' )
|
226 |
+
return;
|
227 |
+
|
228 |
+
// We're gonna hide it.
|
229 |
+
$no_check_files = array('async-upload.php');
|
230 |
+
$no_check_files = apply_filters('no_check_files', $no_check_files);
|
231 |
+
|
232 |
+
$explode = explode('/', $_SERVER['SCRIPT_FILENAME'] );
|
233 |
+
$file = end( $explode );
|
234 |
+
if ( in_array( $file, $no_check_files ) )
|
235 |
+
{
|
236 |
+
define('INTERNAL_AUTH_PASSED', TRUE);
|
237 |
+
return;
|
238 |
+
}
|
239 |
+
|
240 |
+
if ( is_admin() )
|
241 |
+
{
|
242 |
+
if ( !is_user_logged_in() )
|
243 |
+
{
|
244 |
+
// If they AREN'T logged in and they tried to access wp-admin
|
245 |
+
// we'll just serve them a 404!
|
246 |
+
status_header(404);
|
247 |
+
require( get_404_template() );
|
248 |
+
exit;
|
249 |
+
}
|
250 |
+
|
251 |
+
|
252 |
+
}
|
253 |
+
|
254 |
+
if ( is_admin() )
|
255 |
+
$this->setup_http_area();
|
256 |
+
}
|
257 |
+
|
258 |
+
function get_file()
|
259 |
+
{
|
260 |
+
// We're gonna hide it.
|
261 |
+
$no_check_files = array('async-upload.php');
|
262 |
+
$no_check_files = apply_filters('no_check_files', $no_check_files);
|
263 |
+
|
264 |
+
$explode = explode('/', $_SERVER['SCRIPT_FILENAME'] );
|
265 |
+
return end( $explode );
|
266 |
+
}
|
267 |
+
|
268 |
+
/**
|
269 |
+
* Setting up the HTTP Auth
|
270 |
+
*
|
271 |
+
* Here, we only check if it's enabled
|
272 |
+
*
|
273 |
+
* @access private
|
274 |
+
**/
|
275 |
+
function setup_http_area()
|
276 |
+
{
|
277 |
+
$opt = get_option('ld_http_auth');
|
278 |
+
|
279 |
+
switch( $opt )
|
280 |
+
{
|
281 |
+
// HTTP auth is going to ask for their WordPress creds.
|
282 |
+
case('wp_creds');
|
283 |
+
|
284 |
+
/* Check for values in $PHP_AUTH_USER and $PHP_AUTH_PW */
|
285 |
+
if ((!isset($_SERVER['PHP_AUTH_USER'])) || (!isset($_SERVER['PHP_AUTH_PW']))) {
|
286 |
+
$this->inauth_headers();
|
287 |
+
|
288 |
+
} else if ((isset($_SERVER['PHP_AUTH_USER'])) && (isset($_SERVER['PHP_AUTH_PW']))){
|
289 |
+
|
290 |
+
// Are they already logged in as this?
|
291 |
+
$current_uid = get_current_user_id();
|
292 |
+
$requested_uid = get_user_id_from_string($_SERVER['PHP_AUTH_USER']);
|
293 |
+
|
294 |
+
// Not a valid user.
|
295 |
+
if ( $requested_uid === null || !$requested_uid )
|
296 |
+
$this->inauth_headers();
|
297 |
+
|
298 |
+
// Already logged in?
|
299 |
+
//var_dump( $current_uid, $requested_uid, is_user_logged_in() );
|
300 |
+
if ($current_uid == $requested_uid && is_user_logged_in() )
|
301 |
+
{
|
302 |
+
define('INTERNAL_AUTH_PASSED', TRUE);
|
303 |
+
return;
|
304 |
+
}
|
305 |
+
|
306 |
+
// Try it via wp_signon
|
307 |
+
$creds = array();
|
308 |
+
$creds['user_login'] = $_SERVER['PHP_AUTH_USER'];
|
309 |
+
$creds['user_password'] = $_SERVER['PHP_AUTH_PW'];
|
310 |
+
$creds['remember'] = true;
|
311 |
+
$user = wp_signon( $creds, false );
|
312 |
+
|
313 |
+
// In error
|
314 |
+
if ( is_wp_error($user) )
|
315 |
+
$this->inauth_headers();
|
316 |
+
|
317 |
+
// They passed!
|
318 |
+
define('INTERNAL_AUTH_PASSED', TRUE);
|
319 |
+
}
|
320 |
+
break;
|
321 |
+
|
322 |
+
case('private');
|
323 |
+
$users = $this->get_private_users();
|
324 |
+
|
325 |
+
// We want a user to exist
|
326 |
+
// If nobody is found, we won't lock them out!
|
327 |
+
if ( !$users || !is_array( $users ) )
|
328 |
+
return;
|
329 |
+
|
330 |
+
// Let's NOT lock everybody out
|
331 |
+
if ( count( $users ) === 0 )
|
332 |
+
return;
|
333 |
+
|
334 |
+
/* Check for values in $PHP_AUTH_USER and $PHP_AUTH_PW */
|
335 |
+
if ( !isset( $_SERVER['PHP_AUTH_USER'] ) || !isset( $_SERVER['PHP_AUTH_PW'] ) )
|
336 |
+
$this->inauth_headers();
|
337 |
+
|
338 |
+
// Did they enter a valid user?
|
339 |
+
if ( $this->user_array_check( $users, $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) )
|
340 |
+
{
|
341 |
+
// Yes!!
|
342 |
+
define('INTERNAL_AUTH_PASSED', TRUE);
|
343 |
+
$this->set_current_user( $users, $_SERVER['PHP_AUTH_USER'] );
|
344 |
+
return;
|
345 |
+
}
|
346 |
+
else
|
347 |
+
{
|
348 |
+
// Nope
|
349 |
+
$this->inauth_headers();
|
350 |
+
return;
|
351 |
+
}
|
352 |
+
|
353 |
+
break;
|
354 |
+
}
|
355 |
+
|
356 |
+
}
|
357 |
+
/**
|
358 |
+
* Check an internal array of users against a passed user and pass
|
359 |
+
*
|
360 |
+
* @access private
|
361 |
+
**/
|
362 |
+
function user_array_check( $array, $user, $pass )
|
363 |
+
{
|
364 |
+
foreach( $array as $key => $val )
|
365 |
+
{
|
366 |
+
if ( $val['user'] === $user && md5( $pass ) === $val['pass'] )
|
367 |
+
return TRUE;
|
368 |
+
}
|
369 |
+
|
370 |
+
return FALSE;
|
371 |
+
}
|
372 |
+
|
373 |
+
/**
|
374 |
+
* Set the current user
|
375 |
+
*
|
376 |
+
* @access private
|
377 |
+
**/
|
378 |
+
function set_current_user( $array, $user )
|
379 |
+
{
|
380 |
+
foreach( $array as $key => $val )
|
381 |
+
{
|
382 |
+
if ( $val['user'] === $user )
|
383 |
+
$this->current_user = $key;
|
384 |
+
}
|
385 |
+
}
|
386 |
+
|
387 |
+
/**
|
388 |
+
* Adds the admin menu
|
389 |
+
*
|
390 |
+
* @acces private
|
391 |
+
**/
|
392 |
+
function add_admin_menu()
|
393 |
+
{
|
394 |
+
add_menu_page('Lockdown WP', 'Lockdown WP', 'manage_options', 'lockdown-wp-admin', array( &$this, 'admin_callback'));
|
395 |
+
add_submenu_page( 'lockdown-wp-admin', 'Private Users', 'Private Users', 'manage_options', 'lockdown-private-users', array( &$this, 'sub_admin_callback'));
|
396 |
+
//add_plugins_page( 'Lockdown WP Admin', 'Lockdown WP Admin', 'manage_options', 'lockdown-wp-admin', array( &$this, 'admin_callback'));
|
397 |
+
}
|
398 |
+
|
399 |
+
/**
|
400 |
+
* The callback for the admin area
|
401 |
+
*
|
402 |
+
* @access private
|
403 |
+
**/
|
404 |
+
function admin_callback()
|
405 |
+
{
|
406 |
+
require_once( dirname( __FILE__ ) . '/admin.php' );
|
407 |
+
}
|
408 |
+
|
409 |
+
function sub_admin_callback()
|
410 |
+
{
|
411 |
+
$private_users = $this->get_private_users();
|
412 |
+
require_once( dirname( __FILE__ ) . '/admin-private-users.php' );
|
413 |
+
}
|
414 |
+
}
|
415 |
+
|
416 |
+
/**
|
417 |
+
* The function called at 'init'.
|
418 |
+
*
|
419 |
+
* Sets up the object
|
420 |
+
*
|
421 |
+
* @return void
|
422 |
+
* @access private
|
423 |
+
* @version 1.0
|
424 |
+
* @see do_action() Called by the 'init' hook'
|
425 |
+
**/
|
426 |
+
function ld_setup_auth()
|
427 |
+
{
|
428 |
+
// Setup the object.
|
429 |
+
$auth_obj = new WP_LockAuth();
|
430 |
+
|
431 |
+
// Is wp-login.php
|
432 |
+
$explode = explode('/', $_SERVER['SCRIPT_FILENAME'] );
|
433 |
+
$file = end( $explode );
|
434 |
+
if ( $file === 'async-upload.php' )
|
435 |
+
{
|
436 |
+
define('INTERNAL_AUTH_PASSED', TRUE);
|
437 |
+
return;
|
438 |
+
|
439 |
+
}
|
440 |
+
|
441 |
+
return;
|
442 |
+
if ( is_admin() )
|
443 |
+
{
|
444 |
+
if ( !is_user_logged_in() )
|
445 |
+
{
|
446 |
+
// If they AREN'T logged in and they tried to access wp-admin
|
447 |
+
// we'll just serve them a 404!
|
448 |
+
status_header(404);
|
449 |
+
require( get_404_template() );
|
450 |
+
exit;
|
451 |
+
}
|
452 |
+
|
453 |
+
$auth_obj->setup();
|
454 |
+
}
|
455 |
+
|
456 |
+
//add_filter('admin_url', array( $auth_obj, 'filter_wp_admin') );
|
457 |
+
//add_filter('site_url', array( $auth_obj, 'filter_wp_login') );
|
458 |
+
}
|
459 |
+
|
460 |
+
|
461 |
+
function filter_tb_login_redirect( $str )
|
462 |
+
{
|
463 |
+
return str_replace('wp-login.php', 'login-area.php', $str);
|
464 |
+
}
|
465 |
+
|
466 |
+
add_action('init', 'ld_setup_auth');
|
467 |
+
|
468 |
+
//add_filter('wp_redirect', 'filter_tb_login_redirect');
|
469 |
+
//add_filter('network_site_url', 'filter_tb_login_redirect');
|
470 |
+
//add_action('login_head', 'tnt_login_head');
|
471 |
+
//add_action('init', 'tnt_setup_auth');
|
472 |
+
//add_action('setup_theme', 'change_tnt_theme');
|
473 |
+
// add_filter('option_current_theme', 'change_tnt_theme', 100000);
|
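Review bot: `update_users()` (lines 51 to 112) and `update_options()` (lines 119 to 151) run from the constructor on every `init` (line 466 hooks `ld_setup_auth`, line 429 instantiates the class) with no `current_user_can('manage_options')` and no nonce check; the only gates are `$_GET['page']` and the presence of POST fields, so any visitor able to POST `private_username`/`private_password` to a URL carrying `?page=lockdown-private-users` can add an HTTP-auth credential, and a POST carrying `did_update` to `?page=lockdown-wp-admin` resets `ld_http_auth` to `none` and `ld_hide_wp_admin` to `nope`, switching the protection off. Move both handlers into the `admin_menu` page callbacks (or guard them with `is_admin()`, a capability check and `check_admin_referer()`), and `exit` after each `wp_redirect()` rather than `return`, since execution otherwise continues. Second, `setup_hide_admin()` returns on line 225 whenever hiding is off, so `setup_http_area()` on line 255 only ever runs when "Hide WP Admin" is enabled; and when it is, the 404 branch on lines 240 to 249 fires before the HTTP-auth check, so a visitor who is not logged in never reaches the `wp_signon()` path on line 311. Call `setup_http_area()` independently of `ld_hide_wp_admin`, and before the 404 test. Third, passwords are stored and compared as unsalted `md5()` (lines 67 and 366); use `wp_hash_password()` and `wp_check_password()`. Fourth, `get_user_id_from_string()` on line 292 is a multisite function (ms-functions.php is loaded only when `is_multisite()` is true), and this plugin refuses network activation, so on the single-site installs it targets the `wp_creds` mode calls an undefined function; `get_user_by('login', $_SERVER['PHP_AUTH_USER'])` works on both. Note also that `is_admin()` is true for `admin-ajax.php`, so the 404 blocks unauthenticated AJAX (`wp_ajax_nopriv_*`) unless that file is added to `no_check_files`. Dead code to drop: `setup()` (lines 178 to 199) references an undeclared `$this->current_pass` and, on line 192, accepts either a matching user or a matching password, but nothing reachable calls it because line 441 returns before lines 442 to 454; `get_file()` (lines 258 to 266) is unused; the redirect on line 149 targets `plugins.php?page=lockdown-wp-admin` although the menu is registered under `admin.php` on line 394 (line 73 has the correct form); and `INTERNAL_AUTH_PASSED` is defined twice for `async-upload.php` when hiding is on (line 236, then line 436), which raises a notice.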
no-wpmu.php
ADDED
@@ -0,0 +1,111 @@
1 |
+
<?php
|
2 |
+
/**
|
3 |
+
* We don't want to allow for this plugin to be used in WP-MS or network wide
|
4 |
+
*
|
5 |
+
* @author Sean Fisher
|
6 |
+
* @version 1.0
|
7 |
+
**/
|
8 |
+
class Disable_WPMS_Plugin_LD
|
9 |
+
{
|
10 |
+
/**
|
11 |
+
* PHP 4 style constructor
|
12 |
+
*
|
13 |
+
* @access private
|
14 |
+
* @return void
|
15 |
+
**/
|
16 |
+
function Disable_WPMS_Plugin_LD()
|
17 |
+
{
|
18 |
+
register_activation_hook(LD_FILE_NAME, array( &$this, 'on_activate') );
|
19 |
+
}
|
20 |
+
|
21 |
+
/**
|
22 |
+
* Called when activating the plugin
|
23 |
+
*
|
24 |
+
* @access private
|
25 |
+
**/
|
26 |
+
function on_activate()
|
27 |
+
{
|
28 |
+
/**
|
29 |
+
* Disable buggy sitewide activation in WPMU and WP 3.0
|
30 |
+
*/
|
31 |
+
if ((is_multisite() && isset($_GET['sitewide'])) || ($this->is_network_mode() && isset($_GET['networkwide']))) {
|
32 |
+
$this->network_activate_error();
|
33 |
+
}
|
34 |
+
|
35 |
+
// Default options
|
36 |
+
update_option('ld_http_auth', 'none');
|
37 |
+
update_option('ld_hide_wp_admin', 'no');
|
38 |
+
}
|
39 |
+
|
40 |
+
/**
|
41 |
+
* De-activate a plugin
|
42 |
+
*
|
43 |
+
* @access private
|
44 |
+
**/
|
45 |
+
function network_activate_error()
|
46 |
+
{
|
47 |
+
// De-activate the plugin
|
48 |
+
$active_plugins = (array) get_option('active_plugins');
|
49 |
+
$active_plugins_network = (array) get_site_option('active_sitewide_plugins');
|
50 |
+
|
51 |
+
// workaround for WPMU deactivation bug
|
52 |
+
remove_action('deactivate_' . LD_FILE_NAME, 'deactivate_sitewide_plugin');
|
53 |
+
|
54 |
+
do_action('deactivate_plugin', LD_FILE_NAME);
|
55 |
+
|
56 |
+
$key = array_search(LD_FILE_NAME, $active_plugins);
|
57 |
+
|
58 |
+
if ($key !== false) {
|
59 |
+
array_splice($active_plugins, $key, 1);
|
60 |
+
}
|
61 |
+
|
62 |
+
unset($active_plugins_network[LD_FILE_NAME]);
|
63 |
+
|
64 |
+
do_action('deactivate_' . LD_FILE_NAME);
|
65 |
+
do_action('deactivated_plugin', LD_FILE_NAME);
|
66 |
+
|
67 |
+
update_option('active_plugins', $active_plugins);
|
68 |
+
update_site_option('active_sitewide_plugins', $active_plugins_network);
|
69 |
+
|
70 |
+
?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
71 |
+
<html xmlns="http://www.w3.org/1999/xhtml">
|
72 |
+
<head>
|
73 |
+
<title>Network Activation Error</title>
|
74 |
+
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
|
75 |
+
</head>
|
76 |
+
<body>
|
77 |
+
<p>
|
78 |
+
<strong>Error:</strong> This plugin cannot be activated network-wide.
|
79 |
+
</p>
|
80 |
+
<p>
|
81 |
+
<a href="javascript:history.back(-1);">Back</a>
|
82 |
+
</p>
|
83 |
+
</body>
|
84 |
+
</html>
|
85 |
+
<?php
|
86 |
+
exit();
|
87 |
+
}
|
88 |
+
|
89 |
+
/**
|
90 |
+
* Returns true if it's WP with enabled Network mode
|
91 |
+
*
|
92 |
+
* @return boolean
|
93 |
+
* @author W3 Total Cache
|
94 |
+
*/
|
95 |
+
function is_network_mode()
|
96 |
+
{
|
97 |
+
static $network_mode = null;
|
98 |
+
|
99 |
+
if ($network_mode === null) {
|
100 |
+
$network_mode = (defined('MULTISITE') && MULTISITE);
|
101 |
+
}
|
102 |
+
|
103 |
+
return $network_mode;
|
104 |
+
}
|
105 |
+
}
|
106 |
+
|
107 |
+
function setup_disable_network_wide()
|
108 |
+
{
|
109 |
+
return new Disable_WPMS_Plugin_LD();
|
110 |
+
}
|
111 |
+
setup_disable_network_wide();
|
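Review bot: `register_activation_hook()` on line 18 is called too late to take effect. This file is included only from the `WP_LockAuth` constructor, which runs from the `init` hook, but the activation request includes the plugin file after `init` has already fired, so the constructor never runs during activation and neither the network-activation guard nor the defaults on lines 36 and 37 are ever applied; include this file and register the hook at the top level of lockdown-wp-admin.php. Inside `network_activate_error()`, `LD_FILE_NAME` is `__FILE__` (an absolute path), while `active_plugins`, `active_sitewide_plugins` and the `deactivate_*` action names use the `plugin_basename()` form, so the `array_search()` on line 56, the `unset()` on line 62 and the `remove_action()`/`do_action()` calls on lines 52, 64 and 65 never match; pass `plugin_basename(LD_FILE_NAME)`. Also, line 37 writes `'no'` where the main file tests for `'yep'`/`'nope'`, and `update_option()` on activation overwrites existing settings on every re-activation; `add_option()` sets a default only when none exists.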
readme.txt
ADDED
@@ -0,0 +1,44 @@
1 |
+
=== Lockdown WP Admin ===
|
2 |
+
Contributors: sean212
|
3 |
+
Donate link: http://talkingwithsean.com/donate/
|
4 |
+
Tags: security, wp-admin, http auth, 404, lockdown, talkingwithsean, secure
|
5 |
+
Requires at least: 3.0
|
6 |
+
Tested up to: 3.1
|
7 |
+
Stable tag: 1.0
|
8 |
+
|
9 |
+
This plugin will hide /wp-admin/ when you aren't logged in. If a user isn't logged in and they attempt to access /wp-admin/ directly, they will be unable to and it will return a 404.
|
10 |
+
|
11 |
+
Also, you can add HTTP authentication directly from WP admin and add custom username/password combinations for the HTTP auth, or use the WordPress credentials.
|
12 |
+
|
13 |
+
This doesn't touch any .htaccess files or change the WordPress core files. All the CSS/Images under /wp-admin/ are still accessible, just not the .php ones.
|
14 |
+
|
15 |
+
If you enable HTTP authencation, it will add HTTP auth to wthe PHP files in /wp-admin/
|
16 |
+
|
17 |
+
== Description ==
|
18 |
+
|
19 |
+
This plugin will hide /wp-admin/ when you aren't logged in. If a user isn't logged in and they attempt to access /wp-admin/ directly, they will be unable to and it will return a 404.
|
20 |
+
|
21 |
+
Also, you can add HTTP authentication directly from WP admin and add custom username/password combinations for the HTTP auth, or use the WordPress credentials.
|
22 |
+
|
23 |
+
This doesn't touch any .htaccess files or change the WordPress core files. All the CSS/Images under /wp-admin/ are still accessible, just not the .php ones.
|
24 |
+
|
25 |
+
If you enable HTTP authencation, it will add HTTP auth to the PHP files in /wp-admin/
|
26 |
+
|
27 |
+
== Installation ==
|
28 |
+
|
29 |
+
1. Upload `/lockdown-wp-admin/` to the `/wp-content/plugins/` directory
|
30 |
+
2. Activate the plugin through the 'Plugins' menu in WordPress
|
31 |
+
3. Navigate to the "Lockdown WP" menu
|
32 |
+
|
33 |
+
== Frequently Asked Questions ==
|
34 |
+
|
35 |
+
None yet.
|
36 |
+
|
37 |
+
== Screenshots ==
|
38 |
+
|
39 |
+
None yet.
|
40 |
+
|
41 |
+
== Changelog ==
|
42 |
+
|
43 |
+
= 1.0 =
|
44 |
+
* Initial release
|
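Review bot: lines 9 to 15 are repeated verbatim as the Description on lines 19 to 25, and the short description above the `== Description ==` header is expected to be a single line; keep one copy. Lines 15 and 25 misspell "authentication", and line 15 has "wthe". The claims on lines 13 and 15 overstate what the code does: hiding applies only to requests for which `is_admin()` is true and the visitor is not logged in (so `wp-login.php` stays reachable while `admin-ajax.php` is caught), and in this release HTTP authentication is enforced only while "Hide WP Admin" is enabled. The recovery step given on the private-users screen (delete `/wp-content/plugins/lockdown-wp-admin/` over FTP if locked out) belongs under Frequently Asked Questions instead of "None yet."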