Lockdown WP Admin - Version 1.2

Version Description

  • Cleaned up more code.
  • Security fixes that will prevent somebody from possibly hijacking your website. (Props Jon Cave)

Release Info

Developer sean212
Version 1.2

Code changes from version 1.1.2 to 1.2

Files changed (5) hide show
  1. admin-private-users.php +9 -5
  2. admin.php +11 -3
  3. lockdown-wp-admin.php +36 -12
  4. no-wpmu.php +1 -1
  5. readme.txt +8 -7
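--- a/admin-private-users.php
+++ b/admin-private-users.php
@@ -1,18 +1,22 @@
 <div class="wrap">
 <div id="icon-options-general" class="icon32"></div><h2>HTTP Authentication Private Users</h2>
 
-<?php
-// Did we update?
-if ( isset( $_GET['updated'] ) ) { ?>
+<?php if ( defined('LD_WP_ADMIN') && LD_WP_ADMIN == TRUE ) { ?>
 <div class="updated fade"><p>Updated!</p></div>
 <?php }
 
 // Error message?
-if ( isset( $_GET['error'] ) && $_GET['error'] == 'delete-self') { ?>
+if ( defined('LD_ERROR') && LD_ERROR == 'delete-self') { ?>
 <div class="error fade"><p>You can't delete yourself!</p></div>
 <?php } ?>
 
-<form method="POST" action="<?php echo admin_url('admin.php?page=lockdown-private-users'); ?>"> <p>Adding users below will <em>only</em> work if you have "Private Usernames/Passwords" selected for HTTP Authentication.</p>
+<form method="POST" action="<?php echo admin_url('admin.php?page=lockdown-private-users'); ?>">
+
+<?php
+// Nonces
+wp_nonce_field('lockdown-wp-admin');
+?>
+<p>Adding users below will <em>only</em> work if you have "Private Usernames/Passwords" selected for HTTP Authentication.</p>
 
 <p><strong>Please note a few things:</strong>
 <ul>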
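Review bot: The nonce action passed to `wp_nonce_field('lockdown-wp-admin')` here is the same string the options form in admin.php uses, so a token issued for one form also validates on the other; scoping it per form, e.g. `wp_nonce_field('lockdown-private-users');` with the matching action in the wp_verify_nonce() call of update_users, stops the two handlers from accepting each other's tokens. This matters little while both handlers sit behind the same capability, but it costs nothing and keeps each nonce tied to one action. The comparison `LD_WP_ADMIN == TRUE` is loose, and since the constant is only ever defined as TRUE in this change, `if ( defined('LD_WP_ADMIN') ) { ?>` says the same thing more directly; admin.php has the same pattern.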
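--- a/admin.php
+++ b/admin.php
@@ -1,12 +1,20 @@
 <div class="wrap">
 <div id="icon-options-general" class="icon32"></div><h2>Lockdown WordPress Admin</h2>
 
-<?php if ( isset( $_GET['updated'] ) ) { ?>
+<?php if ( defined('LD_WP_ADMIN') && LD_WP_ADMIN == TRUE ) { ?>
 <div class="updated fade"><p>Options updated!</p></div>
 <?php } ?>
 
 <p>We are going to help make WordPress a bit more secure.</p>
-<form method="POST" action="<?php echo $_SERVER['REQUEST_URI']; ?>">
+
+
+
+<form method="POST" action="<?php echo admin_url('admin.php?page=lockdown-wp-admin'); ?>">
+
+<?php
+// Nonces
+wp_nonce_field('lockdown-wp-admin');
+?>
 
 <h3>Hide WP Admin</h3>
 <p>We can "hide" WordPress's administration interface from the public. If you enable this, when you access <code><?php echo admin_url(); ?></code> when you <strong>aren't</strong> logged in, you will recieve a <a href="http://en.wikipedia.org/wiki/HTTP_404">404 error page</a> instead of redirecting to the login page.</p>
@@ -30,7 +38,7 @@
 
 
 <input type="hidden" name="did_update" value="yes_we_did">
-
+
 <input class='button-primary' type='submit' name='Save' value='<?php _e('Save Options'); ?>' id='submitbutton' />
 
 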
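--- a/lockdown-wp-admin.php
+++ b/lockdown-wp-admin.php
@@ -1,9 +1,9 @@
 <?php
 /*
 Plugin Name: Lockdown WordPress Admin
-Plugin URI: http://talkingwithsean.com/lockdown/
+Plugin URI: http://talkingwithsean.com/2011/01/lockdown-wp-admin/
 Description: Securing the WordPress Administration interface.
-Version: 1.1.2
+Version: 1.2
 Author: Sean Fisher
 Author URI: http://talkingwithsean.com/
 License: GPL v3
@@ -20,6 +20,7 @@ define('LD_FILE_NAME', __FILE__ );
 * @license GPL v3
 **/
 class WP_LockAuth {
+
 /**
 * The HTTP Auth name for the protected area
 * Change this via calling the object, not by editing the file.
@@ -47,10 +48,8 @@ class WP_LockAuth {
 // Setup the plugin.
 $this->setup_hide_admin();
 
-// Should we update options here?
-$this->update_options();
-$this->update_users();
-
+// We no longer update the options here, but rather when we call on the callback function from the menu.
+// More secure.
 }
 
 /**
@@ -66,6 +65,16 @@ class WP_LockAuth {
 if ( $_GET['page'] !== 'lockdown-private-users' )
 return;
 
+// Nonce
+if ( !isset( $_POST['_wpnonce'] ) )
+return;
+
+$nonce = $_POST['_wpnonce'];
+if (! wp_verify_nonce($nonce, 'lockdown-wp-admin') )
+wp_die('Security error, please try again.');
+
+// ---------------------------------------------------
+
 // Add a user
 if ( isset( $_POST['private_username'] ) && isset( $_POST['private_password'] ) )
 {
@@ -80,7 +89,8 @@ class WP_LockAuth {
 
 update_option('ld_private_users', $users);
 
-wp_redirect( admin_url('admin.php?page=lockdown-private-users&updated=true'));
+define('LD_WP_ADMIN', TRUE);
+//wp_redirect( admin_url('admin.php?page=lockdown-private-users&updated=true'));
 return;
 }
 }
@@ -105,7 +115,7 @@ class WP_LockAuth {
 if( $this->current_user !== '' && $to_delete === $this->current_user )
 {
 // They can't delete themselves!
-wp_redirect( admin_url('admin.php?page=lockdown-private-users&error=delete-self'));
+define('LD_ERROR', 'delete-self');
 return;
 }
 
@@ -116,7 +126,7 @@ class WP_LockAuth {
 
 update_option('ld_private_users', $users);
 
-wp_redirect( admin_url('admin.php?page=lockdown-private-users&updated=true'));
+define('LD_WP_ADMIN', TRUE);
 return;
 }
 }
@@ -137,6 +147,12 @@ class WP_LockAuth {
 if ( !isset( $_POST['did_update'] ) )
 return;
 
+// Nonce
+$nonce = $_POST['_wpnonce'];
+if (! wp_verify_nonce($nonce, 'lockdown-wp-admin') )
+wp_die('Security error, please try again.');
+
+// ---------------------------------------------------
 // They're updating.
 if ( isset( $_POST['http_auth'] ) )
 update_option('ld_http_auth', trim( strtolower( $_POST['http_auth'] ) ) );
@@ -156,7 +172,7 @@ class WP_LockAuth {
 }
 
 // Redirect
-wp_redirect( admin_url( 'admin.php?page=lockdown-wp-admin&updated=true' ) );
+define('LD_WP_ADMIN', TRUE);
 return;
 }
 
@@ -424,20 +440,28 @@ class WP_LockAuth {
 /**
 * The callback for the admin area
 *
-* @access private
+* You need the 'manage_options' capability to get here.
 **/
 function admin_callback()
 {
+// Update the options
+$this->update_options();
+
+// The UI
 require_once( dirname( __FILE__ ) . '/admin.php' );
 }
 
 /**
 * The callback for ther private users management.
 *
-* @access private
+* You need the 'manage_options' capability to get here.
 **/
 function sub_admin_callback()
 {
+// Update the users options
+$this->update_users();
+
+// The UI
 $private_users = $this->get_private_users();
 require_once( dirname( __FILE__ ) . '/admin-private-users.php' );
 }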
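Review bot: In the update_options hunk the nonce is read with `$nonce = $_POST['_wpnonce'];` before any isset() check, unlike the guard added in update_users a few hunks earlier, so a POST that carries `did_update` but no nonce raises an undefined-index notice before wp_die() fires; the request is still rejected, but the two handlers should use the same guard, and both can collapse to `check_admin_referer('lockdown-wp-admin');`, which verifies the nonce and dies on failure in one call (the enclosing methods start and end outside these hunks). Replacing the wp_redirect() calls with define('LD_WP_ADMIN', TRUE) also drops the post-redirect-get step, so a browser refresh on the success page re-submits the same POST with a nonce that is still within its validity window and repeats the add or delete; that is worth a comment where the redirect was commented out, e.g. `// No redirect: a refresh re-posts this form`. The new doc comments state that 'manage_options' is required to reach the callbacks, but the menu registration that would enforce it is not in this diff, so that claim should be checked against the add_menu_page/add_submenu_page calls before relying on it as the only capability check.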
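--- a/no-wpmu.php
+++ b/no-wpmu.php
@@ -3,7 +3,7 @@
 * We don't want to allow for this plugin to be used in WP-MS or network wide.
 *
 * @author Sean Fisher
-* @version 1.1
+* @version 1.2
 **/
 class Disable_WPMS_Plugin_LD
 {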
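--- a/readme.txt
+++ b/readme.txt
@@ -1,10 +1,11 @@
 === Lockdown WP Admin ===
 Contributors: sean212
 Donate link: http://talkingwithsean.com/donate/
+Link: http://talkingwithsean.com/2011/01/lockdown-wp-admin/
 Tags: security, wp-admin, http auth, 404, lockdown, talkingwithsean, secure
 Requires at least: 3.0
-Tested up to: 3.1
-Stable tag: 1.1.2
+Tested up to: 3.2
+Stable tag: 1.2
 
 This plugin will hide /wp-admin/ when you aren't logged in. If a user isn't logged in and they attempt to access /wp-admin/ directly, they will be unable to and it will return a 404.
 
@@ -34,10 +35,6 @@ If you enable HTTP authencation, it will add HTTP auth to the PHP files in /wp-a
 
 None yet.
 
-== Screenshots ==
-
-None yet.
-
 == Changelog ==
 
 = 1.0 =
@@ -48,4 +45,8 @@ None yet.
 
 = 1.1 =
 * Fixed a bug on activating the plugin network wide, we disabled network wide activation.
-* Cleaned up the plugin and prevented a double loop of the HTTP check, unnecessary.
+* Cleaned up the plugin and prevented a double loop of the HTTP check, unnecessary.
+
+= 1.2 =
+* Cleaned up more code.
+* Security fixes that will prevent somebody from possibly hijacking your website. (Props Jon Cave)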