Lockdown WP Admin - Version 1.4

Version Description

  • Fixed a bug with users with an index.php base
  • Added stats for us to collect about URL setup and server configuration for our users. This will let us make the plugin even better.
  • Fixed a bug with private user management in WP Admin

Release Info

Developer sean212
Version 1.4

Code changes from version 1.3.5.1 to 1.4

Files changed (5)
  1. admin-private-users.php +3 -1
  2. admin.php +5 -3
  3. lockdown-wp-admin.php +82 -23
  4. no-wpmu.php +3 -2
  5. readme.txt +11 -5
admin-private-users.php CHANGED
@@ -46,10 +46,12 @@ if ( defined('LD_ERROR') && LD_ERROR == 'delete-self') { ?>
46
  </tfoot>
47
  <tbody>
48
  <?php if ( isset( $private_users ) && count( $private_users ) > 0 ) : ?>
 
 
49
  <?php foreach( $private_users as $key => $user ) { ?>
50
  <tr>
51
  <td><?php echo $user['user']; ?></td>
52
- <td><a href="admin.php?page=<?php echo $_GET['page']; ?>&delete=<?php echo $key; ?>&hash=<?php echo wp_hash(get_current_user_id()); ?>">Delete</a></td>
53
  </tr><?php } endif; ?>
54
  </tbody>
55
  </table>
46
  </tfoot>
47
  <tbody>
48
  <?php if ( isset( $private_users ) && count( $private_users ) > 0 ) : ?>
49
+ <?php $nonce = wp_create_nonce('lockdown-wp-admin'); ?>
50
+
51
  <?php foreach( $private_users as $key => $user ) { ?>
52
  <tr>
53
  <td><?php echo $user['user']; ?></td>
54
+ <td><a href="admin.php?page=<?php echo $_GET['page']; ?>&delete=<?php echo $key; ?>&_wpnonce=<?php echo $nonce; ?>">Delete</a></td>
55
  </tr><?php } endif; ?>
56
  </tbody>
57
  </table>
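Review bot: the new Delete link (new line 54) still interpolates `$_GET['page']`, `$key` and the nonce into the href without escaping; build the URL with `wp_nonce_url( admin_url( 'admin.php?page=' . urlencode( $_GET['page'] ) . '&delete=' . urlencode( $key ) ), 'lockdown-wp-admin' )` and output it through `esc_url()`, which also keeps the reflected `page` parameter from breaking out of the attribute. The nonce is created once per page with the same `'lockdown-wp-admin'` action that the settings save path verifies, so one token authorizes both saving options and deleting any private user; a per-row action such as `'ld-delete-user_' . $key` would scope it to the one operation.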
admin.php CHANGED
@@ -12,7 +12,8 @@ if ( defined('LD_DIS_BASE') && LD_DIS_BASE == TRUE )
12
  ?>
13
 
14
  <p>We are going to help make WordPress a bit more secure.</p>
15
- <p><a href="http://twitter.com/talkingwithsean"><img src="http://twitter-badges.s3.amazonaws.com/follow_me-c.png" width="160" height="27" /></a></p>
 
16
 
17
 
18
 
@@ -29,6 +30,7 @@ if ( defined('LD_DIS_BASE') && LD_DIS_BASE == TRUE )
29
  <label><input type="checkbox" name="hide_wp_admin" value="yep" <?php if ( get_option('ld_hide_wp_admin') === 'yep' ) { ?> checked <?php } ?>> Yes, please hide WP Admin from the user when they aren't logged in.</label>
30
 
31
  <br /><br />
 
32
  <label> Change the WordPress Login URL? <?php echo wp_guess_url().'/'; ?><input type="text" name="login_base" value="<?php echo $this->login_base; ?>" /><br />
33
  <em>This will change it from <?php echo wp_guess_url(); ?>/wp-login.php to whatever you put in this box. If you leave it <strong>black</strong>, it will be disabled.<br />
34
  Say if you put "login" into the box, your new login URL will be <?php echo wp_guess_url(); ?>/login/.</em></label>
@@ -39,8 +41,8 @@ $url = wp_guess_url() . '/'. $this->login_base;
39
  ?>
40
  <p>Your current login URL is <code><a href="<?php echo $url; ?>"><?php echo $url; ?></a></code>.</p>
41
 
42
- <h4>Please Note Something!</h4>
43
- <p>If you are using a cache plugin (WTC, WP Super Cache, etc), you need to enable it to not cache the above base. That means (for most caching plugins) adding whatever you enter into the box above into your plugins Caching Whitelist, that is the list of URLs that your plugin doesn't cache. If you have any questions, tweet me @talkingwithsean.</p>
44
 
45
 
46
  <h3>HTTP Authentication</h3>
12
  ?>
13
 
14
  <p>We are going to help make WordPress a bit more secure.</p>
15
+ <p><a href="http://twitter.com/talkingwithsean"><img src="http://twitter-badges.s3.amazonaws.com/follow_me-c.png" width="160" height="27" /></a><br />
16
+ I tweet a lot of cool things and often post whenever I update this plugin. <a href="http://twitter.com/talkingwithsean">@talkingwithsean</a></p>
17
 
18
 
19
 
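Review bot: the follow badge moved here (new lines 15-16) loads an image from twitter-badges.s3.amazonaws.com over plain http on every render of the settings page; that is a third-party resource inside wp-admin, it triggers mixed-content warnings when the admin runs over SSL, and it reports each admin visit to a host the plugin does not control. Ship the image with the plugin and reference it through `plugins_url()`, or leave the badge out of the admin UI.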
30
  <label><input type="checkbox" name="hide_wp_admin" value="yep" <?php if ( get_option('ld_hide_wp_admin') === 'yep' ) { ?> checked <?php } ?>> Yes, please hide WP Admin from the user when they aren't logged in.</label>
31
 
32
  <br /><br />
33
+ <h3>WordPress Login URL</h3>
34
  <label> Change the WordPress Login URL? <?php echo wp_guess_url().'/'; ?><input type="text" name="login_base" value="<?php echo $this->login_base; ?>" /><br />
35
  <em>This will change it from <?php echo wp_guess_url(); ?>/wp-login.php to whatever you put in this box. If you leave it <strong>black</strong>, it will be disabled.<br />
36
  Say if you put "login" into the box, your new login URL will be <?php echo wp_guess_url(); ?>/login/.</em></label>
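Review bot: the added heading is fine, but the context line beneath it reads "If you leave it <strong>black</strong>" where "blank" is meant, and `$this->login_base` is echoed into the input's value attribute unescaped; wrap it in `esc_attr()` while this block is being edited.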
41
  ?>
42
  <p>Your current login URL is <code><a href="<?php echo $url; ?>"><?php echo $url; ?></a></code>.</p>
43
 
44
+ <blockquote><h4>Please Note Something!</h4>
45
+ <p>If you are using a cache plugin (WTC, WP Super Cache, etc), you need to enable it to not cache the above base. That means (for most caching plugins) adding whatever you enter into the box above into your plugins Caching Whitelist, that is the list of URLs that your plugin doesn't cache. If you have any questions, tweet me @talkingwithsean.</p></blockquote>
46
 
47
 
48
  <h3>HTTP Authentication</h3>
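Review bot: wrapping the caching note in a blockquote changes presentation only; the context line above it echoes `$url` into both the href and the link text without `esc_url()` / `esc_html()`, and `$url` is built from `$this->login_base`, which comes from the settings form, so escape it here.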
lockdown-wp-admin.php CHANGED
@@ -3,12 +3,14 @@
3
  Plugin Name: Lockdown WordPress Admin
4
  Plugin URI: http://talkingwithsean.com/2011/01/lockdown-wp-admin/
5
  Description: Securing the WordPress Administration interface.
6
- Version: 1.3.5.1
7
  Author: Sean Fisher
8
  Author URI: http://talkingwithsean.com/
9
  License: GPL v3
10
  */
11
 
 
 
12
  // This file name
13
  define('LD_FILE_NAME', __FILE__ );
14
 
@@ -21,6 +23,14 @@ define('LD_FILE_NAME', __FILE__ );
21
  **/
22
  class WP_LockAuth {
23
 
 
 
 
 
 
 
 
 
24
  /**
25
  * The HTTP Auth name for the protected area
26
  * Change this via calling the object, not by editing the file.
@@ -76,11 +86,11 @@ class WP_LockAuth {
76
  return;
77
 
78
  // Nonce
79
- if ( !isset( $_POST['_wpnonce'] ) )
80
  return;
81
 
82
- $nonce = $_POST['_wpnonce'];
83
- if (! wp_verify_nonce($nonce, 'lockdown-wp-admin') )
84
  wp_die('Security error, please try again.');
85
 
86
  // ---------------------------------------------------
@@ -106,12 +116,8 @@ class WP_LockAuth {
106
  }
107
 
108
  // Deleting a user.
109
- if ( isset( $_GET['delete'] ) && isset( $_GET['hash'] ) )
110
  {
111
- // Check hash
112
- if ( $_GET['hash'] !== wp_hash(get_current_user_id()) )
113
- return;
114
-
115
  // Delete the user.
116
  unset( $users );
117
  $users = $this->get_private_users();
@@ -479,6 +485,11 @@ class WP_LockAuth {
479
  // Update the options
480
  $this->update_options();
481
 
 
 
 
 
 
482
  // The UI
483
  require_once( dirname( __FILE__ ) . '/admin.php' );
484
  }
@@ -512,8 +523,6 @@ class WP_LockAuth {
512
  return;
513
 
514
  $this->login_base = $login_base;
515
- //var_dump( $this->login_base );
516
- //die();
517
  unset( $login_base );
518
 
519
  // Setup the filters for the new login form
@@ -525,6 +534,7 @@ class WP_LockAuth {
525
  // This means we need to take the current URL,
526
  // strip it of an WordPress path (if the blog is located @ /blog/)
527
  // And then remove the query string
 
528
 
529
  // The blog's URL
530
  $blog_url = trailingslashit( get_bloginfo('url') );
@@ -534,6 +544,8 @@ class WP_LockAuth {
534
  $current_url = $schema . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
535
 
536
  $request_url = str_replace( $blog_url, '', $current_url );
 
 
537
  list( $base, $query ) = explode( '?', $request_url, 2 );
538
 
539
  // Remove trailing slash
@@ -572,6 +584,63 @@ class WP_LockAuth {
572
  {
573
  return str_replace('wp-login.php', $this->login_base, $str);
574
  }
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
575
  }
576
 
577
  /**
@@ -590,16 +659,6 @@ function ld_setup_auth()
590
  $auth_obj = new WP_LockAuth();
591
  }
592
 
 
593
 
594
- function ld_get_url_path()
595
- {
596
- if ( defined('WP_SITEURL') && '' != WP_SITEURL ) {
597
- $url = WP_SITEURL;
598
- } else {
599
- $schema = is_ssl() ? 'https://' : 'http://';
600
- $url = preg_replace('|/wp-admin/.*|i', '', $schema . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
601
- }
602
- return rtrim($url, '/');
603
- }
604
-
605
- add_action('init', 'ld_setup_auth');
3
  Plugin Name: Lockdown WordPress Admin
4
  Plugin URI: http://talkingwithsean.com/2011/01/lockdown-wp-admin/
5
  Description: Securing the WordPress Administration interface.
6
+ Version: 1.4
7
  Author: Sean Fisher
8
  Author URI: http://talkingwithsean.com/
9
  License: GPL v3
10
  */
11
 
12
+
13
+
14
  // This file name
15
  define('LD_FILE_NAME', __FILE__ );
16
 
23
  **/
24
  class WP_LockAuth {
25
 
26
+ /**
27
+ * The version of lockdown WP Admin
28
+ *
29
+ * @param string
30
+ * @access private
31
+ **/
32
+ private $ld_admin_version = '1.4';
33
+
34
  /**
35
  * The HTTP Auth name for the protected area
36
  * Change this via calling the object, not by editing the file.
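Review bot: the docblock on the new `$ld_admin_version` property uses `@param string`, which documents a function parameter; a property should carry `@var string`. The version string is now maintained in two places (the plugin header at line 6 and this property), so a release bump that misses one will report a stale version in the stats payload; read it from the header with `get_plugin_data( LD_FILE_NAME )` or define a single constant next to `LD_FILE_NAME` and use it in both places.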
86
  return;
87
 
88
  // Nonce
89
+ if ( !isset( $_REQUEST['_wpnonce'] ) )
90
  return;
91
 
92
+ $nonce = $_REQUEST['_wpnonce'];
93
+ if ( !wp_verify_nonce( $nonce, 'lockdown-wp-admin' ) )
94
  wp_die('Security error, please try again.');
95
 
96
  // ---------------------------------------------------
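Review bot: switching the check from `$_POST['_wpnonce']` to `$_REQUEST['_wpnonce']` (new lines 89 and 92) is what lets the GET-based Delete link pass, but it also means the option-saving POST path now accepts a nonce arriving in the query string, and because the same `'lockdown-wp-admin'` action covers both operations, a nonce that leaks through a Delete URL (browser history, Referer headers, access logs) is usable for either. Prefer `check_admin_referer( 'lockdown-wp-admin' )` for the POST form and a separate, narrower action for the delete link.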
116
  }
117
 
118
  // Deleting a user.
119
+ if ( isset( $_GET['delete'] ) )
120
  {
 
 
 
 
121
  // Delete the user.
122
  unset( $users );
123
  $users = $this->get_private_users();
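Review bot: dropping the `hash` check is a net improvement, because `wp_hash( get_current_user_id() )` is a fixed value per user with no expiry, whereas the nonce verified earlier in this method expires and is bound to the session. That nonce is now the only gate on `$_GET['delete']`, though, and a nonce proves intent, not permission: confirm that a `current_user_can( 'manage_options' )` check runs before this block (it is not visible in the hunk), and validate `$_GET['delete']` as an integer key before it is used to pick the entry to remove from the list returned by `get_private_users()`.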
485
  // Update the options
486
  $this->update_options();
487
 
488
+ // The stats
489
+ $check_stats_sent = get_transient('ld_send_stats');
490
+ if ( !$check_stats_sent )
491
+ $this->send_stats();
492
+
493
  // The UI
494
  require_once( dirname( __FILE__ ) . '/admin.php' );
495
  }
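Review bot: `send_stats()` is invoked from the request that renders the settings page (new lines 488-491), so a blocking `wp_remote_post()` with a 3-second timeout runs inline the first time the page is opened every seven days and stalls the page for the admin whenever the collection endpoint is slow or down. Schedule it through `wp_schedule_single_event()` / WP-Cron instead, and gate it on an explicit opt-in option rather than on the transient alone, since nothing in this change adds a notice that data is being sent.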
523
  return;
524
 
525
  $this->login_base = $login_base;
 
 
526
  unset( $login_base );
527
 
528
  // Setup the filters for the new login form
534
  // This means we need to take the current URL,
535
  // strip it of an WordPress path (if the blog is located @ /blog/)
536
  // And then remove the query string
537
+ // We also need to remove the index.php from the URL if it exists
538
 
539
  // The blog's URL
540
  $blog_url = trailingslashit( get_bloginfo('url') );
544
  $current_url = $schema . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
545
 
546
  $request_url = str_replace( $blog_url, '', $current_url );
547
+ $request_url = str_replace('index.php/', '', $request_url);
548
+
549
  list( $base, $query ) = explode( '?', $request_url, 2 );
550
 
551
  // Remove trailing slash
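Review bot: `str_replace( 'index.php/', '', $request_url )` (new line 547) removes every occurrence of that substring, not only the leading path component the new comment describes, so a path that contains `index.php/` further along is rewritten as well; anchor it with `preg_replace( '#^index\.php/#', '', $request_url )`. The surrounding context also builds `$current_url` from `$_SERVER['HTTP_HOST']`, which the client controls; when the Host header (or the scheme) does not match `get_bloginfo( 'url' )`, the `str_replace( $blog_url, '', ... )` on line 546 strips nothing and the derived path is wrong for whatever it is later compared against, so derive the path from `$_SERVER['REQUEST_URI']` alone (via `parse_url()`) and strip the blog's path prefix from that.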
584
  {
585
  return str_replace('wp-login.php', $this->login_base, $str);
586
  }
587
+
588
+ /**
589
+ * Send stats
590
+ *
591
+ * Send anyomous stats to help out the development of the plugin.
592
+ * This should be pretty temporary.
593
+ * @access private
594
+ **/
595
+ public function send_stats()
596
+ {
597
+ global $wp_version;
598
+
599
+ $to_post = array(
600
+ 'ld_admin_version' => $this->ld_admin_version,
601
+ 'server' => $_SERVER['HTTP_HOST'],
602
+ 'request_url' => $_SERVER['REQUEST_URI'],
603
+ 'wordpress_version' => $wp_version,
604
+ 'url' => get_bloginfo( 'url' ),
605
+ // I reconsidered this..
606
+ // 'admin_email' => get_bloginfo('admin_email'),
607
+ 'charset' => get_bloginfo('charset'),
608
+ 'login_base' => $this->login_base,
609
+ 'ld_http_auth' => get_option('ld_http_auth'),
610
+ 'ld_hide_wp_admin' => get_option('ld_hide_wp_admin'),
611
+ 'permalink_structure' => get_option('permalink_structure'),
612
+ 'server_software' => $_SERVER['SERVER_SOFTWARE'],
613
+ 'query_string' => $_SERVER['QUERY_STRING'],
614
+ 'wp_version' => $wp_version,
615
+ );
616
+
617
+ if ( function_exists('got_mod_rewrite '))
618
+ $to_post['got_mod_rewrite '] = got_mod_rewrite();
619
+
620
+ $options = array(
621
+ 'timeout' => ( ( defined('DOING_CRON') && DOING_CRON ) ? 30 : 3),
622
+ 'body' => array( 'data' => serialize( $to_post ) ),
623
+ 'user-agent' => 'WordPress/' . $wp_version . '; ' . get_bloginfo( 'url' )
624
+ );
625
+
626
+ $raw_response = wp_remote_post('http://labs.talkingwithsean.com/lockdown-api/main/send/', $options);
627
+
628
+ // Set that we sent it
629
+ set_transient('ld_send_stats', 'true', 604800);
630
+
631
+ // What'd they respond?
632
+ if ( is_wp_error( $raw_response ) )
633
+ return FALSE;
634
+
635
+ if ( 200 != $raw_response['response']['code'] )
636
+ return FALSE;
637
+
638
+ $response = json_decode( unserialize( $raw_response['body'] ) );
639
+
640
+ if ( !is_array( $response ) )
641
+ return FALSE;
642
+
643
+ }
644
  }
645
 
646
  /**
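Review bot: the payload in `send_stats()` includes `login_base`, the hidden login path this plugin exists to protect, together with `HTTP_HOST`, `REQUEST_URI`, `QUERY_STRING` (which on the settings page can carry `_wpnonce` and `delete`) and whatever the `ld_http_auth` option holds, and posts it to http://labs.talkingwithsean.com/ in cleartext with no opt-in; drop `login_base`, `request_url`, `query_string` and `ld_http_auth` from the payload, use https, and tie the call to an opt-in setting. `function_exists( 'got_mod_rewrite ' )` has a trailing space inside the name, so the check never passes, and the array key repeats the same typo. `unserialize( $raw_response['body'] )` feeds a remote response into the PHP unserializer, so anyone able to answer for that host on a plain-http connection can hand every installed site a crafted serialized object (PHP object injection); the decoded `$response` is never used anyway, so remove the parsing, or if a reply is needed use `json_decode( wp_remote_retrieve_body( $raw_response ), true )` and `wp_remote_retrieve_response_code()`. Minor: the docblock says `@access private` on a `public` method, "anyomous" should be "anonymous", and `$wp_version` is sent twice as `wordpress_version` and `wp_version`.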
659
  $auth_obj = new WP_LockAuth();
660
  }
661
 
662
+ add_action('init', 'ld_setup_auth');
663
 
664
+ /* End of file: lockdown-wp-admin.php */
 
 
 
 
 
 
 
 
 
 
 
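Review bot: `ld_get_url_path()` is removed outright (old lines 594-603) while `add_action( 'init', 'ld_setup_auth' )` is only moved; make sure nothing else in the plugin, including the admin.php template, still calls `ld_get_url_path()`, because no deprecated stub is left behind and a remaining call would fatal on every request.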
no-wpmu.php CHANGED
@@ -3,7 +3,6 @@
3
  * We don't want to allow for this plugin to be used in WP-MS or network wide.
4
  *
5
  * @author Sean Fisher
6
- * @version 1.3.5
7
  **/
8
  class Disable_WPMS_Plugin_LD
9
  {
@@ -105,4 +104,6 @@ class Disable_WPMS_Plugin_LD
105
  }
106
 
107
  // The object.
108
- $setup_no_wpmu = new Disable_WPMS_Plugin_LD();
 
 
3
  * We don't want to allow for this plugin to be used in WP-MS or network wide.
4
  *
5
  * @author Sean Fisher
 
6
  **/
7
  class Disable_WPMS_Plugin_LD
8
  {
104
  }
105
 
106
  // The object.
107
+ $setup_no_wpmu = new Disable_WPMS_Plugin_LD();
108
+
109
+ /* End of file: no-wpmu.php */
readme.txt CHANGED
@@ -2,10 +2,10 @@
2
  Contributors: sean212
3
  Donate link: http://talkingwithsean.com/donate/
4
  Link: http://talkingwithsean.com/2011/01/lockdown-wp-admin/
5
- Tags: security, wp-admin, http auth, 404, lockdown, talkingwithsean, secure
6
  Requires at least: 3.0
7
  Tested up to: 3.2
8
- Stable tag: 1.3.5.1
9
 
10
  This plugin will hide /wp-admin/ when you aren't logged in. If a user isn't logged in and they attempt to access /wp-admin/ directly, they will be unable to and it will return a 404.
11
 
@@ -13,11 +13,12 @@ Also, you can add HTTP authentication directly from WP admin and add custom user
13
 
14
  This doesn't touch any .htaccess files or change the WordPress core files. All the CSS/Images under /wp-admin/ are still accessible, just not the .php ones.
15
 
16
- If you enable HTTP authencation, it will add HTTP auth to wthe PHP files in /wp-admin/
 
17
 
18
  == Description ==
19
 
20
- This plugin will hide /wp-admin/ when you aren't logged in. If a user isn't logged in and they attempt to access /wp-admin/ directly, they will be unable to and it will return a 404.
21
 
22
  Also, you can add HTTP authentication directly from WP admin and add custom username/password combinations for the HTTP auth, or use the WordPress credentials.
23
 
@@ -52,4 +53,9 @@ None yet.
52
  * Security fixes that will prevent somebody from possibly hijacking your website. (Props Jon Cave)
53
 
54
  = 1.3.1 =
55
- * Added the ability to change the login URL entirely. It will disable /wp-login.php and give it whatever you want to make it.
 
 
 
 
 
2
  Contributors: sean212
3
  Donate link: http://talkingwithsean.com/donate/
4
  Link: http://talkingwithsean.com/2011/01/lockdown-wp-admin/
5
+ Tags: security, wp-admin, login, hide login, rename login, http auth, 404, lockdown, talkingwithsean, secure
6
  Requires at least: 3.0
7
  Tested up to: 3.2
8
+ Stable tag: 1.4
9
 
10
  This plugin will hide /wp-admin/ when you aren't logged in. If a user isn't logged in and they attempt to access /wp-admin/ directly, they will be unable to and it will return a 404.
11
 
13
 
14
  This doesn't touch any .htaccess files or change the WordPress core files. All the CSS/Images under /wp-admin/ are still accessible, just not the .php ones.
15
 
16
+ If you enable HTTP authencation, it will add HTTP auth to wthe PHP files in /wp-admin/. It will also rename the login URL from /wp-login.php to whatever you want (/login/, /random-stuff/, etc)
17
+
18
 
19
  == Description ==
20
 
21
+ This plugin will hide /wp-admin/ when you aren't logged in. If a user isn't logged in and they attempt to access /wp-admin/ directly, they will be unable to and it will return a 404. It can also rename the login URL.
22
 
23
  Also, you can add HTTP authentication directly from WP admin and add custom username/password combinations for the HTTP auth, or use the WordPress credentials.
24
 
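Review bot: the re-added sentence (new line 16) carries over the two typos from the removed line, "authencation" and "wthe"; correct them to "authentication" and "the" while rewriting it.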
53
  * Security fixes that will prevent somebody from possibly hijacking your website. (Props Jon Cave)
54
 
55
  = 1.3.1 =
56
+ * Added the ability to change the login URL entirely. It will disable /wp-login.php and give it whatever you want to make it.
57
+
58
+ = 1.4 =
59
+ * Fixed a bug with user's with a index.php base
60
+ * Added stats for us to collect about about URL setup and server configuration for our users. This will let us make the plugin even better.
61
+ * Fixed bug for having private user management in WP Admin
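Review bot: the 1.4 changelog entries read "user's with a index.php base" and "about about"; use "users with an index.php base" and drop the duplicated "about". The stats entry should also state what is collected and that it is sent every seven days with no opt-in (see `send_stats()` and the `604800` transient), so users can make an informed choice before updating.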