Version Description
Download this release
Release Info
| Developer | sean212 |
| Plugin |  Lockdown WP Admin |
| Version | 1.5 |
| Comparing to | |
| See all releases | |
Code changes from version 1.4.1 to 1.5
- admin.php +52 -56
- lockdown-wp-admin.php +20 -6
- readme.txt +20 -13
admin.php
CHANGED
|
@@ -1,71 +1,67 @@
|
|
| 1 |
<div class="wrap">
|
| 2 |
-
<div id="icon-options-general" class="icon32"></div
|
| 3 |
-
|
| 4 |
-
<?php if ( defined('LD_WP_ADMIN') && LD_WP_ADMIN == TRUE ) { ?>
|
| 5 |
-
<div class="updated fade"
|
| 6 |
-
|
|
|
|
|
|
|
| 7 |
if ( defined('LD_DIS_BASE') && LD_DIS_BASE == TRUE )
|
| 8 |
{
|
| 9 |
-
|
| 10 |
-
|
|
|
|
|
|
|
|
|
|
| 11 |
}
|
| 12 |
?>
|
| 13 |
-
|
| 14 |
<p>We are going to help make WordPress a bit more secure.</p>
|
| 15 |
<p><a href="http://twitter.com/talkingwithsean"><img src="http://twitter-badges.s3.amazonaws.com/follow_me-c.png" width="160" height="27" /></a><br />
|
| 16 |
-
I tweet a lot of cool things and often post whenever I update this plugin. <a href="http://twitter.com/talkingwithsean">@talkingwithsean</a></p>
|
| 17 |
-
|
| 18 |
-
|
| 19 |
-
|
| 20 |
-
<form method="POST" action="<?php echo admin_url('admin.php?page=lockdown-wp-admin'); ?>">
|
| 21 |
-
|
| 22 |
-
<?php
|
| 23 |
// Nonces
|
| 24 |
wp_nonce_field('lockdown-wp-admin');
|
| 25 |
?>
|
| 26 |
-
|
| 27 |
-
|
| 28 |
-
|
| 29 |
-
|
| 30 |
-
|
| 31 |
-
|
| 32 |
-
|
| 33 |
-
|
| 34 |
-
|
| 35 |
-
|
| 36 |
-
|
| 37 |
-
|
| 38 |
-
<?php
|
|
|
|
| 39 |
global $auth_obj;
|
| 40 |
$url = wp_guess_url() . '/'. $this->login_base;
|
| 41 |
?>
|
| 42 |
-
<p>Your current login URL is <code><a href="<?php echo $url; ?>"><?php echo $url; ?></a></code>.</p>
|
| 43 |
-
|
| 44 |
-
<
|
| 45 |
-
<p>If you are using a cache plugin (WTC, WP Super Cache, etc), you need to enable it to not cache the above base. That means (for most caching plugins) adding whatever you enter into the box above into your plugins Caching Whitelist, that is the list of URLs that your plugin doesn't cache. If you have any questions, tweet me @talkingwithsean.</p
|
| 46 |
-
|
| 47 |
-
|
| 48 |
-
|
| 49 |
-
|
| 50 |
-
|
| 51 |
-
|
| 52 |
-
|
| 53 |
-
|
| 54 |
-
|
| 55 |
-
|
| 56 |
-
|
| 57 |
-
|
| 58 |
-
|
| 59 |
-
|
| 60 |
-
|
| 61 |
-
|
| 62 |
-
|
| 63 |
-
|
| 64 |
-
|
| 65 |
-
|
| 66 |
-
<input class='button-primary' type='submit' name='Save' value='<?php _e('Save Options'); ?>' id='submitbutton' />
|
| 67 |
-
|
| 68 |
-
|
| 69 |
</form>
|
| 70 |
-
|
| 71 |
</div>
|
| 1 |
<div class="wrap">
|
| 2 |
+
<div id="icon-options-general" class="icon32"></div>
|
| 3 |
+
<h2>Lockdown WordPress Admin</h2>
|
| 4 |
+
<?php if ( defined('LD_WP_ADMIN') && LD_WP_ADMIN == TRUE ) { ?>
|
| 5 |
+
<div class="updated fade">
|
| 6 |
+
<p>Options updated!</p>
|
| 7 |
+
</div>
|
| 8 |
+
<?php }
|
| 9 |
if ( defined('LD_DIS_BASE') && LD_DIS_BASE == TRUE )
|
| 10 |
{
|
| 11 |
+
?>
|
| 12 |
+
<div class="updated fade">
|
| 13 |
+
<p>You can't make that your URL Base! </p>
|
| 14 |
+
</div>
|
| 15 |
+
<?php
|
| 16 |
}
|
| 17 |
?>
|
|
|
|
| 18 |
<p>We are going to help make WordPress a bit more secure.</p>
|
| 19 |
<p><a href="http://twitter.com/talkingwithsean"><img src="http://twitter-badges.s3.amazonaws.com/follow_me-c.png" width="160" height="27" /></a><br />
|
| 20 |
+
I tweet a lot of cool things and often post whenever I update this plugin. <a href="http://twitter.com/talkingwithsean">@talkingwithsean</a></p>
|
| 21 |
+
<form method="POST" action="<?php echo admin_url('admin.php?page=lockdown-wp-admin'); ?>">
|
| 22 |
+
<?php
|
|
|
|
|
|
|
|
|
|
|
|
|
| 23 |
// Nonces
|
| 24 |
wp_nonce_field('lockdown-wp-admin');
|
| 25 |
?>
|
| 26 |
+
<h3>Hide WP Admin</h3>
|
| 27 |
+
<p>We can "hide" WordPress's administration interface from the public. If you enable this, when you access <code><?php echo admin_url(); ?></code> when you <strong>aren't</strong> logged in, you will recieve a <a href="http://en.wikipedia.org/wiki/HTTP_404">404 error page</a> instead of redirecting to the login page.</p>
|
| 28 |
+
<label>
|
| 29 |
+
<input type="checkbox" name="hide_wp_admin" value="yep" <?php if ( get_option('ld_hide_wp_admin') === 'yep' ) { ?> checked <?php } ?>>
|
| 30 |
+
Yes, please hide WP Admin from the user when they aren't logged in.</label>
|
| 31 |
+
<br />
|
| 32 |
+
<br />
|
| 33 |
+
<h3>WordPress Login URL</h3>
|
| 34 |
+
<label> Change the WordPress Login URL? <?php echo wp_guess_url().'/'; ?>
|
| 35 |
+
<input type="text" name="login_base" value="<?php echo $this->login_base; ?>" />
|
| 36 |
+
<br />
|
| 37 |
+
<em>This will change it from <?php echo wp_guess_url(); ?>/wp-login.php to whatever you put in this box. If you leave it <strong>black</strong>, it will be disabled.<br />
|
| 38 |
+
Say if you put "login" into the box, your new login URL will be <?php echo wp_guess_url(); ?>/login/.</em></label>
|
| 39 |
+
<?php
|
| 40 |
global $auth_obj;
|
| 41 |
$url = wp_guess_url() . '/'. $this->login_base;
|
| 42 |
?>
|
| 43 |
+
<p>Your current login URL is <code><a href="<?php echo $url; ?>"><?php echo $url; ?></a></code>.</p>
|
| 44 |
+
<blockquote>
|
| 45 |
+
<h4>Please Note Something!</h4>
|
| 46 |
+
<p>If you are using a cache plugin (WTC, WP Super Cache, etc), you need to enable it to not cache the above base. That means (for most caching plugins) adding whatever you enter into the box above into your plugins Caching Whitelist, that is the list of URLs that your plugin doesn't cache. If you have any questions, tweet me @talkingwithsean.</p>
|
| 47 |
+
</blockquote>
|
| 48 |
+
<h3>HTTP Authentication</h3>
|
| 49 |
+
<p>Please read about HTTP Authentication on <a href="http://en.wikipedia.org/wiki/Basic_access_authentication">http://en.wikipedia.org/wiki/Basic_access_authentication</a>.</p>
|
| 50 |
+
<?php $http_auth_type = get_option('ld_http_auth'); ?>
|
| 51 |
+
<label>
|
| 52 |
+
<input name="http_auth" type="radio" value="none" <?php if ( $http_auth_type === '' || $http_auth_type === 'none' || !$http_auth_type ) { ?>checked<?php } ?>>
|
| 53 |
+
Disable HTTP Auth.</label>
|
| 54 |
+
<div class="clear"></div>
|
| 55 |
+
<label>
|
| 56 |
+
<input type="radio" name="http_auth" <?php if ( $http_auth_type === 'wp_creds' ) { ?>checked<?php } ?> value="wp_creds">
|
| 57 |
+
WordPress Login Credentials</label>
|
| 58 |
+
<div class="clear"></div>
|
| 59 |
+
<label>
|
| 60 |
+
<input type="radio" name="http_auth" <?php if ( $http_auth_type === 'private' ) { ?>checked<?php } ?> value="private">
|
| 61 |
+
Private Usernames/Passwords</label>
|
| 62 |
+
<div class="clear"></div>
|
| 63 |
+
<br>
|
| 64 |
+
<input type="hidden" name="did_update" value="yes_we_did">
|
| 65 |
+
<input class='button-primary' type='submit' name='Save' value='<?php _e('Save Options'); ?>' id='submitbutton' />
|
|
|
|
|
|
|
|
|
|
|
|
|
| 66 |
</form>
|
|
|
|
| 67 |
</div>
|
lockdown-wp-admin.php
CHANGED
|
@@ -3,7 +3,7 @@
|
|
| 3 |
Plugin Name: Lockdown WordPress Admin
|
| 4 |
Plugin URI: http://talkingwithsean.com/2011/01/lockdown-wp-admin/
|
| 5 |
Description: Securing the WordPress Administration interface.
|
| 6 |
-
Version: 1.
|
| 7 |
Author: Sean Fisher
|
| 8 |
Author URI: http://talkingwithsean.com/
|
| 9 |
License: GPL v3
|
|
@@ -17,8 +17,8 @@ define('LD_FILE_NAME', __FILE__ );
|
|
| 17 |
/**
|
| 18 |
* This is the plugin that will add security to our site
|
| 19 |
*
|
| 20 |
-
* @author Sean Fisher <
|
| 21 |
-
* @version 1.
|
| 22 |
* @license GPL v3
|
| 23 |
**/
|
| 24 |
class WP_LockAuth {
|
|
@@ -29,7 +29,7 @@ class WP_LockAuth {
|
|
| 29 |
* @param string
|
| 30 |
* @access private
|
| 31 |
**/
|
| 32 |
-
private $ld_admin_version = '1.
|
| 33 |
|
| 34 |
/**
|
| 35 |
* The HTTP Auth name for the protected area
|
|
@@ -290,7 +290,7 @@ class WP_LockAuth {
|
|
| 290 |
return;
|
| 291 |
|
| 292 |
// We're gonna hide it.
|
| 293 |
-
$no_check_files = array('async-upload.php');
|
| 294 |
$no_check_files = apply_filters('no_check_files', $no_check_files);
|
| 295 |
|
| 296 |
$explode = explode('/', $_SERVER['SCRIPT_FILENAME'] );
|
|
@@ -310,7 +310,21 @@ class WP_LockAuth {
|
|
| 310 |
// If they AREN'T logged in and they tried to access wp-admin
|
| 311 |
// we'll just serve them a 404!
|
| 312 |
status_header(404);
|
| 313 |
-
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 314 |
|
| 315 |
exit;
|
| 316 |
}
|
| 3 |
Plugin Name: Lockdown WordPress Admin
|
| 4 |
Plugin URI: http://talkingwithsean.com/2011/01/lockdown-wp-admin/
|
| 5 |
Description: Securing the WordPress Administration interface.
|
| 6 |
+
Version: 1.5
|
| 7 |
Author: Sean Fisher
|
| 8 |
Author URI: http://talkingwithsean.com/
|
| 9 |
License: GPL v3
|
| 17 |
/**
|
| 18 |
* This is the plugin that will add security to our site
|
| 19 |
*
|
| 20 |
+
* @author Sean Fisher <sean@talkingwithsean.com>
|
| 21 |
+
* @version 1.5
|
| 22 |
* @license GPL v3
|
| 23 |
**/
|
| 24 |
class WP_LockAuth {
|
| 29 |
* @param string
|
| 30 |
* @access private
|
| 31 |
**/
|
| 32 |
+
private $ld_admin_version = '1.5';
|
| 33 |
|
| 34 |
/**
|
| 35 |
* The HTTP Auth name for the protected area
|
| 290 |
return;
|
| 291 |
|
| 292 |
// We're gonna hide it.
|
| 293 |
+
$no_check_files = array('async-upload.php', 'admin-ajax.php', 'wp-app.php');
|
| 294 |
$no_check_files = apply_filters('no_check_files', $no_check_files);
|
| 295 |
|
| 296 |
$explode = explode('/', $_SERVER['SCRIPT_FILENAME'] );
|
| 310 |
// If they AREN'T logged in and they tried to access wp-admin
|
| 311 |
// we'll just serve them a 404!
|
| 312 |
status_header(404);
|
| 313 |
+
$four_tpl = get_404_template();
|
| 314 |
+
if ( empty($four_tpl) OR !file_exists($four_tpl) )
|
| 315 |
+
{
|
| 316 |
+
// We're gonna try and get TwentyTen's one
|
| 317 |
+
$twenty_ten_tpl = WP_CONTENT_DIR . '/themes/twentyten/404.php';
|
| 318 |
+
if (file_exists($twenty_ten_tpl))
|
| 319 |
+
require($twenty_ten_tpl);
|
| 320 |
+
else
|
| 321 |
+
wp_die('404 - File not found!', '', array('response' => 404));
|
| 322 |
+
}
|
| 323 |
+
else
|
| 324 |
+
{
|
| 325 |
+
// Their theme has a template!
|
| 326 |
+
require( $four_tpl );
|
| 327 |
+
}
|
| 328 |
|
| 329 |
exit;
|
| 330 |
}
|
readme.txt
CHANGED
|
@@ -5,16 +5,9 @@ Link: http://talkingwithsean.com/2011/01/lockdown-wp-admin/
|
|
| 5 |
Tags: security, wp-admin, login, hide login, rename login, http auth, 404, lockdown, talkingwithsean, secure
|
| 6 |
Requires at least: 3.0
|
| 7 |
Tested up to: 3.2
|
| 8 |
-
Stable tag: 1.
|
| 9 |
-
|
| 10 |
-
This plugin will hide /wp-admin/ when you aren't logged in. If a user isn't logged in and they attempt to access /wp-admin/ directly, they will be unable to and it will return a 404.
|
| 11 |
-
|
| 12 |
-
Also, you can add HTTP authentication directly from WP admin and add custom username/password combinations for the HTTP auth, or use the WordPress credentials.
|
| 13 |
-
|
| 14 |
-
This doesn't touch any .htaccess files or change the WordPress core files. All the CSS/Images under /wp-admin/ are still accessible, just not the .php ones.
|
| 15 |
-
|
| 16 |
-
If you enable HTTP authencation, it will add HTTP auth to wthe PHP files in /wp-admin/. It will also rename the login URL from /wp-login.php to whatever you want (/login/, /random-stuff/, etc)
|
| 17 |
|
|
|
|
| 18 |
|
| 19 |
== Description ==
|
| 20 |
|
|
@@ -27,17 +20,27 @@ This doesn't touch any .htaccess files or change the WordPress core files. All t
|
|
| 27 |
If you enable HTTP authencation, it will add HTTP auth to the PHP files in /wp-admin/
|
| 28 |
|
| 29 |
== Installation ==
|
| 30 |
-
|
| 31 |
1. Upload `/lockdown-wp-admin/` to the `/wp-content/plugins/` directory
|
| 32 |
2. Activate the plugin through the 'Plugins' menu in WordPress
|
| 33 |
3. Navigate to the "Lockdown WP" menu
|
| 34 |
|
| 35 |
== Frequently Asked Questions ==
|
|
|
|
| 36 |
|
| 37 |
-
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 38 |
|
| 39 |
-
|
| 40 |
|
|
|
|
| 41 |
= 1.0 =
|
| 42 |
* Initial release
|
| 43 |
|
|
@@ -58,4 +61,8 @@ None yet.
|
|
| 58 |
= 1.4 =
|
| 59 |
* Fixed a bug with user's with a index.php base
|
| 60 |
* Added stats for us to collect about about URL setup and server configuration for our users. This will let us make the plugin even better.
|
| 61 |
-
* Fixed bug for having private user management in WP Admin
|
|
|
|
|
|
|
|
|
|
|
|
| 5 |
Tags: security, wp-admin, login, hide login, rename login, http auth, 404, lockdown, talkingwithsean, secure
|
| 6 |
Requires at least: 3.0
|
| 7 |
Tested up to: 3.2
|
| 8 |
+
Stable tag: 1.5
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9 |
|
| 10 |
+
This plugin will lockdown WP Admin. It can hide wp-admin and wp-login as well as add HTTP auth to the login system. It can change the login URL.
|
| 11 |
|
| 12 |
== Description ==
|
| 13 |
|
| 20 |
If you enable HTTP authencation, it will add HTTP auth to the PHP files in /wp-admin/
|
| 21 |
|
| 22 |
== Installation ==
|
|
|
|
| 23 |
1. Upload `/lockdown-wp-admin/` to the `/wp-content/plugins/` directory
|
| 24 |
2. Activate the plugin through the 'Plugins' menu in WordPress
|
| 25 |
3. Navigate to the "Lockdown WP" menu
|
| 26 |
|
| 27 |
== Frequently Asked Questions ==
|
| 28 |
+
How can we add files to the whitelist to hide from the public eye? We want to have AJAX and use a custom file, but we can't because it hides it from the public.
|
| 29 |
|
| 30 |
+
You can add a file using the 'no_check_files' filter. Use this:
|
| 31 |
+
<?php
|
| 32 |
+
function add_my_cool_filter($data)
|
| 33 |
+
{
|
| 34 |
+
// You have to accept the $data argument or else it will cause a system meltdown ;)
|
| 35 |
+
$data[] = 'my-file-name.php'; // JUST the file name.
|
| 36 |
+
return $data;
|
| 37 |
+
}
|
| 38 |
+
add_filter('no_check_files', 'add_my_cool_filter');
|
| 39 |
+
?>
|
| 40 |
|
| 41 |
+
Simple.
|
| 42 |
|
| 43 |
+
== Changelog ==
|
| 44 |
= 1.0 =
|
| 45 |
* Initial release
|
| 46 |
|
| 61 |
= 1.4 =
|
| 62 |
* Fixed a bug with user's with a index.php base
|
| 63 |
* Added stats for us to collect about about URL setup and server configuration for our users. This will let us make the plugin even better.
|
| 64 |
+
* Fixed bug for having private user management in WP Admin
|
| 65 |
+
|
| 66 |
+
= 1.4.2 =
|
| 67 |
+
* Bug fixes
|
| 68 |
+
* Added `admin-ajax.php` to the files that we permit to be access in wp-admin.
|
