Lockdown WP Admin - Version 1.8

Version Description

  • Finally discovered why so many users had HTTP auth errors. Fixed it to support almost 80% of hosts out there.
  • If you still have problems, shoot me an email.

Release Info

Developer sean212
Version 1.8

Code changes from version 1.7 to 1.8

Files changed (5)
  1. admin-private-users.php +1 -0
  2. admin.php +1 -0
  3. lockdown-wp-admin.php +82 -68
  4. no-wpmu.php +1 -1
  5. readme.txt +8 -4
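--- a/admin-private-users.php
+++ b/admin-private-users.php
@@ -1,3 +1,4 @@
+<?php if (! defined('ABSPATH')) exit; ?>
 <div class="wrap">
 <div id="icon-options-general" class="icon32"></div><h2>HTTP Authentication Private Users</h2>
 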
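--- a/admin.php
+++ b/admin.php
@@ -1,3 +1,4 @@
+<?php if (! defined('ABSPATH')) exit; ?>
 <div class="wrap">
 <div id="icon-options-general" class="icon32"></div>
 <h2>Lockdown WordPress Admin</h2>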
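--- a/lockdown-wp-admin.php
+++ b/lockdown-wp-admin.php
@@ -1,12 +1,12 @@
-<?php
+<?php if (! defined('ABSPATH')) exit;
 /*
 Plugin Name: Lockdown WordPress Admin
 Plugin URI: http://talkingwithsean.com/2011/01/lockdown-wp-admin/
 Description: Securing the WordPress Administration interface.
-Version: 1.7
+Version: 1.8
 Author: Sean Fisher
 Author URI: http://talkingwithsean.com/
-License: GPL v3
+License: GPL
 */
 
 // This file name
@@ -16,8 +16,8 @@ define('LD_FILE_NAME', __FILE__ );
 * This is the plugin that will add security to our site
 *
 * @author Sean Fisher <sean@talkingwithsean.com>
-* @version 1.7
-* @license GPL v3
+* @version 1.8
+* @license GPL
 **/
 class WP_LockAuth {
 
@@ -27,7 +27,7 @@ class WP_LockAuth {
 * @param string
 * @access private
 **/
-private $ld_admin_version = '1.7';
+private $ld_admin_version = '1.8';
 
 /**
 * The HTTP Auth name for the protected area
@@ -66,8 +66,41 @@ class WP_LockAuth {
 // Hide the login form
 $this->redo_login_form();
 
-// We no longer update the options here, but rather when we call on the callback function from the menu.
-// More secure.
+// We no longer update the options here, but rather when we call on the callback function from the menu, more secure.
+}
+
+/**
+* Get a username and password from the HTTP auth
+*
+* @return array|bool
+**/
+function get_http_auth_creds()
+{
+// Since PHP saves the HTTP Password in a bunch of places, we have to be able to test for all of them
+$username = NULL;
+$password = NULL;
+
+// mod_php
+if (isset($_SERVER['PHP_AUTH_USER']))
+{
+$username = $_SERVER['PHP_AUTH_USER'];
+$password = $_SERVER['PHP_AUTH_PW'];
+}
+
+// most other servers
+elseif ($_SERVER['HTTP_AUTHENTICATION'])
+{
+if (strpos(strtolower($_SERVER['HTTP_AUTHENTICATION']),'basic') === 0)
+{
+list($username,$password) = explode(':',base64_decode(substr($_SERVER['HTTP_AUTHENTICATION'], 6)));
+}
+}
+
+// Check them - if they're null a/o empty, they're invalid.
+if ( is_null($username) OR is_null($password) OR empty($username) OR empty($password))
+return FALSE;
+else
+return array('username' => $username, 'password' => $password);
 }
 
 /**
@@ -108,7 +141,6 @@ class WP_LockAuth {
 update_option('ld_private_users', $users);
 
 define('LD_WP_ADMIN', TRUE);
-//wp_redirect( admin_url('admin.php?page=lockdown-private-users&updated=true'));
 return;
 }
 }
@@ -168,6 +200,7 @@ class WP_LockAuth {
 
 // ---------------------------------------------------
 // They're updating.
+// ---------------------------------------------------
 if ( isset( $_POST['http_auth'] ) )
 update_option('ld_http_auth', trim( strtolower( $_POST['http_auth'] ) ) );
 else
@@ -231,39 +264,6 @@ class WP_LockAuth {
 exit;
 }
 
-/**
-* Check for a HTTP auth session
-*
-* If they find one, we will setup the 'INTERNAL_AUTH_PASSED' constant.
-* If they failed, it will send the HTTP auth headers to get the username/
-* password.
-*
-* @uses self::inauth_headers() When we need the username/pass
-* @access public
-**/
-public function setup()
-{
-/* Check for values in $PHP_AUTH_USER and $PHP_AUTH_PW */
-if ((!isset($_SERVER['PHP_AUTH_USER'])) || (!isset($_SERVER['PHP_AUTH_PW']))) {
-$this->inauth_headers();
-
-} else if ((isset($_SERVER['PHP_AUTH_USER'])) && (isset($_SERVER['PHP_AUTH_PW']))){
-
-/* Values contain some values, so check to see if they're correct */
-
-if (($_SERVER['PHP_AUTH_USER'] != $this->current_user) || (md5($_SERVER['PHP_AUTH_PW']) != $this->current_pass)) {
-/* If either the username entered is incorrect, or the password entered is incorrect, send the headers causing dialog box to appear */
-$this->inauth_headers();
-
-} else if (($_SERVER['PHP_AUTH_USER'] === $this->current_user) || ( md5($_SERVER['PHP_AUTH_PW'] ) === $this->current_pass)) {
-
-/* if both values are correct, print success message */
-// We're good here!
-define('INTERNAL_AUTH_PASSED', TRUE);
-}
-}
-}
-
 /**
 * Get the users for the private creds
 *
@@ -287,9 +287,12 @@ class WP_LockAuth {
 {
 $opt = get_option('ld_hide_wp_admin');
 
-// Nope!
+// Nope, they didn't enable it.
 if ( $opt !== 'yep' )
+{
+$this->setup_http_area();
 return;
+}
 
 // We're gonna hide it.
 $no_check_files = array('async-upload.php', 'admin-ajax.php', 'wp-app.php');
@@ -307,7 +310,7 @@ class WP_LockAuth {
 if ( is_admin() )
 {
 // Non logged in users.
-if ( !is_user_logged_in() )
+if ( ! is_user_logged_in() )
 {
 // If they AREN'T logged in and they tried to access wp-admin
 // we'll just serve them a 404!
@@ -328,6 +331,7 @@ class WP_LockAuth {
 require( $four_tpl );
 }
 
+// Either way, it's gonna stop right here.
 exit;
 }
 
@@ -363,23 +367,23 @@ class WP_LockAuth {
 // We save what type of auth we're doing here.
 $opt = get_option('ld_http_auth');
 
+// What type of auth are we doing?
 switch( $opt )
 {
 // HTTP auth is going to ask for their WordPress creds.
 case('wp_creds');
-
-/* Check for values in $PHP_AUTH_USER and $PHP_AUTH_PW */
-if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']))
-$this->inauth_headers();
+$creds = $this->get_http_auth_creds();
+if (! $creds )
+$this->inauth_headers(); // Invalid credentials
 
 // Are they already logged in as this?
 $current_uid = get_current_user_id();
 
 // We fixed this for use with non WP-MS sites
-$requested_user = get_user_by('login', $_SERVER['PHP_AUTH_USER']);
+$requested_user = get_user_by('login', $creds['username']);
 
 // Not a valid user.
-if ( !$requested_user )
+if (! $requested_user )
 $this->inauth_headers();
 
 // The correct User ID.
@@ -393,11 +397,11 @@ class WP_LockAuth {
 }
 
 // Attempt to sign them in if they aren't alerady
-if ( !is_user_logged_in() ) :
+if (! is_user_logged_in() ) :
 // Try it via wp_signon
 $creds = array();
-$creds['user_login'] = $_SERVER['PHP_AUTH_USER'];
-$creds['user_password'] = $_SERVER['PHP_AUTH_PW'];
+$creds['user_login'] = $creds['username'];
+$creds['user_password'] = $creds['password'];
 $creds['remember'] = true;
 $user = wp_signon( $creds, false );
 
@@ -408,30 +412,34 @@ class WP_LockAuth {
 
 // They passed!
 define('INTERNAL_AUTH_PASSED', TRUE);
-break;
+break;
 
+// Private list of users to check
 case('private');
 $users = $this->get_private_users();
 
-// We want a user to exist
-// If nobody is found, we won't lock them out!
-if ( !$users || !is_array( $users ) )
+// We want a user to exist.
+// If nobody is found, we won't lock them out!
+if ( ! $users || ! is_array( $users ) )
 return;
 
 // Let's NOT lock everybody out
-if ( count( $users ) === 0 )
+if ( count( $users ) < 1 )
 return;
 
-/* Check for values in $PHP_AUTH_USER and $PHP_AUTH_PW */
-if ( !isset( $_SERVER['PHP_AUTH_USER'] ) || !isset( $_SERVER['PHP_AUTH_PW'] ) )
+// Get the HTTP auth creds
+$creds = $this->get_http_auth_creds();
+
+// Invalid creds
+if (! $creds )
 $this->inauth_headers();
 
 // Did they enter a valid user?
-if ( $this->user_array_check( $users, $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) )
+if ( $this->user_array_check( $users, $creds['username'], $creds['password'] ) )
 {
 // Yes!!
 define('INTERNAL_AUTH_PASSED', TRUE);
-$this->set_current_user( $users, $_SERVER['PHP_AUTH_USER'] );
+$this->set_current_user( $users, $creds['username'] );
 return;
 }
 else
@@ -441,7 +449,12 @@ class WP_LockAuth {
 return;
 }
 
-break;
+break;
+
+// Unknown type of auth
+default;
+return FALSE;
+break;
 }
 
 }
@@ -455,7 +468,7 @@ class WP_LockAuth {
 * @param string $user The username to check for
 * @param string $pass The password to check for (plain text)
 **/
-function user_array_check( $array, $user, $pass )
+public function user_array_check( $array, $user, $pass )
 {
 foreach( $array as $key => $val )
 {
@@ -471,7 +484,7 @@ class WP_LockAuth {
 *
 * @access private
 **/
-function set_current_user( $array, $user )
+private function set_current_user( $array, $user )
 {
 foreach( $array as $key => $val )
 {
@@ -604,8 +617,8 @@ class WP_LockAuth {
 *
 * @return void
 * @access private
-* @version 1.0
-* @see do_action() Called by the 'init' hook'
+* @since 1.0
+* @see do_action() Called by the 'init' action.
 **/
 function ld_setup_auth()
 {
@@ -615,4 +628,5 @@ function ld_setup_auth()
 
 add_action('init', 'ld_setup_auth');
 
-/* End of file: lockdown-wp-admin.php */
+/* End of file: lockdown-wp-admin.php */
+/* Code is poetry. */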
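Review bot: In the wp_creds branch the sign-on array overwrites the credentials it is about to read: `$creds = array();` at new line 402 discards the result of `get_http_auth_creds()` obtained at line 375, so `$creds['user_login'] = $creds['username'];` and the password line after it assign null and `wp_signon()` runs with empty credentials for every visitor who is not already logged in. Build the sign-on array under its own name — `$signon = array();`, `$signon['user_login'] = $creds['username'];`, `$signon['user_password'] = $creds['password'];` — and pass `$signon` (with its `remember` key) to `wp_signon()`. In the new `get_http_auth_creds()`, line 91 reads `$_SERVER['HTTP_AUTHENTICATION']` without `isset()` and line 95 splits the decoded value with a two-element `list()`, so a request with neither credential source raises a notice and a password containing ':' is truncated; `isset(...)` on the elseif and `explode(':', ..., 2)` would cover both. Browsers send Basic credentials in the `Authorization` header, which PHP exposes as `HTTP_AUTHORIZATION` when the server passes it through, so the `HTTP_AUTHENTICATION` key presumably relies on host-specific configuration — worth confirming against the hosts this release targets. The method containing the `switch( $opt )` starts and ends outside the shown hunks.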
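--- a/no-wpmu.php
+++ b/no-wpmu.php
@@ -1,4 +1,4 @@
-<?php
+<?php if (! defined('ABSPATH')) exit;
 /**
 * We don't want to allow for this plugin to be used in WP-MS or network wide.
 *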
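--- a/readme.txt
+++ b/readme.txt
@@ -5,7 +5,7 @@ Link: http://talkingwithsean.com/2011/01/lockdown-wp-admin/
 Tags: security, wp-admin, login, hide login, rename login, http auth, 404, lockdown, talkingwithsean, secure
 Requires at least: 3.0
 Tested up to: 3.2
-Stable tag: 1.7
+Stable tag: 1.8
 
 This plugin will lockdown WP Admin. It can hide wp-admin and wp-login as well as add HTTP auth to the login system. It can change the login URL.
 
@@ -28,7 +28,7 @@ If you enable HTTP authencation, it will add HTTP auth to the PHP files in /wp-a
 = How can we add files to the whitelist to hide from the public eye? We want to have AJAX and use a custom file, but we can't because it hides it from the public. =
 
 You can add a file using the 'no_check_files' filter. Use this:
-<?php
+`
 function add_my_cool_filter($data)
 {
 // You have to accept the $data argument or else it will cause a system meltdown ;)
@@ -36,7 +36,7 @@ You can add a file using the 'no_check_files' filter. Use this:
 return $data;
 }
 add_filter('no_check_files', 'add_my_cool_filter');
-?>
+`
 
 Simple.
 
@@ -75,4 +75,8 @@ You can create a .txt file named 'disable_auth.txt' in your wp-content/plugins/l
 * Added way to get back into WP-ADMIN if locked out (See the FAQ)
 
 = 1.7 =
-* Removed the stats that were collected to that we could understand the issues that users were having with the plugin.
+* Removed the stats that were collected to that we could understand the issues that users were having with the plugin.
+
+= 1.8 =
+* Finally discovered why so many users had HTTP auth errors. Fixed it to support almost 80% of hosts out there.
+* If you still have problems, shoot me an email.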