Password Protected - Version 2.0.1

Version Description

  • Security fix: Use a more complex password hash for cookie key. Props Marcin Bury, Securitum.
  • Split logout functionality into separate function.

Release Info

Developer husobj
Version 2.0.1

Code changes from version 2.0 to 2.0.1

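--- a/languages/password-protected.pot
+++ b/languages/password-protected.pot
@@ -4,188 +4,200 @@ msgid ""
  msgstr ""
  "Project-Id-Version: Password Protected\n"
  "Report-Msgid-Bugs-To: http://wordpress.org/tag/password-protected\n"
- "POT-Creation-Date: 2014-04-15 00:07-0000\n"
- "PO-Revision-Date: 2014-04-15 00:07-0000\n"
+ "POT-Creation-Date: 2015-05-14 23:14-0000\n"
+ "PO-Revision-Date: 2015-05-14 23:15-0000\n"
  "Last-Translator: Ben Huson <ben@thewhiteroom.net>\n"
  "Language-Team: LANGUAGE\n"
  "Language: en_US\n"
  "MIME-Version: 1.0\n"
  "Content-Type: text/plain; charset=UTF-8\n"
  "Content-Transfer-Encoding: 8bit\n"
- "X-Generator: Poedit 1.6.2\n"
+ "X-Generator: Poedit 1.7.5\n"
  "X-Poedit-KeywordsList: __;_e;_ex;_x\n"
  "X-Poedit-Basepath: ./\n"
  "Plural-Forms: nplurals=2; plural=(n != 1);\n"
  "X-Poedit-SearchPath-0: ..\n"
 
- #: ../password-protected.php:115
- #, php-format
- msgid ""
- "Feeds are not available for this site. Please visit the <a href=\"%s"
- "\">website</a>."
- msgstr ""
-
- #: ../password-protected.php:183
- msgid "Incorrect Password"
- msgstr ""
-
- #: ../password-protected.php:427
- msgid ""
- "The Password Protected plugin does not work with WP Engine hosting. Please "
- "disable it."
- msgstr ""
-
- #: ../admin/admin.php:26 ../admin/admin.php:63
+ #: ../admin/admin.php:30 ../admin/admin.php:80
  msgid "Password Protected"
  msgstr ""
 
- #: ../admin/admin.php:36
+ #: ../admin/admin.php:43
  msgid "Password Protected Settings"
  msgstr ""
 
- #: ../admin/admin.php:40
+ #: ../admin/admin.php:49
  msgid "Save Changes"
  msgstr ""
 
- #: ../admin/admin.php:64
+ #: ../admin/admin.php:81
  msgid ""
  "<p><strong>Password Protected Status</strong><br />Turn on/off password "
  "protection.</p>"
  msgstr ""
 
- #: ../admin/admin.php:65
+ #: ../admin/admin.php:82
  msgid ""
- "<p><strong>Protected Permissions</strong><br />Allow access for logged in "
- "users and administrators without needing to enter a password. You will need "
- "to enable this option if you want administrators to be able to preview the "
- "site in the Theme Customizer. Also allow RSS Feeds to be accessed when the "
- "site is password protected.</p>"
+ "<p><strong>Protected Permissions</strong><br />Allow access for logged in users "
+ "and administrators without needing to enter a password. You will need to enable "
+ "this option if you want administrators to be able to preview the site in the "
+ "Theme Customizer. Also allow RSS Feeds to be accessed when the site is password "
+ "protected.</p>"
  msgstr ""
 
- #: ../admin/admin.php:66
+ #: ../admin/admin.php:83
  msgid ""
- "<p><strong>Password Fields</strong><br />To set a new password, enter it "
- "into both fields. You cannot set an `empty` password. To disable password "
- "protection uncheck the Enabled checkbox.</p>"
+ "<p><strong>Password Fields</strong><br />To set a new password, enter it into "
+ "both fields. You cannot set an `empty` password. To disable password protection "
+ "uncheck the Enabled checkbox.</p>"
  msgstr ""
 
- #: ../admin/admin.php:82
+ #: ../admin/admin.php:102
  msgid "Password Protected Status"
  msgstr ""
 
- #: ../admin/admin.php:89
+ #: ../admin/admin.php:110
  msgid "Protected Permissions"
  msgstr ""
 
- #: ../admin/admin.php:96
+ #: ../admin/admin.php:118
  msgid "New Password"
  msgstr ""
 
- #: ../admin/admin.php:120
+ #: ../admin/admin.php:126
+ msgid "Allow IP Addresses"
+ msgstr ""
+
+ #: ../admin/admin.php:155
  msgid ""
  "New password not saved. When setting a new password please enter it in both "
  "fields."
  msgstr ""
 
- #: ../admin/admin.php:123
+ #: ../admin/admin.php:158
  msgid "New password not saved. Password fields did not match."
  msgstr ""
 
- #: ../admin/admin.php:126
+ #: ../admin/admin.php:161
  msgid "New password saved."
  msgstr ""
 
- #: ../admin/admin.php:138
+ #: ../admin/admin.php:195
  msgid ""
- "Password protect your web site. Users will be asked to enter a password to "
- "view the site."
+ "Password protect your web site. Users will be asked to enter a password to view "
+ "the site."
  msgstr ""
 
- #: ../admin/admin.php:139
+ #: ../admin/admin.php:196
  msgid ""
- "For more information about Password Protected settings, view the \"Help\" "
- "tab at the top of this page."
+ "For more information about Password Protected settings, view the \"Help\" tab at "
+ "the top of this page."
  msgstr ""
 
- #: ../admin/admin.php:146
+ #: ../admin/admin.php:205
  msgid "Enabled"
  msgstr ""
 
- #: ../admin/admin.php:153
+ #: ../admin/admin.php:214
  msgid "Allow Administrators"
  msgstr ""
 
- #: ../admin/admin.php:154
+ #: ../admin/admin.php:215
  msgid "Allow Logged In Users"
  msgstr ""
 
- #: ../admin/admin.php:155
+ #: ../admin/admin.php:216
  msgid "Allow RSS Feeds"
  msgstr ""
 
- #: ../admin/admin.php:162
+ #: ../admin/admin.php:225
  msgid ""
- "If you would like to change the password type a new one. Otherwise leave "
- "this blank."
+ "If you would like to change the password type a new one. Otherwise leave this "
+ "blank."
  msgstr ""
 
- #: ../admin/admin.php:163
+ #: ../admin/admin.php:226
  msgid "Type your new password again."
  msgstr ""
 
- #: ../admin/admin.php:198
+ #: ../admin/admin.php:236
+ msgid "Enter one IP address per line"
+ msgstr ""
+
+ #: ../admin/admin.php:277
  msgid "http://github.com/benhuson/password-protected"
  msgstr ""
 
- #: ../admin/admin.php:198
+ #: ../admin/admin.php:277
  msgid "GitHub"
  msgstr ""
 
- #: ../admin/admin.php:199
+ #: ../admin/admin.php:278
  msgid ""
  "https://www.transifex.com/projects/p/password-protected/resource/password-"
  "protected/"
  msgstr ""
 
- #: ../admin/admin.php:199
+ #: ../admin/admin.php:278
  msgid "Translate"
  msgstr ""
 
- #: ../admin/admin.php:213
+ #: ../admin/admin.php:295
  msgid "Settings"
  msgstr ""
 
- #: ../admin/admin.php:238
+ #: ../admin/admin.php:323
+ msgid ""
+ "You have enabled password protection but not yet set a password. Please set one "
+ "below."
+ msgstr ""
+
+ #: ../admin/admin.php:328
+ msgid ""
+ "You have enabled password protection and allowed administrators and logged in "
+ "users - other users will still need to enter a password to view the site."
+ msgstr ""
+
+ #: ../admin/admin.php:330
  msgid ""
- "You have enabled password protection but not yet set a password. Please set "
- "one below."
+ "You have enabled password protection and allowed administrators - other users "
+ "will still need to enter a password to view the site."
  msgstr ""
 
- #: ../admin/admin.php:242
+ #: ../admin/admin.php:332
  msgid ""
- "You have enabled password protection and allowed administrators and logged "
- "in users - other users will still need to enter a password to view the site."
+ "You have enabled password protection and allowed logged in users - other users "
+ "will still need to enter a password to view the site."
  msgstr ""
 
- #: ../admin/admin.php:244
+ #: ../password-protected.php:157
+ #, php-format
  msgid ""
- "You have enabled password protection and allowed administrators - other "
- "users will still need to enter a password to view the site."
+ "Feeds are not available for this site. Please visit the <a href=\"%s\">website</"
+ "a>."
+ msgstr ""
+
+ #: ../password-protected.php:299
+ msgid "Incorrect Password"
  msgstr ""
 
- #: ../admin/admin.php:246
+ #: ../password-protected.php:435 ../password-protected.php:439
+ msgid "Logout"
+ msgstr ""
+
+ #: ../password-protected.php:755
  msgid ""
- "You have enabled password protection and allowed logged in users - other "
- "users will still need to enter a password to view the site."
+ "The Password Protected plugin does not work with WP Engine hosting. Please "
+ "disable it."
  msgstr ""
 
- #: ../theme/login.php:40
+ #: ../theme/password-protected-login.php:42
  msgid ""
- "<strong>ERROR</strong>: Cookies are blocked or not supported by your "
- "browser. You must <a href='http://www.google.com/cookies.html'>enable "
- "cookies</a> to use WordPress."
+ "<strong>ERROR</strong>: Cookies are blocked or not supported by your browser. You "
+ "must <a href='http://www.google.com/cookies.html'>enable cookies</a> to use "
+ "WordPress."
  msgstr ""
 
- #: ../theme/login.php:132
+ #: ../theme/password-protected-login.php:107
  msgid "Password"
  msgstr ""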
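--- a/password-protected.php
+++ b/password-protected.php
@@ -4,7 +4,7 @@
  Plugin Name: Password Protected
  Plugin URI: https://wordpress.org/plugins/password-protected/
  Description: A very simple way to quickly password protect your WordPress site with a single password. Please note: This plugin does not restrict access to uploaded files and images and does not work on WP Engine or with some caching setups.
- Version: 2.0
+ Version: 2.0.1
  Author: Ben Huson
  Text Domain: password-protected
  Author URI: http://github.com/benhuson/password-protected/
@@ -42,7 +42,7 @@ $Password_Protected = new Password_Protected();
 
  class Password_Protected {
 
- var $version = '1.9';
+ var $version = '2.0.1';
  var $admin = null;
  var $errors = null;
 
@@ -60,6 +60,7 @@ class Password_Protected {
  add_filter( 'password_protected_is_active', array( $this, 'allow_ip_addresses' ) );
 
  add_action( 'init', array( $this, 'disable_caching' ), 1 );
+ add_action( 'init', array( $this, 'maybe_process_logout' ), 1 );
  add_action( 'init', array( $this, 'maybe_process_login' ), 1 );
  add_action( 'wp', array( $this, 'disable_feeds' ) );
  add_action( 'template_redirect', array( $this, 'maybe_show_login' ), -1 );
@@ -248,6 +249,28 @@ class Password_Protected {
 
  }
 
+ /**
+ * Maybe Process Logout
+ */
+ function maybe_process_logout() {
+
+ if ( isset( $_REQUEST['password-protected'] ) && $_REQUEST['password-protected'] == 'logout' ) {
+
+ $this->logout();
+
+ if ( isset( $_REQUEST['redirect_to'] ) ) {
+ $redirect_to = esc_url_raw( $_REQUEST['redirect_to'], array( 'http', 'https' ) );
+ } else {
+ $redirect_to = home_url( '/' );
+ }
+
+ wp_redirect( $redirect_to );
+ exit();
+
+ }
+
+ }
+
  /**
  * Maybe Process Login
  */
@@ -279,22 +302,6 @@ class Password_Protected {
 
  }
 
- // Log out
- if ( isset( $_REQUEST['password-protected'] ) && $_REQUEST['password-protected'] == 'logout' ) {
-
- $this->logout();
-
- if ( isset( $_REQUEST['redirect_to'] ) ) {
- $redirect_to = esc_url_raw( $_REQUEST['redirect_to'], array( 'http', 'https' ) );
- } else {
- $redirect_to = home_url( '/' );
- }
-
- wp_redirect( $redirect_to );
- exit();
-
- }
-
  }
 
  /**
@@ -453,6 +460,17 @@ class Password_Protected {
 
  }
 
+ /**
+ * Get Hashed Password
+ *
+ * @return string Hashed password.
+ */
+ function get_hashed_password() {
+
+ return md5( get_option( 'password_protected_password' ) . wp_salt() );
+
+ }
+
  /**
  * Validate Auth Cookie
  *
@@ -482,10 +500,7 @@ class Password_Protected {
  return false;
  }
 
- $pass = md5( get_option( 'password_protected_password' ) );
- $pass_frag = substr( $pass, 8, 4 );
-
- $key = md5( $this->get_site_id() . $pass_frag . '|' . $expiration );
+ $key = md5( $this->get_site_id() . $this->get_hashed_password() . '|' . $expiration );
  $hash = hash_hmac( 'md5', $this->get_site_id() . '|' . $expiration, $key);
 
  if ( $hmac != $hash ) {
@@ -510,10 +525,7 @@ class Password_Protected {
  */
  function generate_auth_cookie( $expiration, $scheme = 'auth' ) {
 
- $pass = md5( get_option( 'password_protected_password' ) );
- $pass_frag = substr( $pass, 8, 4 );
-
- $key = md5( $this->get_site_id() . $pass_frag . '|' . $expiration );
+ $key = md5( $this->get_site_id() . $this->get_hashed_password() . '|' . $expiration );
  $hash = hash_hmac( 'md5', $this->get_site_id() . '|' . $expiration, $key );
  $cookie = $this->get_site_id() . '|' . $expiration . '|' . $hash;
 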
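Review bot: In the cookie-validation hunk the check `if ( $hmac != $hash )` is still a loose, non-constant-time comparison of what appears to be the cookie-supplied MAC against the expected one; `if ( ! hash_equals( $hash, $hmac ) )` would avoid both PHP's numeric-string juggling and timing differences (confirm `hash_equals()` is available on the oldest WordPress/PHP this plugin supports). The new `get_hashed_password()` and both `$key` lines still rely on unkeyed MD5 concatenation; deriving the value as `hash_hmac( 'sha256', get_option( 'password_protected_password' ), wp_salt() )` would be a sturdier construction, at the cost of invalidating existing cookies once more. Separately, the relocated `maybe_process_logout()` passes a request-supplied `redirect_to` to `wp_redirect()`, and `esc_url_raw()` there only restricts the scheme, so `wp_safe_redirect( $redirect_to )` would keep the redirect on allowed hosts. The cookie-validation function and `generate_auth_cookie()` both continue outside the hunks shown.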
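--- a/readme.txt
+++ b/readme.txt
@@ -2,8 +2,8 @@
  Contributors: husobj
  Tags: password, protect, password protect, login
  Requires at least: 3.5
- Tested up to: 4.1.1
- Stable tag: 2.0
+ Tested up to: 4.2.3
+ Stable tag: 2.0.1
  License: GPLv2 or later
 
  A very simple way to quickly password protect your WordPress site with a single password.
@@ -77,6 +77,10 @@ More instructions can be found at [wp-translations.org](http://wp-translations.o
 
  == Changelog ==
 
+ = 2.0.1 =
+ * Security fix: Use a more complex password hash for cookie key. Props Marcin Bury, [Securitum](http://securitum.pl).
+ * Split logout functionality into separate function.
+
  = 2.0 =
  * Added [password_protected_logout_link](https://github.com/benhuson/password-protected/wiki/password_protected_logout_link-Shortcode) shortcode.
  * Load 'password-protected-login.css' in theme folder if it exists.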