Rename wp-login.php - Version 1.0

Version Description

  • Initial version.

=


Release Info

Developer avryl
Version 1.0

Version 1.0

Files changed (4) hide show
  1. index.php +1 -0
  2. readme.txt +42 -0
  3. rename-wp-login.php +126 -0
  4. wp-login.php +761 -0
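--- a/index.php
+++ b/index.php
@@ -0,0 +1 @@
+ <?php // Silence is golden.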
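--- a/readme.txt
+++ b/readme.txt
@@ -0,0 +1,42 @@
+ === Plugin Name ===
+ Contributors: avryl
+ Tags: rename, login, wp-login, wp-login.php, brute force, attacks
+ Requires at least: 3.5
+ Tested up to: 3.6
+ Stable tag: trunk
+ License: GPLv2 or later
+ License URI: http://www.gnu.org/licenses/gpl-2.0.html
+
+ Rename wp-login, and block it to prevent brute force attacks.
+
+ == Description ==
+
+ This plugin renames `wp-login.php` to whatever you want. The default is `login` if no such page already exists. Otherwise it will append a number, e.g. `login-1`. You can change this option under ‘Settings’ › ‘Permalinks’ › ‘Login’.
+
+ What are the benefits? Not only does it allow you to further customise your login page, it also prevents brute force attacks that are targeted specifically to the standard `wp-login.php`. `wp-login.php` will be blocked and returns a 404 status.
+
+ If you’re using a page caching plugin like **W3 Total Cache** or **WP Super Cache**, add the word you rename `wp-login.php` to (e.g. `login`) to the list of pages not to cache. For W3 Total Cache go to ‘Performance’ › ‘Page Cache’ › ‘Advanced’ › ‘Never cache the following pages’, add your new login page on a new line and save all settings. For WP Super Cache go to ‘Settings’ › ‘WP Super Cache’ › ‘Advanced’ › ‘Accepted Filenames & Rejected URIs’, add your new login page on a new line and save.
+
+ This plugin works with plugins that customise or hook into the standard login screen. It’s not yet tested on installs that force SSL or use the multisite feature.
+
+ == Installation ==
+
+ 1. Go to ‘Plugins’ › ‘Add New’.
+ 2. Search for ‘Rename wp-login’.
+ 3. Look for this plugin, download and activate it.
+ 4. The page will redirect you to the settings. Rename `wp-login.php` in the section ‘Login’.
+ 5. You can change this option any time you want, just go back to ‘Settings’ › ‘Permalinks’ › ‘Login’.
+
+ == Screenshots ==
+
+ 1. This screen shot description corresponds to screenshot-1.(png|jpg|jpeg|gif). Note that the screenshot is taken from
+ the /assets directory or the directory that contains the stable readme.txt (tags or trunk). Screenshots in the /assets
+ directory take precedence. For example, `/assets/screenshot-1.png` would win over `/tags/4.3/screenshot-1.png`
+ (or jpg, jpeg, gif).
+
+ == Changelog ==
+
+ = 1.0 =
+ * Initial version.
+
+ == Upgrade Notice ==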
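--- a/rename-wp-login.php
+++ b/rename-wp-login.php
@@ -0,0 +1,126 @@
+ <?php
+ /*
+ Plugin Name: Rename wp-login
+ Plugin URI: http://wordpress.org/plugins/rename-wp-login/
+ Description: Rename wp-login, and block it to prevent brute force attacks.
+ Author: avryl
+ Author URI: http://profiles.wordpress.org/avryl/
+ Version: 1.0
+ Text Domain: rename-wp-login
+ License: GPLv2 or later
+ License URI: http://www.gnu.org/licenses/gpl-2.0.html
+ */
+
+ register_uninstall_hook(__FILE__, 'rwl_uninstall');
+ function rwl_uninstall() {
+ delete_option('rwl_page');
+ }
+
+ register_activation_hook(__FILE__, 'rwl_activation');
+ function rwl_activation() {
+ add_option('rwl_redirect', '1');
+ }
+
+ add_action('init', 'rwl_init');
+ function rwl_init() {
+ if (!get_option('rwl_page') || get_option('rwl_page') == '') {
+ update_option('rwl_page', wp_unique_post_slug('login', 0, 'publish', 'page', 0));
+ }
+ }
+
+ add_action('login_init', 'rwl_login_init');
+ function rwl_login_init() {
+ global $wp_query, $post;
+ if (!$post) {
+ status_header(404);
+ $wp_query->set_404();
+ if (file_exists(TEMPLATEPATH . '/404.php')) {
+ require_once(TEMPLATEPATH . '/404.php');
+ } else {
+ require_once(TEMPLATEPATH . '/index.php');
+ }
+ exit;
+ }
+ }
+
+ add_action('wp', 'rwl_wp');
+ function rwl_wp() {
+ global $wp_query, $post, $wp;
+ if ($wp_query->is_404 && $wp->request == get_option('rwl_page')) {
+ $post = new stdClass();
+ $post->ID = 0;
+ $wp_query->queried_object = $post;
+ $wp_query->queried_object_id = 0;
+ $wp_query->post = $post;
+ $wp_query->found_posts = 1;
+ $wp_query->post_count = 1;
+ $wp_query->is_singular = true;
+ $wp_query->is_404 = false;
+ $wp_query->posts = array($post);
+ $wp_query->is_page = true;
+ require_once(dirname(__FILE__) . '/wp-login.php');
+ exit;
+ }
+ }
+
+ add_action('admin_init', 'rwl_admin_init');
+ function rwl_admin_init() {
+ add_settings_section('rename-wp-login-section', 'Login', '__return_false', 'permalink');
+ add_settings_field('rwl-page', '<label for="rwl-page-input">Rename wp-login.php</label>', 'rwl_page', 'permalink', 'rename-wp-login-section');
+ if (!empty($_POST['rwl_page'])) {
+ update_option('rwl_page', wp_unique_post_slug($_POST['rwl_page'], 0, 'publish', 'page', 0));
+ }
+ if (get_option('rwl_redirect') == '1') {
+ delete_option('rwl_redirect');
+ wp_redirect(admin_url('options-permalink.php#rwl-page-input'));
+ }
+ }
+
+ function rwl_page() {
+ echo '<code>' . site_url() . '/</code> <input id="rwl-page-input" type="text" name="rwl_page" value="' . get_option('rwl_page') . '" /> <code>/</code>';
+ }
+
+ add_filter('plugin_action_links_' . plugin_basename(__FILE__), 'rwl_plugin_action_links');
+ function rwl_plugin_action_links($links) {
+ array_unshift($links, '<a href="options-permalink.php#rwl-page-input">Settings</a>');
+ return $links;
+ }
+
+ add_filter('site_url', 'rwl_filter_site_url', 10, 4);
+ function rwl_filter_site_url($url, $path, $scheme, $blog_id) {
+ return (strpos($path, 'wp-login.php') !== false && $scheme == 'login_post') ? site_url() . '/' . get_option('rwl_page') . '/' . str_replace('wp-login.php', '', $path) : $url;
+ }
+
+ add_filter('login_url', 'rwl_filter_login_url', 10, 2);
+ function rwl_filter_login_url($login_url, $redirect = '') {
+ $login_url = site_url() . '/' . get_option('rwl_page') . '/';
+ if (!empty($redirect))
+ $login_url = add_query_arg('redirect_to', urlencode($redirect), $login_url);
+ return $login_url;
+ }
+
+ add_filter('logout_url', 'rwl_filter_logout_url', 10, 2);
+ function rwl_filter_logout_url($login_url, $redirect = '') {
+ $args = array('action' => 'logout');
+ if (!empty($redirect)) {
+ $args['redirect_to'] = urlencode($redirect);
+ }
+ $logout_url = add_query_arg($args, site_url() . '/' . get_option('rwl_page') . '/');
+ $logout_url = wp_nonce_url($logout_url, 'log-out');
+ return $logout_url;
+ }
+
+ add_filter('lostpassword_url', 'rwl_filter_lostpassword_url', 10, 2);
+ function rwl_filter_lostpassword_url($lostpassword_url, $redirect = '') {
+ $args = array( 'action' => 'lostpassword' );
+ if (!empty($redirect)) {
+ $args['redirect_to'] = $redirect;
+ }
+ $lostpassword_url = add_query_arg($args, site_url() . '/' . get_option('rwl_page') . '/');
+ return $lostpassword_url;
+ }
+
+ add_filter('register_url', 'rwl_filter_register_url');
+ function rwl_filter_register_url($register_url) {
+ return site_url() . '/' . get_option('rwl_page') . '/?action=register';
+ }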
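Review bot: In rwl_admin_init the `$_POST['rwl_page']` branch writes the login slug with no capability check, no nonce verification and no sanitising of the submitted value. The admin_init hook runs on every admin-side request, admin-ajax.php and admin-post.php included, so the write is not confined to an administrator saving the Permalinks screen. The guard should read `if (!empty($_POST['rwl_page']) && current_user_can('manage_options') && check_admin_referer('update-permalink')) {`; 'update-permalink' is, as far as I can tell, the nonce action core's Permalinks form submits, to be confirmed against the WordPress versions the readme targets. The stored value should be `sanitize_title_with_dashes(wp_unslash($_POST['rwl_page']))` rather than the raw input. rwl_page() prints that option unescaped into the `value` attribute, so it should emit `esc_attr(get_option('rwl_page'))`, and rwl_uninstall should also `delete_option('rwl_redirect');` for sites where the activation redirect never ran.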
wp-login.php ADDED
@@ -0,0 +1,761 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ <?php
2
+
3
+ // Redirect to https login if forced to use SSL
4
+ if ( force_ssl_admin() && ! is_ssl() ) {
5
+ if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
6
+ wp_redirect( set_url_scheme( $_SERVER['REQUEST_URI'], 'https' ) );
7
+ exit();
8
+ } else {
9
+ wp_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
10
+ exit();
11
+ }
12
+ }
13
+
14
+ /**
15
+ * Outputs the header for the login page.
16
+ *
17
+ * @uses do_action() Calls the 'login_head' for outputting HTML in the Log In
18
+ * header.
19
+ * @uses apply_filters() Calls 'login_headerurl' for the top login link.
20
+ * @uses apply_filters() Calls 'login_headertitle' for the top login title.
21
+ * @uses apply_filters() Calls 'login_message' on the message to display in the
22
+ * header.
23
+ * @uses $error The error global, which is checked for displaying errors.
24
+ *
25
+ * @param string $title Optional. WordPress Log In Page title to display in
26
+ * <title/> element.
27
+ * @param string $message Optional. Message to display in header.
28
+ * @param WP_Error $wp_error Optional. WordPress Error Object
29
+ */
30
+ function login_header($title = 'Log In', $message = '', $wp_error = '') {
31
+ global $error, $interim_login, $current_site, $action;
32
+
33
+ // Don't index any of these forms
34
+ add_action( 'login_head', 'wp_no_robots' );
35
+
36
+ if ( empty($wp_error) )
37
+ $wp_error = new WP_Error();
38
+
39
+ // Shake it!
40
+ $shake_error_codes = array( 'empty_password', 'empty_email', 'invalid_email', 'invalidcombo', 'empty_username', 'invalid_username', 'incorrect_password' );
41
+ $shake_error_codes = apply_filters( 'shake_error_codes', $shake_error_codes );
42
+
43
+ if ( $shake_error_codes && $wp_error->get_error_code() && in_array( $wp_error->get_error_code(), $shake_error_codes ) )
44
+ add_action( 'login_head', 'wp_shake_js', 12 );
45
+
46
+ ?><!DOCTYPE html>
47
+ <html xmlns="http://www.w3.org/1999/xhtml" <?php language_attributes(); ?>>
48
+ <head>
49
+ <meta http-equiv="Content-Type" content="<?php bloginfo('html_type'); ?>; charset=<?php bloginfo('charset'); ?>" />
50
+ <title><?php bloginfo('name'); ?> &rsaquo; <?php echo $title; ?></title>
51
+ <?php
52
+
53
+ wp_admin_css( 'wp-admin', true );
54
+ wp_admin_css( 'colors-fresh', true );
55
+
56
+ if ( wp_is_mobile() ) { ?>
57
+ <meta name="viewport" content="width=320, initial-scale=0.9, maximum-scale=1.0, user-scalable=0" /><?php
58
+ }
59
+
60
+ // Remove all stored post data on logging out.
61
+ // This could be added by add_action('login_head'...) like wp_shake_js()
62
+ // but maybe better if it's not removable by plugins
63
+ if ( 'loggedout' == $wp_error->get_error_code() ) {
64
+ ?>
65
+ <script>if("sessionStorage" in window){try{for(var key in sessionStorage){if(key.indexOf("wp-autosave-")!=-1){sessionStorage.removeItem(key)}}}catch(e){}};</script>
66
+ <?php
67
+ }
68
+
69
+ do_action( 'login_enqueue_scripts' );
70
+ do_action( 'login_head' );
71
+
72
+ if ( is_multisite() ) {
73
+ $login_header_url = network_home_url();
74
+ $login_header_title = $current_site->site_name;
75
+ } else {
76
+ $login_header_url = __( 'http://wordpress.org/' );
77
+ $login_header_title = __( 'Powered by WordPress' );
78
+ }
79
+
80
+ $login_header_url = apply_filters( 'login_headerurl', $login_header_url );
81
+ $login_header_title = apply_filters( 'login_headertitle', $login_header_title );
82
+
83
+ $classes = array( 'login-action-' . $action, 'wp-core-ui' );
84
+ if ( wp_is_mobile() )
85
+ $classes[] = 'mobile';
86
+ if ( is_rtl() )
87
+ $classes[] = 'rtl';
88
+ if ( $interim_login ) {
89
+ $classes[] = 'interim-login';
90
+ ?>
91
+ <style type="text/css">html{background-color: transparent;}</style>
92
+ <?php
93
+
94
+ if ( 'success' === $interim_login )
95
+ $classes[] = 'interim-login-success';
96
+ }
97
+
98
+ $classes = apply_filters( 'login_body_class', $classes, $action );
99
+
100
+ ?>
101
+ </head>
102
+ <body class="login <?php echo esc_attr( implode( ' ', $classes ) ); ?>">
103
+ <div id="login">
104
+ <h1><a href="<?php echo esc_url( $login_header_url ); ?>" title="<?php echo esc_attr( $login_header_title ); ?>"><?php bloginfo( 'name' ); ?></a></h1>
105
+ <?php
106
+
107
+ unset( $login_header_url, $login_header_title );
108
+
109
+ $message = apply_filters('login_message', $message);
110
+ if ( !empty( $message ) )
111
+ echo $message . "\n";
112
+
113
+ // In case a plugin uses $error rather than the $wp_errors object
114
+ if ( !empty( $error ) ) {
115
+ $wp_error->add('error', $error);
116
+ unset($error);
117
+ }
118
+
119
+ if ( $wp_error->get_error_code() ) {
120
+ $errors = '';
121
+ $messages = '';
122
+ foreach ( $wp_error->get_error_codes() as $code ) {
123
+ $severity = $wp_error->get_error_data($code);
124
+ foreach ( $wp_error->get_error_messages($code) as $error ) {
125
+ if ( 'message' == $severity )
126
+ $messages .= ' ' . $error . "<br />\n";
127
+ else
128
+ $errors .= ' ' . $error . "<br />\n";
129
+ }
130
+ }
131
+ if ( !empty($errors) )
132
+ echo '<div id="login_error">' . apply_filters('login_errors', $errors) . "</div>\n";
133
+ if ( !empty($messages) )
134
+ echo '<p class="message">' . apply_filters('login_messages', $messages) . "</p>\n";
135
+ }
136
+ } // End of login_header()
137
+
138
+ /**
139
+ * Outputs the footer for the login page.
140
+ *
141
+ * @param string $input_id Which input to auto-focus
142
+ */
143
+ function login_footer($input_id = '') {
144
+ global $interim_login;
145
+
146
+ // Don't allow interim logins to navigate away from the page.
147
+ if ( ! $interim_login ): ?>
148
+ <p id="backtoblog"><a href="<?php echo esc_url( home_url( '/' ) ); ?>" title="<?php esc_attr_e( 'Are you lost?' ); ?>"><?php printf( __( '&larr; Back to %s' ), get_bloginfo( 'title', 'display' ) ); ?></a></p>
149
+ <?php endif; ?>
150
+
151
+ </div>
152
+
153
+ <?php if ( !empty($input_id) ) : ?>
154
+ <script type="text/javascript">
155
+ try{document.getElementById('<?php echo $input_id; ?>').focus();}catch(e){}
156
+ if(typeof wpOnload=='function')wpOnload();
157
+ </script>
158
+ <?php endif; ?>
159
+
160
+ <?php do_action('login_footer'); ?>
161
+ <div class="clear"></div>
162
+ </body>
163
+ </html>
164
+ <?php
165
+ }
166
+
167
+ function wp_shake_js() {
168
+ if ( wp_is_mobile() )
169
+ return;
170
+ ?>
171
+ <script type="text/javascript">
172
+ addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
173
+ function s(id,pos){g(id).left=pos+'px';}
174
+ function g(id){return document.getElementById(id).style;}
175
+ function shake(id,a,d){c=a.shift();s(id,c);if(a.length>0){setTimeout(function(){shake(id,a,d);},d);}else{try{g(id).position='static';wp_attempt_focus();}catch(e){}}}
176
+ addLoadEvent(function(){ var p=new Array(15,30,15,0,-15,-30,-15,0);p=p.concat(p.concat(p));var i=document.forms[0].id;g(i).position='relative';shake(i,p,20);});
177
+ </script>
178
+ <?php
179
+ }
180
+
181
+ /**
182
+ * Handles sending password retrieval email to user.
183
+ *
184
+ * @uses $wpdb WordPress Database object
185
+ *
186
+ * @return bool|WP_Error True: when finish. WP_Error on error
187
+ */
188
+ function retrieve_password() {
189
+ global $wpdb, $current_site;
190
+
191
+ $errors = new WP_Error();
192
+
193
+ if ( empty( $_POST['user_login'] ) ) {
194
+ $errors->add('empty_username', __('<strong>ERROR</strong>: Enter a username or e-mail address.'));
195
+ } else if ( strpos( $_POST['user_login'], '@' ) ) {
196
+ $user_data = get_user_by( 'email', trim( $_POST['user_login'] ) );
197
+ if ( empty( $user_data ) )
198
+ $errors->add('invalid_email', __('<strong>ERROR</strong>: There is no user registered with that email address.'));
199
+ } else {
200
+ $login = trim($_POST['user_login']);
201
+ $user_data = get_user_by('login', $login);
202
+ }
203
+
204
+ do_action('lostpassword_post');
205
+
206
+ if ( $errors->get_error_code() )
207
+ return $errors;
208
+
209
+ if ( !$user_data ) {
210
+ $errors->add('invalidcombo', __('<strong>ERROR</strong>: Invalid username or e-mail.'));
211
+ return $errors;
212
+ }
213
+
214
+ // redefining user_login ensures we return the right case in the email
215
+ $user_login = $user_data->user_login;
216
+ $user_email = $user_data->user_email;
217
+
218
+ do_action('retreive_password', $user_login); // Misspelled and deprecated
219
+ do_action('retrieve_password', $user_login);
220
+
221
+ $allow = apply_filters('allow_password_reset', true, $user_data->ID);
222
+
223
+ if ( ! $allow )
224
+ return new WP_Error('no_password_reset', __('Password reset is not allowed for this user'));
225
+ else if ( is_wp_error($allow) )
226
+ return $allow;
227
+
228
+ $key = $wpdb->get_var($wpdb->prepare("SELECT user_activation_key FROM $wpdb->users WHERE user_login = %s", $user_login));
229
+ if ( empty($key) ) {
230
+ // Generate something random for a key...
231
+ $key = wp_generate_password(20, false);
232
+ do_action('retrieve_password_key', $user_login, $key);
233
+ // Now insert the new md5 key into the db
234
+ $wpdb->update($wpdb->users, array('user_activation_key' => $key), array('user_login' => $user_login));
235
+ }
236
+ $message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";
237
+ $message .= network_home_url( '/' ) . "\r\n\r\n";
238
+ $message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
239
+ $message .= __('If this was a mistake, just ignore this email and nothing will happen.') . "\r\n\r\n";
240
+ $message .= __('To reset your password, visit the following address:') . "\r\n\r\n";
241
+ $message .= '<' . site_url() . '/' . get_option('rwl_page') . '/' . "?action=rp&key=$key&login=" . rawurlencode($user_login) . ">\r\n";
242
+
243
+ if ( is_multisite() )
244
+ $blogname = $GLOBALS['current_site']->site_name;
245
+ else
246
+ // The blogname option is escaped with esc_html on the way into the database in sanitize_option
247
+ // we want to reverse this for the plain text arena of emails.
248
+ $blogname = wp_specialchars_decode(get_option('blogname'), ENT_QUOTES);
249
+
250
+ $title = sprintf( __('[%s] Password Reset'), $blogname );
251
+
252
+ $title = apply_filters('retrieve_password_title', $title);
253
+ $message = apply_filters('retrieve_password_message', $message, $key);
254
+
255
+ if ( $message && !wp_mail($user_email, $title, $message) )
256
+ wp_die( __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function.') );
257
+
258
+ return true;
259
+ }
260
+
261
+ /**
262
+ * Retrieves a user row based on password reset key and login
263
+ *
264
+ * @uses $wpdb WordPress Database object
265
+ *
266
+ * @param string $key Hash to validate sending user's password
267
+ * @param string $login The user login
268
+ * @return object|WP_Error User's database row on success, error object for invalid keys
269
+ */
270
+ function check_password_reset_key($key, $login) {
271
+ global $wpdb;
272
+
273
+ $key = preg_replace('/[^a-z0-9]/i', '', $key);
274
+
275
+ if ( empty( $key ) || !is_string( $key ) )
276
+ return new WP_Error('invalid_key', __('Invalid key'));
277
+
278
+ if ( empty($login) || !is_string($login) )
279
+ return new WP_Error('invalid_key', __('Invalid key'));
280
+
281
+ $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s AND user_login = %s", $key, $login));
282
+
283
+ if ( empty( $user ) )
284
+ return new WP_Error('invalid_key', __('Invalid key'));
285
+
286
+ return $user;
287
+ }
288
+
289
+ /**
290
+ * Handles resetting the user's password.
291
+ *
292
+ * @param object $user The user
293
+ * @param string $new_pass New password for the user in plaintext
294
+ */
295
+ function reset_password($user, $new_pass) {
296
+ do_action('password_reset', $user, $new_pass);
297
+
298
+ wp_set_password($new_pass, $user->ID);
299
+
300
+ wp_password_change_notification($user);
301
+ }
302
+
303
+ /**
304
+ * Handles registering a new user.
305
+ *
306
+ * @param string $user_login User's username for logging in
307
+ * @param string $user_email User's email address to send password and add
308
+ * @return int|WP_Error Either user's ID or error on failure.
309
+ */
310
+ function register_new_user( $user_login, $user_email ) {
311
+ $errors = new WP_Error();
312
+
313
+ $sanitized_user_login = sanitize_user( $user_login );
314
+ $user_email = apply_filters( 'user_registration_email', $user_email );
315
+
316
+ // Check the username
317
+ if ( $sanitized_user_login == '' ) {
318
+ $errors->add( 'empty_username', __( '<strong>ERROR</strong>: Please enter a username.' ) );
319
+ } elseif ( ! validate_username( $user_login ) ) {
320
+ $errors->add( 'invalid_username', __( '<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.' ) );
321
+ $sanitized_user_login = '';
322
+ } elseif ( username_exists( $sanitized_user_login ) ) {
323
+ $errors->add( 'username_exists', __( '<strong>ERROR</strong>: This username is already registered. Please choose another one.' ) );
324
+ }
325
+
326
+ // Check the e-mail address
327
+ if ( $user_email == '' ) {
328
+ $errors->add( 'empty_email', __( '<strong>ERROR</strong>: Please type your e-mail address.' ) );
329
+ } elseif ( ! is_email( $user_email ) ) {
330
+ $errors->add( 'invalid_email', __( '<strong>ERROR</strong>: The email address isn&#8217;t correct.' ) );
331
+ $user_email = '';
332
+ } elseif ( email_exists( $user_email ) ) {
333
+ $errors->add( 'email_exists', __( '<strong>ERROR</strong>: This email is already registered, please choose another one.' ) );
334
+ }
335
+
336
+ do_action( 'register_post', $sanitized_user_login, $user_email, $errors );
337
+
338
+ $errors = apply_filters( 'registration_errors', $errors, $sanitized_user_login, $user_email );
339
+
340
+ if ( $errors->get_error_code() )
341
+ return $errors;
342
+
343
+ $user_pass = wp_generate_password( 12, false);
344
+ $user_id = wp_create_user( $sanitized_user_login, $user_pass, $user_email );
345
+ if ( ! $user_id ) {
346
+ $errors->add( 'registerfail', sprintf( __( '<strong>ERROR</strong>: Couldn&#8217;t register you&hellip; please contact the <a href="mailto:%s">webmaster</a> !' ), get_option( 'admin_email' ) ) );
347
+ return $errors;
348
+ }
349
+
350
+ update_user_option( $user_id, 'default_password_nag', true, true ); //Set up the Password change nag.
351
+
352
+ wp_new_user_notification( $user_id, $user_pass );
353
+
354
+ return $user_id;
355
+ }
356
+
357
+ //
358
+ // Main
359
+ //
360
+
361
+ $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
362
+ $errors = new WP_Error();
363
+
364
+ if ( isset($_GET['key']) )
365
+ $action = 'resetpass';
366
+
367
+ // validate action so as to default to the login screen
368
+ if ( !in_array( $action, array( 'postpass', 'logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login' ), true ) && false === has_filter( 'login_form_' . $action ) )
369
+ $action = 'login';
370
+
371
+ nocache_headers();
372
+
373
+ header('Content-Type: '.get_bloginfo('html_type').'; charset='.get_bloginfo('charset'));
374
+
375
+ if ( defined( 'RELOCATE' ) && RELOCATE ) { // Move flag is set
376
+ if ( isset( $_SERVER['PATH_INFO'] ) && ($_SERVER['PATH_INFO'] != $_SERVER['PHP_SELF']) )
377
+ $_SERVER['PHP_SELF'] = str_replace( $_SERVER['PATH_INFO'], '', $_SERVER['PHP_SELF'] );
378
+
379
+ $url = dirname( set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'] ) );
380
+ if ( $url != get_option( 'siteurl' ) )
381
+ update_option( 'siteurl', $url );
382
+ }
383
+
384
+ //Set a cookie now to see if they are supported by the browser.
385
+ setcookie(TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN);
386
+ if ( SITECOOKIEPATH != COOKIEPATH )
387
+ setcookie(TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN);
388
+
389
+ // allow plugins to override the default actions, and to add extra actions if they want
390
+ do_action( 'login_init' );
391
+ do_action( 'login_form_' . $action );
392
+
393
+ $http_post = ('POST' == $_SERVER['REQUEST_METHOD']);
394
+ $interim_login = isset($_REQUEST['interim-login']);
395
+
396
+ switch ($action) {
397
+
398
+ case 'postpass' :
399
+ require_once ABSPATH . 'wp-includes/class-phpass.php';
400
+ $hasher = new PasswordHash( 8, true );
401
+
402
+ // 10 days
403
+ setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), time() + 10 * DAY_IN_SECONDS, COOKIEPATH );
404
+
405
+ wp_safe_redirect( wp_get_referer() );
406
+ exit();
407
+
408
+ break;
409
+
410
+ case 'logout' :
411
+ check_admin_referer('log-out');
412
+ wp_logout();
413
+
414
+ $redirect_to = !empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : site_url() . '/' . get_option('rwl_page') . '/' . '?loggedout=true';
415
+ wp_safe_redirect( $redirect_to );
416
+ exit();
417
+
418
+ break;
419
+
420
+ case 'lostpassword' :
421
+ case 'retrievepassword' :
422
+
423
+ if ( $http_post ) {
424
+ $errors = retrieve_password();
425
+ if ( !is_wp_error($errors) ) {
426
+ $redirect_to = !empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : site_url() . '/' . get_option('rwl_page') . '/' . '?checkemail=confirm';
427
+ wp_safe_redirect( $redirect_to );
428
+ exit();
429
+ }
430
+ }
431
+
432
+ if ( isset($_GET['error']) && 'invalidkey' == $_GET['error'] ) $errors->add('invalidkey', __('Sorry, that key does not appear to be valid.'));
433
+ $redirect_to = apply_filters( 'lostpassword_redirect', !empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '' );
434
+
435
+ do_action('lost_password');
436
+ login_header(__('Lost Password'), '<p class="message">' . __('Please enter your username or email address. You will receive a link to create a new password via email.') . '</p>', $errors);
437
+
438
+ $user_login = isset($_POST['user_login']) ? wp_unslash($_POST['user_login']) : '';
439
+
440
+ ?>
441
+
442
+ <form name="lostpasswordform" id="lostpasswordform" action="<?php echo site_url() . '/' . get_option('rwl_page') . '/' . '?action=lostpassword'; ?>" method="post">
443
+ <p>
444
+ <label for="user_login" ><?php _e('Username or E-mail:') ?><br />
445
+ <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr($user_login); ?>" size="20" /></label>
446
+ </p>
447
+ <?php do_action('lostpassword_form'); ?>
448
+ <input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" />
449
+ <p class="submit"><input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e('Get New Password'); ?>" /></p>
450
+ </form>
451
+
452
+ <p id="nav">
453
+ <a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e('Log in') ?></a>
454
+ <?php if ( get_option( 'users_can_register' ) ) : ?>
455
+ | <?php echo apply_filters( 'register', sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) ) ); ?>
456
+ <?php endif; ?>
457
+ </p>
458
+
459
+ <?php
460
+ login_footer('user_login');
461
+ break;
462
+
463
+ case 'resetpass' :
464
+ case 'rp' :
465
+ $user = check_password_reset_key($_GET['key'], $_GET['login']);
466
+
467
+ if ( is_wp_error($user) ) {
468
+ wp_redirect( site_url() . '/' . get_option('rwl_page') . '/' . '?action=lostpassword&error=invalidkey' );
469
+ exit;
470
+ }
471
+
472
+ $errors = new WP_Error();
473
+
474
+ if ( isset($_POST['pass1']) && $_POST['pass1'] != $_POST['pass2'] )
475
+ $errors->add( 'password_reset_mismatch', __( 'The passwords do not match.' ) );
476
+
477
+ do_action( 'validate_password_reset', $errors, $user );
478
+
479
+ if ( ( ! $errors->get_error_code() ) && isset( $_POST['pass1'] ) && !empty( $_POST['pass1'] ) ) {
480
+ reset_password($user, $_POST['pass1']);
481
+ login_header( __( 'Password Reset' ), '<p class="message reset-pass">' . __( 'Your password has been reset.' ) . ' <a href="' . esc_url( wp_login_url() ) . '">' . __( 'Log in' ) . '</a></p>' );
482
+ login_footer();
483
+ exit;
484
+ }
485
+
486
+ wp_enqueue_script('utils');
487
+ wp_enqueue_script('user-profile');
488
+
489
+ login_header(__('Reset Password'), '<p class="message reset-pass">' . __('Enter your new password below.') . '</p>', $errors );
490
+
491
+ ?>
492
+ <form name="resetpassform" id="resetpassform" action="<?php echo site_url() . '/' . get_option('rwl_page') . '/' . '?action=resetpass&key=' . urlencode( $_GET['key'] ) . '&login=' . urlencode( $_GET['login'] ); ?>" method="post" autocomplete="off">
493
+ <input type="hidden" id="user_login" value="<?php echo esc_attr( $_GET['login'] ); ?>" autocomplete="off" />
494
+
495
+ <p>
496
+ <label for="pass1"><?php _e('New password') ?><br />
497
+ <input type="password" name="pass1" id="pass1" class="input" size="20" value="" autocomplete="off" /></label>
498
+ </p>
499
+ <p>
500
+ <label for="pass2"><?php _e('Confirm new password') ?><br />
501
+ <input type="password" name="pass2" id="pass2" class="input" size="20" value="" autocomplete="off" /></label>
502
+ </p>
503
+
504
+ <div id="pass-strength-result" class="hide-if-no-js"><?php _e('Strength indicator'); ?></div>
505
+ <p class="description indicator-hint"><?php _e('Hint: The password should be at least seven characters long. To make it stronger, use upper and lower case letters, numbers and symbols like ! " ? $ % ^ &amp; ).'); ?></p>
506
+
507
+ <br class="clear" />
508
+ <p class="submit"><input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e('Reset Password'); ?>" /></p>
509
+ </form>
510
+
511
+ <p id="nav">
512
+ <a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a>
513
+ <?php if ( get_option( 'users_can_register' ) ) : ?>
514
+ | <?php echo apply_filters( 'register', sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) ) ); ?>
515
+ <?php endif; ?>
516
+ </p>
517
+
518
+ <?php
519
+ login_footer('user_pass');
520
+ break;
521
+
522
+ case 'register' :
523
+ if ( is_multisite() ) {
524
+ // Multisite uses wp-signup.php
525
+ wp_redirect( apply_filters( 'wp_signup_location', network_site_url('wp-signup.php') ) );
526
+ exit;
527
+ }
528
+
529
+ if ( !get_option('users_can_register') ) {
530
+ wp_redirect( site_url() . '/' . get_option('rwl_page') . '/' . '?registration=disabled' );
531
+ exit();
532
+ }
533
+
534
+ $user_login = '';
535
+ $user_email = '';
536
+ if ( $http_post ) {
537
+ $user_login = $_POST['user_login'];
538
+ $user_email = $_POST['user_email'];
539
+ $errors = register_new_user($user_login, $user_email);
540
+ if ( !is_wp_error($errors) ) {
541
+ $redirect_to = !empty( $_POST['redirect_to'] ) ? $_POST['redirect_to'] : site_url() . '/' . get_option('rwl_page') . '/' . '?checkemail=registered';
542
+ wp_safe_redirect( $redirect_to );
543
+ exit();
544
+ }
545
+ }
546
+
547
+ $redirect_to = apply_filters( 'registration_redirect', !empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '' );
548
+ login_header(__('Registration Form'), '<p class="message register">' . __('Register For This Site') . '</p>', $errors);
549
+ ?>
550
+
551
+ <form name="registerform" id="registerform" action="<?php echo site_url() . '/' . get_option('rwl_page') . '/' . '?action=register'; ?>" method="post">
552
+ <p>
553
+ <label for="user_login"><?php _e('Username') ?><br />
554
+ <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr(wp_unslash($user_login)); ?>" size="20" /></label>
555
+ </p>
556
+ <p>
557
+ <label for="user_email"><?php _e('E-mail') ?><br />
558
+ <input type="text" name="user_email" id="user_email" class="input" value="<?php echo esc_attr(wp_unslash($user_email)); ?>" size="25" /></label>
559
+ </p>
560
+ <?php do_action('register_form'); ?>
561
+ <p id="reg_passmail"><?php _e('A password will be e-mailed to you.') ?></p>
562
+ <br class="clear" />
563
+ <input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" />
564
+ <p class="submit"><input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e('Register'); ?>" /></p>
565
+ </form>
566
+
567
+ <p id="nav">
568
+ <a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a> |
569
+ <a href="<?php echo esc_url( wp_lostpassword_url() ); ?>" title="<?php esc_attr_e( 'Password Lost and Found' ) ?>"><?php _e( 'Lost your password?' ); ?></a>
570
+ </p>
571
+
572
+ <?php
573
+ login_footer('user_login');
574
+ break;
575
+
576
+ case 'login' :
577
+ default:
578
+ $secure_cookie = '';
579
+ $customize_login = isset( $_REQUEST['customize-login'] );
580
+ if ( $customize_login )
581
+ wp_enqueue_script( 'customize-base' );
582
+
583
+ // If the user wants ssl but the session is not ssl, force a secure cookie.
584
+ if ( !empty($_POST['log']) && !force_ssl_admin() ) {
585
+ $user_name = sanitize_user($_POST['log']);
586
+ if ( $user = get_user_by('login', $user_name) ) {
587
+ if ( get_user_option('use_ssl', $user->ID) ) {
588
+ $secure_cookie = true;
589
+ force_ssl_admin(true);
590
+ }
591
+ }
592
+ }
593
+
594
+ if ( isset( $_REQUEST['redirect_to'] ) ) {
595
+ $redirect_to = $_REQUEST['redirect_to'];
596
+ // Redirect to https if user wants ssl
597
+ if ( $secure_cookie && false !== strpos($redirect_to, 'wp-admin') )
598
+ $redirect_to = preg_replace('|^http://|', 'https://', $redirect_to);
599
+ } else {
600
+ $redirect_to = admin_url();
601
+ }
602
+
603
+ $reauth = empty($_REQUEST['reauth']) ? false : true;
604
+
605
+ // If the user was redirected to a secure login form from a non-secure admin page, and secure login is required but secure admin is not, then don't use a secure
606
+ // cookie and redirect back to the referring non-secure admin page. This allows logins to always be POSTed over SSL while allowing the user to choose visiting
607
+ // the admin via http or https.
608
+ if ( !$secure_cookie && is_ssl() && force_ssl_login() && !force_ssl_admin() && ( 0 !== strpos($redirect_to, 'https') ) && ( 0 === strpos($redirect_to, 'http') ) )
609
+ $secure_cookie = false;
610
+
611
+ $user = wp_signon('', $secure_cookie);
612
+
613
+ $redirect_to = apply_filters('login_redirect', $redirect_to, isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '', $user);
614
+
615
+ if ( !is_wp_error($user) && !$reauth ) {
616
+ if ( $interim_login ) {
617
+ $message = '<p class="message">' . __('You have logged in successfully.') . '</p>';
618
+ $interim_login = 'success';
619
+ login_header( '', $message ); ?>
620
+ </div>
621
+ <?php do_action( 'login_footer' ); ?>
622
+ <?php if ( $customize_login ) : ?>
623
+ <script type="text/javascript">setTimeout( function(){ new wp.customize.Messenger({ url: '<?php echo wp_customize_url(); ?>', channel: 'login' }).send('login') }, 1000 );</script>
624
+ <?php endif; ?>
625
+ </body></html>
626
+ <?php exit;
627
+ }
628
+
629
+ if ( ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' || $redirect_to == admin_url() ) ) {
630
+ // If the user doesn't belong to a blog, send them to user admin. If the user can't edit posts, send them to their profile.
631
+ if ( is_multisite() && !get_active_blog_for_user($user->ID) && !is_super_admin( $user->ID ) )
632
+ $redirect_to = user_admin_url();
633
+ elseif ( is_multisite() && !$user->has_cap('read') )
634
+ $redirect_to = get_dashboard_url( $user->ID );
635
+ elseif ( !$user->has_cap('edit_posts') )
636
+ $redirect_to = admin_url('profile.php');
637
+ }
638
+ wp_safe_redirect($redirect_to);
639
+ exit();
640
+ }
641
+
642
+ $errors = $user;
643
+ // Clear errors if loggedout is set.
644
+ if ( !empty($_GET['loggedout']) || $reauth )
645
+ $errors = new WP_Error();
646
+
647
+ // If cookies are disabled we can't log in even with a valid user+pass
648
+ if ( isset($_POST['testcookie']) && empty($_COOKIE[TEST_COOKIE]) )
649
+ $errors->add('test_cookie', __("<strong>ERROR</strong>: Cookies are blocked or not supported by your browser. You must <a href='http://www.google.com/cookies.html'>enable cookies</a> to use WordPress."));
650
+
651
+ if ( $interim_login ) {
652
+ if ( ! $errors->get_error_code() )
653
+ $errors->add('expired', __('Session expired. Please log in again. You will not move away from this page.'), 'message');
654
+ } else {
655
+ // Some parts of this script use the main login form to display a message
656
+ if ( isset($_GET['loggedout']) && true == $_GET['loggedout'] )
657
+ $errors->add('loggedout', __('You are now logged out.'), 'message');
658
+ elseif ( isset($_GET['registration']) && 'disabled' == $_GET['registration'] )
659
+ $errors->add('registerdisabled', __('User registration is currently not allowed.'));
660
+ elseif ( isset($_GET['checkemail']) && 'confirm' == $_GET['checkemail'] )
661
+ $errors->add('confirm', __('Check your e-mail for the confirmation link.'), 'message');
662
+ elseif ( isset($_GET['checkemail']) && 'newpass' == $_GET['checkemail'] )
663
+ $errors->add('newpass', __('Check your e-mail for your new password.'), 'message');
664
+ elseif ( isset($_GET['checkemail']) && 'registered' == $_GET['checkemail'] )
665
+ $errors->add('registered', __('Registration complete. Please check your e-mail.'), 'message');
666
+ elseif ( strpos( $redirect_to, 'about.php?updated' ) )
667
+ $errors->add('updated', __( '<strong>You have successfully updated WordPress!</strong> Please log back in to experience the awesomeness.' ), 'message' );
668
+ }
669
+
670
+ $errors = apply_filters( 'wp_login_errors', $errors, $redirect_to );
671
+
672
+ // Clear any stale cookies.
673
+ if ( $reauth )
674
+ wp_clear_auth_cookie();
675
+
676
+ login_header(__('Log In'), '', $errors);
677
+
678
+ $user_login = '';
679
+
680
+ if ( isset($_POST['log']) )
681
+ $user_login = ( 'incorrect_password' == $errors->get_error_code() || 'empty_password' == $errors->get_error_code() ) ? esc_attr(wp_unslash($_POST['log'])) : '';
682
+ $rememberme = ! empty( $_POST['rememberme'] );
683
+ ?>
684
+
685
+ <form name="loginform" id="loginform" action="<?php echo site_url() . '/' . get_option('rwl_page') . '/'; ?>" method="post">
686
+ <p>
687
+ <label for="user_login"><?php _e('Username') ?><br />
688
+ <input type="text" name="log" id="user_login" class="input" value="<?php echo esc_attr($user_login); ?>" size="20" /></label>
689
+ </p>
690
+ <p>
691
+ <label for="user_pass"><?php _e('Password') ?><br />
692
+ <input type="password" name="pwd" id="user_pass" class="input" value="" size="20" /></label>
693
+ </p>
694
+ <?php do_action('login_form'); ?>
695
+ <p class="forgetmenot"><label for="rememberme"><input name="rememberme" type="checkbox" id="rememberme" value="forever" <?php checked( $rememberme ); ?> /> <?php esc_attr_e('Remember Me'); ?></label></p>
696
+ <p class="submit">
697
+ <input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e('Log In'); ?>" />
698
+ <?php if ( $interim_login ) { ?>
699
+ <input type="hidden" name="interim-login" value="1" />
700
+ <?php } else { ?>
701
+ <input type="hidden" name="redirect_to" value="<?php echo esc_attr($redirect_to); ?>" />
702
+ <?php } ?>
703
+ <?php if ( $customize_login ) : ?>
704
+ <input type="hidden" name="customize-login" value="1" />
705
+ <?php endif; ?>
706
+ <input type="hidden" name="testcookie" value="1" />
707
+ </p>
708
+ </form>
709
+
710
+ <?php if ( ! $interim_login ) { ?>
711
+ <p id="nav">
712
+ <?php if ( ! isset( $_GET['checkemail'] ) || ! in_array( $_GET['checkemail'], array( 'confirm', 'newpass' ) ) ) : ?>
713
+ <?php if ( get_option( 'users_can_register' ) ) : ?>
714
+ <?php echo apply_filters( 'register', sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) ) ); ?> |
715
+ <?php endif; ?>
716
+ <a href="<?php echo esc_url( wp_lostpassword_url() ); ?>" title="<?php esc_attr_e( 'Password Lost and Found' ); ?>"><?php _e( 'Lost your password?' ); ?></a>
717
+ <?php endif; ?>
718
+ </p>
719
+ <?php } ?>
720
+
721
+ <script type="text/javascript">
722
+ function wp_attempt_focus(){
723
+ setTimeout( function(){ try{
724
+ <?php if ( $user_login || $interim_login ) { ?>
725
+ d = document.getElementById('user_pass');
726
+ d.value = '';
727
+ <?php } else { ?>
728
+ d = document.getElementById('user_login');
729
+ <?php if ( 'invalid_username' == $errors->get_error_code() ) { ?>
730
+ if( d.value != '' )
731
+ d.value = '';
732
+ <?php
733
+ }
734
+ }?>
735
+ d.focus();
736
+ d.select();
737
+ } catch(e){}
738
+ }, 200);
739
+ }
740
+
741
+ <?php $error = ''; if ( !$error ) { ?>
742
+ wp_attempt_focus();
743
+ <?php } ?>
744
+ if(typeof wpOnload=='function')wpOnload();
745
+ <?php if ( $interim_login ) { ?>
746
+ (function(){
747
+ try {
748
+ var i, links = document.getElementsByTagName('a');
749
+ for ( i in links ) {
750
+ if ( links[i].href )
751
+ links[i].target = '_blank';
752
+ }
753
+ } catch(e){}
754
+ }());
755
+ <?php } ?>
756
+ </script>
757
+
758
+ <?php
759
+ login_footer();
760
+ break;
761
+ } // end action switch