Rename wp-login.php - Version 2.2.2

Version Description

Download this release

Release Info

Developer avryl
Plugin Icon 128x128 Rename wp-login.php
Version 2.2.2
Comparing to
See all releases

Code changes from version 1.0 to 2.2.2

Files changed (5) hide show
  1. index.php +3 -1
  2. readme.md +127 -0
  3. readme.txt +111 -21
  4. rename-wp-login.php +516 -103
  5. wp-login.php → rwl-login.php +350 -182
index.php CHANGED
@@ -1 +1,3 @@
1
- <?php // Silence is golden.
 
 
1
+ <?php
2
+
3
+ // Silence is golden.
readme.md ADDED
@@ -0,0 +1,127 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ # Rename wp-login.php
2
+
3
+ **Contributors:** avryl
4
+ **Tags:** rename, login, wp-login, wp-login.php, brute force attacks, custom login url, security
5
+ **Requires at least:** 3.8
6
+ **Tested up to:** 3.8.1
7
+ **Stable tag:** 2.2.2
8
+ **License:** GPLv2 or later
9
+ **License URI:** http://www.gnu.org/licenses/gpl-2.0.html
10
+
11
+ Change wp-login.php to anything you want. It can also prevent a lot of brute force attacks.
12
+
13
+ ## Description
14
+
15
+ *Rename wp-login.php* is a very light plugin that lets you easily and safely change wp-login.php to anything you want. It doesn’t literally rename or change files in core, nor does it add rewrite rules. It simply intercepts page requests and works on any WordPress website. The wp-admin directory and wp-login.php page become inaccessible, so you should bookmark or remember the url. Deactivating this plugin brings your site back exactly to the state it was before.
16
+
17
+ ### Compatibility
18
+
19
+ Requires WordPress 3.8 or higher. All login related things such as the registration form, lost password form, login widget and expired sessions just keep working.
20
+
21
+ It’s also compatible with any plugin that hooks in the login form, including
22
+
23
+ * BuddyPress,
24
+ * bbPress,
25
+ * Limit Login Attempts,
26
+ * and User Switching.
27
+
28
+ Obviously it doesn’t work with plugins that *hardcoded* wp-login.php.
29
+
30
+ This also works with multisite! Activating it for a network allows you to set a networkwide default. Individual sites can still rename their login page to something else.
31
+
32
+ If you’re using a **page caching plugin** you should add the slug of the new login url to the list of pages not to cache. For W3 Total Cache and WP Super Cache this plugin will give you a message with a link to the field you should update.
33
+
34
+ ### Benefits
35
+
36
+ Not only does it allow you to further customise your login page, it also prevents brute force attacks that are targeted specifically to wp-login.php. Both the wp-login.php page and the wp-admin directory (if not logged in) become inaccessible.
37
+
38
+ While you could use this plugin to prevent a lot of brute force attacks, it does not mean you don’t need a strong password. Read [this codex article](http://codex.wordpress.org/Brute_Force_Attacks) for more information on how to protect your website.
39
+
40
+ Of course, if you want to keep your login page secret, you should make sure there aren’t any links pointing to it on your website.
41
+
42
+ ## Installation
43
+
44
+ 1. Go to Plugins › Add New.
45
+ 2. Search for *Rename wp-login.php*.
46
+ 3. Look for this plugin, download and activate it.
47
+ 4. The page will redirect you to the settings. Rename wp-login.php in there.
48
+ 5. You can change this option any time you want, just go back to Settings › Permalinks › Rename wp-login.php.
49
+
50
+ ## Frequently Asked Questions
51
+
52
+ ### I forgot my login url!
53
+
54
+ Either go to your MySQL database and look for the value of `rwl_page` in the options table, or remove the `rename-wp-login` folder from your `plugins` folder, log in through wp-login.php and reinstall the plugin.
55
+
56
+ ## Changelog
57
+
58
+ ### 2.2
59
+
60
+ * Fixed issue where requests redirect to the new login page.
61
+ * Trailing slash based on the permalink structure.
62
+
63
+ ### 2.1
64
+
65
+ * Works now with non-pretty permalinks!
66
+ * Gives a message when using W3 Total Cache or WP Super Cache to update options.
67
+
68
+ ### 2.0.1
69
+
70
+ * Prevents pretty redirects such as /login and /admin.
71
+ * Simplifies some code.
72
+ * Forces login page with trailing slash.
73
+ * Replaces a wp_redirect with wp_safe_redirect.
74
+ * Shows error message in the network admin if permalinks are not enabled for the main site.
75
+
76
+ ### 2.0
77
+
78
+ * This plugin can now be activated for a network and a networkwide default can be set.
79
+ * The plugin now hooks in after init to make sure any customisations to the login form are hooked in before it.
80
+ * Links should now be fixed when SSL is enabled.
81
+
82
+ ### 1.9
83
+
84
+ * wp-admin will now have a `wp_die()` message instead of a 404 template because this caused problems.
85
+ * Minimum version is now 3.8.
86
+ * Added updates from wp-login.php in 3.8.
87
+
88
+ ### 1.8
89
+
90
+ * OOP PHP.
91
+ * Requires WordPress 3.7 or higher.
92
+ * MultiViews compatible.
93
+
94
+ ### 1.7
95
+
96
+ * Made compatible with WordPress 3.7.
97
+
98
+ ### 1.6
99
+
100
+ * Fixed the login link when `site_url()` ≠ `home_url()`.
101
+ * Added a [mirror](https://github.com/avryl/rename-wp-login) on GitHub.
102
+
103
+ ### 1.5
104
+
105
+ * Made [User Switching](http://wordpress.org/plugins/user-switching/) compatible.
106
+
107
+ ### 1.4
108
+
109
+ * Faster page load.
110
+ * Fixed 404 error for permalink structures with a prefixed path. “Almost pretty” permalinks work now too.
111
+ * Code clean-up.
112
+
113
+ ### 1.3
114
+
115
+ * Prevents the plugin from working when there is no permalink structure.
116
+
117
+ ### 1.2
118
+
119
+ * Fixed status code custom login page.
120
+
121
+ ### 1.1
122
+
123
+ * Blocked access to wp-admin to prevent a redirect the the new login page.
124
+
125
+ ### 1.0
126
+
127
+ * Initial version.
readme.txt CHANGED
@@ -1,42 +1,132 @@
1
- === Plugin Name ===
 
2
  Contributors: avryl
3
- Tags: rename, login, wp-login, wp-login.php, brute force, attacks
4
- Requires at least: 3.5
5
- Tested up to: 3.6
6
- Stable tag: trunk
 
7
  License: GPLv2 or later
8
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
9
 
10
- Rename wp-login, and block it to prevent brute force attacks.
11
 
12
  == Description ==
13
 
14
- This plugin renames `wp-login.php` to whatever you want. The default is `login` if no such page already exists. Otherwise it will append a number, e.g. `login-1`. You can change this option under ‘Settings’ ‘Permalinks’ ‘Login’.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
15
 
16
- What are the benefits? Not only does it allow you to further customise your login page, it also prevents brute force attacks that are targeted specifically to the standard `wp-login.php`. `wp-login.php` will be blocked and returns a 404 status.
17
 
18
- If you’re using a page caching plugin like **W3 Total Cache** or **WP Super Cache**, add the word you rename `wp-login.php` to (e.g. `login`) to the list of pages not to cache. For W3 Total Cache go to ‘Performance’ › ‘Page Cache’ › ‘Advanced’ › ‘Never cache the following pages’, add your new login page on a new line and save all settings. For WP Super Cache go to ‘Settings’ ‘WP Super Cache’ › ‘Advanced’ › ‘Accepted Filenames & Rejected URIs’, add your new login page on a new line and save.
19
 
20
- This plugin works with plugins that customise or hook into the standard login screen. It’s not yet tested on installs that force SSL or use the multisite feature.
 
 
21
 
22
  == Installation ==
23
 
24
- 1. Go to PluginsAdd New’.
25
- 2. Search for Rename wp-login’.
26
  3. Look for this plugin, download and activate it.
27
- 4. The page will redirect you to the settings. Rename `wp-login.php` in the section ‘Login’.
28
- 5. You can change this option any time you want, just go back to SettingsPermalinks‘Login’.
 
 
29
 
30
- == Screenshots ==
31
 
32
- 1. This screen shot description corresponds to screenshot-1.(png|jpg|jpeg|gif). Note that the screenshot is taken from
33
- the /assets directory or the directory that contains the stable readme.txt (tags or trunk). Screenshots in the /assets
34
- directory take precedence. For example, `/assets/screenshot-1.png` would win over `/tags/4.3/screenshot-1.png`
35
- (or jpg, jpeg, gif).
36
 
37
  == Changelog ==
38
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
39
  = 1.0 =
40
- * Initial version.
41
 
42
- == Upgrade Notice ==
1
+ === Rename wp-login.php ===
2
+
3
  Contributors: avryl
4
+ Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=49WXVSPP2HUKG
5
+ Tags: rename, login, wp-login, wp-login.php, brute force attacks, custom login url, security
6
+ Requires at least: 3.8
7
+ Tested up to: 3.8.1
8
+ Stable tag: 2.2.2
9
  License: GPLv2 or later
10
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
11
 
12
+ Change wp-login.php to anything you want. It can also prevent a lot of brute force attacks.
13
 
14
  == Description ==
15
 
16
+ *Rename wp-login.php* is a very light plugin that lets you easily and safely change wp-login.php to anything you want. It doesn’t literally rename or change files in core, nor does it add rewrite rules. It simply intercepts page requests and works on any WordPress website. The wp-admin directory and wp-login.php page become inaccessible, so you should bookmark or remember the url. Deactivating this plugin brings your site back exactly to the state it was before.
17
+
18
+ = Compatibility =
19
+
20
+ Requires WordPress 3.8 or higher. All login related things such as the registration form, lost password form, login widget and expired sessions just keep working.
21
+
22
+ It’s also compatible with any plugin that hooks in the login form, including
23
+
24
+ * BuddyPress,
25
+ * bbPress,
26
+ * Limit Login Attempts,
27
+ * and User Switching.
28
+
29
+ Obviously it doesn’t work with plugins that *hardcoded* wp-login.php.
30
+
31
+ This also works with multisite! Activating it for a network allows you to set a networkwide default. Individual sites can still rename their login page to something else.
32
+
33
+ If you’re using a **page caching plugin** you should add the slug of the new login url to the list of pages not to cache. For W3 Total Cache and WP Super Cache this plugin will give you a message with a link to the field you should update.
34
+
35
+ = Benefits =
36
+
37
+ Not only does it allow you to further customise your login page, it also prevents brute force attacks that are targeted specifically to wp-login.php. Both the wp-login.php page and the wp-admin directory (if not logged in) become inaccessible.
38
 
39
+ While you could use this plugin to prevent a lot of brute force attacks, it does not mean you don’t need a strong password. Read [this codex article](http://codex.wordpress.org/Brute_Force_Attacks) for more information on how to protect your website.
40
 
41
+ Of course, if you want to keep your login page secret, you should make sure there aren’t any links pointing to it on your website.
42
 
43
+ = GitHub =
44
+
45
+ This plugin has a [mirror](https://github.com/avryl/rename-wp-login) on GitHub.
46
 
47
  == Installation ==
48
 
49
+ 1. Go to Plugins › Add New.
50
+ 2. Search for *Rename wp-login.php*.
51
  3. Look for this plugin, download and activate it.
52
+ 4. The page will redirect you to the settings. Rename wp-login.php there.
53
+ 5. You can change this option any time you want, just go back to Settings › Permalinks › Rename wp-login.php.
54
+
55
+ == Frequently Asked Questions ==
56
 
57
+ = I forgot my login url! =
58
 
59
+ Either go to your MySQL database and look for the value of `rwl_page` in the options table, or remove the `rename-wp-login` folder from your `plugins` folder, log in through wp-login.php and reinstall the plugin.
 
 
 
60
 
61
  == Changelog ==
62
 
63
+ = 2.2 =
64
+
65
+ * Fixed issue where requests redirect to the new login page.
66
+ * Trailing slash based on the permalink structure.
67
+
68
+ = 2.1 =
69
+
70
+ * Works now with non-pretty permalinks!
71
+ * Gives a message when using W3 Total Cache or WP Super Cache to update options.
72
+
73
+ = 2.0.1 =
74
+
75
+ * Prevents pretty redirects such as /login and /admin.
76
+ * Simplifies some code.
77
+ * Forces login page with trailing slash.
78
+ * Replaces a wp_redirect with wp_safe_redirect.
79
+ * Shows error message in the network admin if permalinks are not enabled for the main site.
80
+
81
+ = 2.0 =
82
+
83
+ * This plugin can now be activated for a network and a networkwide default can be set.
84
+ * The plugin now hooks in after init to make sure any customisations to the login form are hooked in before it.
85
+ * Links should now be fixed when SSL is enabled.
86
+
87
+ = 1.9 =
88
+
89
+ * wp-admin will now have a `wp_die()` message instead of a 404 template because this caused problems.
90
+ * Minimum version is now 3.8.
91
+ * Added updates from wp-login.php in 3.8.
92
+
93
+ = 1.8 =
94
+
95
+ * OOP PHP.
96
+ * Requires WordPress 3.7 or higher.
97
+ * MultiViews compatible.
98
+
99
+ = 1.7 =
100
+
101
+ * Made compatible with WordPress 3.7.
102
+
103
+ = 1.6 =
104
+
105
+ * Fixed the login link when `site_url()` ≠ `home_url()`.
106
+ * Added a [mirror](https://github.com/avryl/rename-wp-login) on GitHub.
107
+
108
+ = 1.5 =
109
+
110
+ * Made [User Switching](http://wordpress.org/plugins/user-switching/) compatible.
111
+
112
+ = 1.4 =
113
+
114
+ * Faster page load.
115
+ * Fixed 404 error for permalink structures with a prefixed path. “Almost pretty” permalinks work now too.
116
+ * Code clean-up.
117
+
118
+ = 1.3 =
119
+
120
+ * Prevents the plugin from working when there is no permalink structure.
121
+
122
+ = 1.2 =
123
+
124
+ * Fixed status code custom login page.
125
+
126
+ = 1.1 =
127
+
128
+ * Blocked access to wp-admin to prevent a redirect the the new login page.
129
+
130
  = 1.0 =
 
131
 
132
+ * Initial version.
rename-wp-login.php CHANGED
@@ -1,126 +1,539 @@
1
  <?php
 
2
  /*
3
- Plugin Name: Rename wp-login
4
  Plugin URI: http://wordpress.org/plugins/rename-wp-login/
5
- Description: Rename wp-login, and block it to prevent brute force attacks.
6
  Author: avryl
7
  Author URI: http://profiles.wordpress.org/avryl/
8
- Version: 1.0
9
  Text Domain: rename-wp-login
10
  License: GPLv2 or later
11
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
12
  */
13
 
14
- register_uninstall_hook(__FILE__, 'rwl_uninstall');
15
- function rwl_uninstall() {
16
- delete_option('rwl_page');
17
- }
18
 
19
- register_activation_hook(__FILE__, 'rwl_activation');
20
- function rwl_activation() {
21
- add_option('rwl_redirect', '1');
22
- }
23
 
24
- add_action('init', 'rwl_init');
25
- function rwl_init() {
26
- if (!get_option('rwl_page') || get_option('rwl_page') == '') {
27
- update_option('rwl_page', wp_unique_post_slug('login', 0, 'publish', 'page', 0));
28
- }
29
- }
30
 
31
- add_action('login_init', 'rwl_login_init');
32
- function rwl_login_init() {
33
- global $wp_query, $post;
34
- if (!$post) {
35
- status_header(404);
36
- $wp_query->set_404();
37
- if (file_exists(TEMPLATEPATH . '/404.php')) {
38
- require_once(TEMPLATEPATH . '/404.php');
39
- } else {
40
- require_once(TEMPLATEPATH . '/index.php');
41
- }
42
- exit;
43
- }
44
- }
45
 
46
- add_action('wp', 'rwl_wp');
47
- function rwl_wp() {
48
- global $wp_query, $post, $wp;
49
- if ($wp_query->is_404 && $wp->request == get_option('rwl_page')) {
50
- $post = new stdClass();
51
- $post->ID = 0;
52
- $wp_query->queried_object = $post;
53
- $wp_query->queried_object_id = 0;
54
- $wp_query->post = $post;
55
- $wp_query->found_posts = 1;
56
- $wp_query->post_count = 1;
57
- $wp_query->is_singular = true;
58
- $wp_query->is_404 = false;
59
- $wp_query->posts = array($post);
60
- $wp_query->is_page = true;
61
- require_once(dirname(__FILE__) . '/wp-login.php');
62
- exit;
63
- }
64
- }
65
 
66
- add_action('admin_init', 'rwl_admin_init');
67
- function rwl_admin_init() {
68
- add_settings_section('rename-wp-login-section', 'Login', '__return_false', 'permalink');
69
- add_settings_field('rwl-page', '<label for="rwl-page-input">Rename wp-login.php</label>', 'rwl_page', 'permalink', 'rename-wp-login-section');
70
- if (!empty($_POST['rwl_page'])) {
71
- update_option('rwl_page', wp_unique_post_slug($_POST['rwl_page'], 0, 'publish', 'page', 0));
72
- }
73
- if (get_option('rwl_redirect') == '1') {
74
- delete_option('rwl_redirect');
75
- wp_redirect(admin_url('options-permalink.php#rwl-page-input'));
76
- }
77
- }
78
 
79
- function rwl_page() {
80
- echo '<code>' . site_url() . '/</code> <input id="rwl-page-input" type="text" name="rwl_page" value="' . get_option('rwl_page') . '" /> <code>/</code>';
81
- }
82
 
83
- add_filter('plugin_action_links_' . plugin_basename(__FILE__), 'rwl_plugin_action_links');
84
- function rwl_plugin_action_links($links) {
85
- array_unshift($links, '<a href="options-permalink.php#rwl-page-input">Settings</a>');
86
- return $links;
87
- }
88
 
89
- add_filter('site_url', 'rwl_filter_site_url', 10, 4);
90
- function rwl_filter_site_url($url, $path, $scheme, $blog_id) {
91
- return (strpos($path, 'wp-login.php') !== false && $scheme == 'login_post') ? site_url() . '/' . get_option('rwl_page') . '/' . str_replace('wp-login.php', '', $path) : $url;
92
- }
93
 
94
- add_filter('login_url', 'rwl_filter_login_url', 10, 2);
95
- function rwl_filter_login_url($login_url, $redirect = '') {
96
- $login_url = site_url() . '/' . get_option('rwl_page') . '/';
97
- if (!empty($redirect))
98
- $login_url = add_query_arg('redirect_to', urlencode($redirect), $login_url);
99
- return $login_url;
100
- }
101
 
102
- add_filter('logout_url', 'rwl_filter_logout_url', 10, 2);
103
- function rwl_filter_logout_url($login_url, $redirect = '') {
104
- $args = array('action' => 'logout');
105
- if (!empty($redirect)) {
106
- $args['redirect_to'] = urlencode($redirect);
107
- }
108
- $logout_url = add_query_arg($args, site_url() . '/' . get_option('rwl_page') . '/');
109
- $logout_url = wp_nonce_url($logout_url, 'log-out');
110
- return $logout_url;
111
- }
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
112
 
113
- add_filter('lostpassword_url', 'rwl_filter_lostpassword_url', 10, 2);
114
- function rwl_filter_lostpassword_url($lostpassword_url, $redirect = '') {
115
- $args = array( 'action' => 'lostpassword' );
116
- if (!empty($redirect)) {
117
- $args['redirect_to'] = $redirect;
118
  }
119
- $lostpassword_url = add_query_arg($args, site_url() . '/' . get_option('rwl_page') . '/');
120
- return $lostpassword_url;
121
- }
122
 
123
- add_filter('register_url', 'rwl_filter_register_url');
124
- function rwl_filter_register_url($register_url) {
125
- return site_url() . '/' . get_option('rwl_page') . '/?action=register';
126
- }
1
  <?php
2
+
3
  /*
4
+ Plugin Name: Rename wp-login.php
5
  Plugin URI: http://wordpress.org/plugins/rename-wp-login/
6
+ Description: Change wp-login.php to whatever you want. It can also prevent a lot of brute force attacks.
7
  Author: avryl
8
  Author URI: http://profiles.wordpress.org/avryl/
9
+ Version: 2.2.2
10
  Text Domain: rename-wp-login
11
  License: GPLv2 or later
12
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
13
  */
14
 
15
+ if ( ! class_exists( 'Rename_WP_Login' )
16
+ && defined( 'ABSPATH' ) ) {
 
 
17
 
18
+ class Rename_WP_Login {
 
 
 
19
 
20
+ private $wp_login_php;
 
 
 
 
 
21
 
22
+ private function basename() {
 
 
 
 
 
 
 
 
 
 
 
 
 
23
 
24
+ return plugin_basename( __FILE__ );
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
25
 
26
+ }
 
 
 
 
 
 
 
 
 
 
 
27
 
28
+ private function path() {
 
 
29
 
30
+ return trailingslashit( dirname( __FILE__ ) );
 
 
 
 
31
 
32
+ }
 
 
 
33
 
34
+ private function use_trailing_slashes() {
 
 
 
 
 
 
35
 
36
+ return ( '/' === substr( get_option( 'permalink_structure' ), -1, 1 ) );
37
+
38
+ }
39
+
40
+ private function user_trailingslashit( $string ) {
41
+
42
+ return $this->use_trailing_slashes()
43
+ ? trailingslashit( $string )
44
+ : untrailingslashit( $string );
45
+
46
+ }
47
+
48
+ private function wp_template_loader() {
49
+
50
+ global $pagenow;
51
+
52
+ $pagenow = 'index.php';
53
+
54
+ if ( ! defined( 'WP_USE_THEMES' ) ) {
55
+
56
+ define( 'WP_USE_THEMES', true );
57
+
58
+ }
59
+
60
+ wp();
61
+
62
+ require_once( ABSPATH . WPINC . '/template-loader.php' );
63
+
64
+ die;
65
+
66
+ }
67
+
68
+ private function new_login_slug() {
69
+
70
+ if ( ( $slug = get_option( 'rwl_page' ) )
71
+ || ( is_multisite()
72
+ && is_plugin_active_for_network( $this->basename() )
73
+ && ( $slug = get_site_option( 'rwl_page', 'login' ) ) )
74
+ || ( $slug = 'login' ) ) {
75
+
76
+ return $slug;
77
+
78
+ }
79
+
80
+ }
81
+
82
+ public function new_login_url() {
83
+
84
+ if ( get_option( 'permalink_structure' ) ) {
85
+
86
+ return $this->user_trailingslashit( trailingslashit( home_url() ) . $this->new_login_slug() );
87
+
88
+ }
89
+
90
+ else {
91
+
92
+ return trailingslashit( home_url() ) . '?' . $this->new_login_slug();
93
+
94
+ }
95
+
96
+ }
97
+
98
+ public function __construct() {
99
+
100
+ global $wp_version;
101
+
102
+ if ( version_compare( $wp_version, '3.8', '<' ) ) {
103
+
104
+ add_action( 'admin_notices', array( $this, 'admin_notices_incompatible' ) );
105
+ add_action( 'network_admin_notices', array( $this, 'admin_notices_incompatible' ) );
106
+
107
+ return;
108
+
109
+ }
110
+
111
+ register_activation_hook( $this->basename(), array( $this, 'activate' ) );
112
+ register_uninstall_hook( $this->basename(), array( 'Rename_WP_Login', 'uninstall' ) );
113
+
114
+ add_action( 'admin_init', array( $this, 'admin_init' ) );
115
+ add_action( 'admin_notices', array( $this, 'admin_notices' ) );
116
+ add_action( 'network_admin_notices', array( $this, 'admin_notices' ) );
117
+
118
+ if ( is_multisite()
119
+ && ! function_exists( 'is_plugin_active_for_network' ) ) {
120
+
121
+ require_once( ABSPATH . '/wp-admin/includes/plugin.php' );
122
+
123
+ }
124
+
125
+ add_filter( 'plugin_action_links_' . $this->basename(), array( $this, 'plugin_action_links' ) );
126
+
127
+ if ( is_multisite()
128
+ && is_plugin_active_for_network( $this->basename() ) ) {
129
+
130
+ add_filter( 'network_admin_plugin_action_links_' . $this->basename(), array( $this, 'plugin_action_links' ) );
131
+
132
+ add_action( 'wpmu_options', array( $this, 'wpmu_options' ) );
133
+ add_action( 'update_wpmu_options', array( $this, 'update_wpmu_options' ) );
134
+
135
+ }
136
+
137
+ add_action( 'plugins_loaded', array( $this, 'plugins_loaded' ), 1 );
138
+ add_action( 'wp_loaded', array( $this, 'wp_loaded' ) );
139
+
140
+ add_filter( 'site_url', array( $this, 'filter_wp_login_php' ) );
141
+ add_filter( 'network_site_url', array( $this, 'filter_wp_login_php' ) );
142
+ add_filter( 'wp_redirect', array( $this, 'filter_wp_login_php' ) );
143
+
144
+ add_filter( 'site_option_welcome_email', array( $this, 'welcome_email' ) );
145
+
146
+ remove_action( 'template_redirect', 'wp_redirect_admin_locations', 1000 );
147
+
148
+ }
149
+
150
+ public function admin_notices_incompatible() {
151
+
152
+ echo '<div class="update-nag"><p>Please upgrade to the latest version of WordPress to activate <strong>Rename wp-login.php</strong>.</p></div>';
153
+
154
+ }
155
+
156
+ public function activate() {
157
+
158
+ add_option( 'rwl_redirect', '1' );
159
+
160
+ delete_option( 'rwl_admin' );
161
+
162
+ }
163
+
164
+ public static function uninstall() {
165
+
166
+ global $wpdb;
167
+
168
+ if ( is_multisite() ) {
169
+
170
+ $blogs = $wpdb->get_col( "SELECT blog_id FROM {$wpdb->blogs}" );
171
+
172
+ if ( $blogs ) {
173
+
174
+ foreach( $blogs as $blog ) {
175
+
176
+ switch_to_blog( $blog );
177
+
178
+ delete_option( 'rwl_page' );
179
+
180
+ }
181
+
182
+ restore_current_blog();
183
+
184
+ }
185
+
186
+ delete_site_option( 'rwl_page' );
187
+
188
+ }
189
+
190
+ else {
191
+
192
+ delete_option( 'rwl_page' );
193
+
194
+ }
195
+
196
+ }
197
+
198
+ public function wpmu_options() {
199
+
200
+ $out = '';
201
+
202
+ $out .= '<h3>Rename wp-login.php</h3>';
203
+ $out .= '<p>This option allows you to set a networkwide default, which can be overridden by individual sites. Simply go to to the site’s permalink settings to change the url.</p>';
204
+ $out .= '<p>Need help? Try the <a href="http://wordpress.org/support/plugin/rename-wp-login#postform" target="_blank">support forum</a>.</p>';
205
+ $out .= '<table class="form-table">';
206
+ $out .= '<tr valign="top">';
207
+ $out .= '<th scope="row">Networkwide default</th>';
208
+ $out .= '<td><input id="rwl-page-input" type="text" name="rwl_page" value="' . get_site_option( 'rwl_page', 'login' ) . '"></td>';
209
+ $out .= '</tr>';
210
+ $out .= '</table>';
211
+
212
+ echo $out;
213
+
214
+ }
215
+
216
+ public function update_wpmu_options() {
217
+
218
+ if ( ( $rwl_page = sanitize_title_with_dashes( $_POST['rwl_page'] ) )
219
+ && strpos( $rwl_page, 'wp-login' ) === false
220
+ && ! in_array( $rwl_page, $this->forbidden_slugs() ) ) {
221
+
222
+ update_site_option( 'rwl_page', $rwl_page );
223
+
224
+ }
225
+
226
+ }
227
+
228
+ public function admin_init() {
229
+
230
+ global $pagenow;
231
+
232
+ add_settings_section(
233
+ 'rename-wp-login-section',
234
+ 'Rename wp-login.php',
235
+ array( $this, 'rwl_section_desc' ),
236
+ 'permalink'
237
+ );
238
+
239
+ add_settings_field(
240
+ 'rwl-page',
241
+ '<label for="rwl-page">Login url</label>',
242
+ array( $this, 'rwl_page_input' ),
243
+ 'permalink',
244
+ 'rename-wp-login-section'
245
+ );
246
+
247
+ if ( isset( $_POST['rwl_page'] )
248
+ && $pagenow === 'options-permalink.php' ) {
249
+
250
+ if ( ( $rwl_page = sanitize_title_with_dashes( $_POST['rwl_page'] ) )
251
+ && strpos( $rwl_page, 'wp-login' ) === false
252
+ && ! in_array( $rwl_page, $this->forbidden_slugs() ) ) {
253
+
254
+ if ( $rwl_page === get_site_option( 'rwl_page', 'login' ) ) {
255
+
256
+ delete_option( 'rwl_page' );
257
+
258
+ }
259
+
260
+ else {
261
+
262
+ update_option( 'rwl_page', $rwl_page );
263
+
264
+ }
265
+
266
+ }
267
+
268
+ }
269
+
270
+ if ( get_option( 'rwl_redirect' ) ) {
271
+
272
+ delete_option( 'rwl_redirect' );
273
+
274
+ if ( is_multisite()
275
+ && is_super_admin()
276
+ && is_plugin_active_for_network( $this->basename() ) ) {
277
+
278
+ $redirect = network_admin_url( 'settings.php#rwl-page-input' );
279
+
280
+ }
281
+
282
+ else {
283
+
284
+ $redirect = admin_url( 'options-permalink.php#rwl-page-input' );
285
+
286
+ }
287
+
288
+ wp_safe_redirect( $redirect );
289
+
290
+ die;
291
+
292
+ }
293
+
294
+ }
295
+
296
+ public function rwl_section_desc() {
297
+
298
+ $out = '';
299
+
300
+ if ( ! is_multisite()
301
+ || is_super_admin() ) {
302
+
303
+ $out .= '<p>Need help? Try the <a href="http://wordpress.org/support/plugin/rename-wp-login#postform" target="_blank">support forum</a>.</p>';
304
+
305
+ }
306
+
307
+ if ( is_multisite()
308
+ && is_super_admin()
309
+ && is_plugin_active_for_network( $this->basename() ) ) {
310
+
311
+ $out .= '<p>To set a networkwide default, go to <a href="' . network_admin_url( 'settings.php#rwl-page-input' ) . '">Network Settings</a>.</p>';
312
+
313
+ }
314
+
315
+ echo $out;
316
+
317
+ }
318
+
319
+ public function rwl_page_input() {
320
+
321
+ if ( get_option( 'permalink_structure' ) ) {
322
+
323
+ echo '<code>' . trailingslashit( home_url() ) . '</code> <input id="rwl-page-input" type="text" name="rwl_page" value="' . $this->new_login_slug() . '">' . ( $this->use_trailing_slashes() ? ' <code>/</code>' : '' );
324
+
325
+ }
326
+
327
+ else {
328
+
329
+ echo '<code>' . trailingslashit( home_url() ) . '?</code> <input id="rwl-page-input" type="text" name="rwl_page" value="' . $this->new_login_slug() . '">';
330
+
331
+ }
332
+
333
+ }
334
+
335
+ public function admin_notices() {
336
+
337
+ global $pagenow, $cache_rejected_uri;
338
+
339
+ $out = '';
340
+
341
+ if ( ! is_network_admin()
342
+ && $pagenow === 'options-permalink.php'
343
+ && isset( $_GET['settings-updated'] ) ) {
344
+
345
+ $out .= '<div class="updated"><p>Your login page is now here: <strong><a href="' . $this->new_login_url() . '">' . $this->new_login_url() . '</a></strong>. Bookmark this page!</p></div>';
346
+
347
+ }
348
+
349
+ if ( current_user_can( 'manage_options' )
350
+ && function_exists( 'w3_instance' )
351
+ && ( $w3tc = w3_instance( 'W3_Config' ) )
352
+ && ( $w3tc = $w3tc->get_array( 'pgcache.reject.uri' ) )
353
+ && ! in_array( $this->new_login_slug(), $w3tc ) ) {
354
+
355
+ $admin_url = admin_url( 'admin.php?page=w3tc_pgcache#pgcache_reject_uri' );
356
+
357
+ $out .= '<div class="update-nag"><strong>W3 Total Cache</strong> is enabled on your website. To make sure <strong>Rename wp-login.php</strong> works correctly, you should add <strong>' . $this->new_login_slug() . '</strong> to <a href="' . $admin_url . '">Never cache the following pages</a>. This notice will disappear once you’ve done that correctly.</div>';
358
+
359
+ }
360
+
361
+ if ( current_user_can( 'manage_options' )
362
+ && is_array( $cache_rejected_uri )
363
+ && ! in_array( $this->new_login_slug(), $cache_rejected_uri ) ) {
364
+
365
+ $admin_url = is_network_admin() ? network_admin_url( 'settings.php?page=wpsupercache&tab=settings#rejecturi' ) : admin_url( 'options-general.php?page=wpsupercache&tab=settings#rejecturi' );
366
+
367
+ $out .= '<div class="update-nag"><strong>WP Super Cache</strong> is enabled on your website. To make sure <strong>Rename wp-login.php</strong> works correctly, you should add <strong>' . $this->new_login_slug() . '</strong> to <a href="' . $admin_url . '">Rejected URIs</a>. This notice will disappear once you’ve done that correctly.</div>';
368
+
369
+ }
370
+
371
+ echo $out;
372
+
373
+ }
374
+
375
+ public function plugin_action_links( $links ) {
376
+
377
+ if ( is_network_admin()
378
+ && is_plugin_active_for_network( $this->basename() ) ) {
379
+
380
+ array_unshift( $links, '<a href="' . network_admin_url( 'settings.php#rwl-page-input' ) . '">Settings</a>' );
381
+
382
+ }
383
+
384
+ elseif ( ! is_network_admin() ) {
385
+
386
+ array_unshift( $links, '<a href="' . admin_url( 'options-permalink.php#rwl-page-input' ) . '">Settings</a>' );
387
+
388
+ }
389
+
390
+ return $links;
391
+
392
+ }
393
+
394
+ public function plugins_loaded() {
395
+
396
+ global $pagenow;
397
+
398
+ if ( ! is_multisite()
399
+ && ( strpos( $_SERVER['REQUEST_URI'], 'wp-signup' ) !== false
400
+ || strpos( $_SERVER['REQUEST_URI'], 'wp-activate' ) ) !== false ) {
401
+
402
+ wp_die( __( 'This feature is not enabled.' ) );
403
+
404
+ }
405
+
406
+ $request = parse_url( $_SERVER['REQUEST_URI'] );
407
+
408
+ if ( ( strpos( $_SERVER['REQUEST_URI'], 'wp-login.php' ) !== false
409
+ || untrailingslashit( $request['path'] ) === site_url( 'wp-login', 'relative' ) )
410
+ && ! is_admin() ) {
411
+
412
+ $this->wp_login_php = true;
413
+
414
+ $_SERVER['REQUEST_URI'] = str_repeat( '-/', 10 );
415
+
416
+ $pagenow = 'index.php';
417
+
418
+ }
419
+
420
+ elseif ( untrailingslashit( $request['path'] ) === home_url( $this->new_login_slug(), 'relative' )
421
+ || ( ! get_option( 'permalink_structure' )
422
+ && isset( $_GET[$this->new_login_slug()] )
423
+ && empty( $_GET[$this->new_login_slug()] ) ) ) {
424
+
425
+ $pagenow = 'wp-login.php';
426
+
427
+ }
428
+
429
+ }
430
+
431
+ public function wp_loaded() {
432
+
433
+ global $pagenow;
434
+
435
+ if ( is_admin()
436
+ && ! is_user_logged_in()
437
+ && ! defined( 'DOING_AJAX' ) ) {
438
+
439
+ wp_die( __( 'You must log in to access the admin area.' ) );
440
+
441
+ }
442
+
443
+ $request = parse_url( $_SERVER['REQUEST_URI'] );
444
+
445
+ if ( $pagenow === 'wp-login.php'
446
+ && $request['path'] !== $this->user_trailingslashit( $request['path'] )
447
+ && get_option( 'permalink_structure' ) ) {
448
+
449
+ wp_safe_redirect( $this->user_trailingslashit( $this->new_login_url() )
450
+ . ( ! empty( $_SERVER['QUERY_STRING'] ) ? '?' . $_SERVER['QUERY_STRING'] : '' ) );
451
+
452
+ die;
453
+
454
+ }
455
+
456
+ elseif ( $this->wp_login_php ) {
457
+
458
+ if ( ( $referer = wp_get_referer() )
459
+ && strpos( $referer, 'wp-activate.php' ) !== false
460
+ && ( $referer = parse_url( $referer ) )
461
+ && ! empty( $referer['query'] ) ) {
462
+
463
+ parse_str( $referer['query'], $referer );
464
+
465
+ if ( ! empty( $referer['key'] )
466
+ && ( $result = wpmu_activate_signup( $referer['key'] ) )
467
+ && is_wp_error( $result )
468
+ && ( $result->get_error_code() === 'already_active'
469
+ || $result->get_error_code() === 'blog_taken' ) ) {
470
+
471
+ wp_safe_redirect( $this->new_login_url()
472
+ . ( ! empty( $_SERVER['QUERY_STRING'] ) ? '?' . $_SERVER['QUERY_STRING'] : '' ) );
473
+
474
+ die;
475
+
476
+ }
477
+
478
+ }
479
+
480
+ $this->wp_template_loader();
481
+
482
+ }
483
+
484
+ elseif ( $pagenow === 'wp-login.php' ) {
485
+
486
+ require_once( $this->path() . 'rwl-login.php' );
487
+
488
+ die;
489
+
490
+
491
+ }
492
+
493
+ }
494
+
495
+ public function filter_wp_login_php( $url ) {
496
+
497
+ if ( strpos( $url, 'wp-login.php' ) !== false ) {
498
+
499
+ $args = explode( '?', $url );
500
+
501
+ if ( isset( $args[1] ) ) {
502
+
503
+ parse_str( $args[1], $args );
504
+
505
+ $url = add_query_arg( $args, $this->new_login_url() );
506
+
507
+ }
508
+
509
+ else {
510
+
511
+ $url = $this->new_login_url();
512
+
513
+ }
514
+
515
+ }
516
+
517
+ return $url;
518
+
519
+ }
520
+
521
+ public function welcome_email( $value ) {
522
+
523
+ return $value = str_replace( 'wp-login.php', trailingslashit( get_site_option( 'rwl_page', 'login' ) ), $value );
524
+
525
+ }
526
+
527
+ public function forbidden_slugs() {
528
+
529
+ $wp = new WP;
530
+
531
+ return array_merge( $wp->public_query_vars, $wp->private_query_vars );
532
+
533
+ }
534
 
 
 
 
 
 
535
  }
 
 
 
536
 
537
+ new Rename_WP_Login;
538
+
539
+ }
 
wp-login.php → rwl-login.php RENAMED
@@ -1,4 +1,17 @@
1
  <?php
 
 
 
 
 
 
 
 
 
 
 
 
 
2
 
3
  // Redirect to https login if forced to use SSL
4
  if ( force_ssl_admin() && ! is_ssl() ) {
@@ -12,39 +25,46 @@ if ( force_ssl_admin() && ! is_ssl() ) {
12
  }
13
 
14
  /**
15
- * Outputs the header for the login page.
16
  *
17
- * @uses do_action() Calls the 'login_head' for outputting HTML in the Log In
18
- * header.
19
- * @uses apply_filters() Calls 'login_headerurl' for the top login link.
20
- * @uses apply_filters() Calls 'login_headertitle' for the top login title.
21
- * @uses apply_filters() Calls 'login_message' on the message to display in the
22
- * header.
23
- * @uses $error The error global, which is checked for displaying errors.
24
- *
25
- * @param string $title Optional. WordPress Log In Page title to display in
26
- * <title/> element.
27
- * @param string $message Optional. Message to display in header.
28
  * @param WP_Error $wp_error Optional. WordPress Error Object
29
  */
30
- function login_header($title = 'Log In', $message = '', $wp_error = '') {
31
- global $error, $interim_login, $current_site, $action;
32
 
33
  // Don't index any of these forms
34
  add_action( 'login_head', 'wp_no_robots' );
35
 
 
 
 
36
  if ( empty($wp_error) )
37
  $wp_error = new WP_Error();
38
 
39
  // Shake it!
40
  $shake_error_codes = array( 'empty_password', 'empty_email', 'invalid_email', 'invalidcombo', 'empty_username', 'invalid_username', 'incorrect_password' );
 
 
 
 
 
 
 
41
  $shake_error_codes = apply_filters( 'shake_error_codes', $shake_error_codes );
42
 
43
  if ( $shake_error_codes && $wp_error->get_error_code() && in_array( $wp_error->get_error_code(), $shake_error_codes ) )
44
  add_action( 'login_head', 'wp_shake_js', 12 );
45
 
46
  ?><!DOCTYPE html>
47
- <html xmlns="http://www.w3.org/1999/xhtml" <?php language_attributes(); ?>>
 
 
 
 
 
48
  <head>
49
  <meta http-equiv="Content-Type" content="<?php bloginfo('html_type'); ?>; charset=<?php bloginfo('charset'); ?>" />
50
  <title><?php bloginfo('name'); ?> &rsaquo; <?php echo $title; ?></title>
@@ -52,10 +72,7 @@ function login_header($title = 'Log In', $message = '', $wp_error = '') {
52
 
53
  wp_admin_css( 'wp-admin', true );
54
  wp_admin_css( 'colors-fresh', true );
55
-
56
- if ( wp_is_mobile() ) { ?>
57
- <meta name="viewport" content="width=320, initial-scale=0.9, maximum-scale=1.0, user-scalable=0" /><?php
58
- }
59
 
60
  // Remove all stored post data on logging out.
61
  // This could be added by add_action('login_head'...) like wp_shake_js()
@@ -66,18 +83,42 @@ function login_header($title = 'Log In', $message = '', $wp_error = '') {
66
  <?php
67
  }
68
 
 
 
 
 
 
69
  do_action( 'login_enqueue_scripts' );
 
 
 
 
 
70
  do_action( 'login_head' );
71
 
72
  if ( is_multisite() ) {
73
  $login_header_url = network_home_url();
74
- $login_header_title = $current_site->site_name;
75
  } else {
76
  $login_header_url = __( 'http://wordpress.org/' );
77
  $login_header_title = __( 'Powered by WordPress' );
78
  }
79
 
80
- $login_header_url = apply_filters( 'login_headerurl', $login_header_url );
 
 
 
 
 
 
 
 
 
 
 
 
 
 
81
  $login_header_title = apply_filters( 'login_headertitle', $login_header_title );
82
 
83
  $classes = array( 'login-action-' . $action, 'wp-core-ui' );
@@ -95,6 +136,14 @@ function login_header($title = 'Log In', $message = '', $wp_error = '') {
95
  $classes[] = 'interim-login-success';
96
  }
97
 
 
 
 
 
 
 
 
 
98
  $classes = apply_filters( 'login_body_class', $classes, $action );
99
 
100
  ?>
@@ -106,7 +155,14 @@ function login_header($title = 'Log In', $message = '', $wp_error = '') {
106
 
107
  unset( $login_header_url, $login_header_title );
108
 
109
- $message = apply_filters('login_message', $message);
 
 
 
 
 
 
 
110
  if ( !empty( $message ) )
111
  echo $message . "\n";
112
 
@@ -128,10 +184,26 @@ function login_header($title = 'Log In', $message = '', $wp_error = '') {
128
  $errors .= ' ' . $error . "<br />\n";
129
  }
130
  }
131
- if ( !empty($errors) )
132
- echo '<div id="login_error">' . apply_filters('login_errors', $errors) . "</div>\n";
133
- if ( !empty($messages) )
134
- echo '<p class="message">' . apply_filters('login_messages', $messages) . "</p>\n";
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
135
  }
136
  } // End of login_header()
137
 
@@ -157,7 +229,13 @@ function login_footer($input_id = '') {
157
  </script>
158
  <?php endif; ?>
159
 
160
- <?php do_action('login_footer'); ?>
 
 
 
 
 
 
161
  <div class="clear"></div>
162
  </body>
163
  </html>
@@ -178,6 +256,12 @@ addLoadEvent(function(){ var p=new Array(15,30,15,0,-15,-30,-15,0);p=p.concat(p.
178
  <?php
179
  }
180
 
 
 
 
 
 
 
181
  /**
182
  * Handles sending password retrieval email to user.
183
  *
@@ -186,7 +270,7 @@ addLoadEvent(function(){ var p=new Array(15,30,15,0,-15,-30,-15,0);p=p.concat(p.
186
  * @return bool|WP_Error True: when finish. WP_Error on error
187
  */
188
  function retrieve_password() {
189
- global $wpdb, $current_site;
190
 
191
  $errors = new WP_Error();
192
 
@@ -201,7 +285,12 @@ function retrieve_password() {
201
  $user_data = get_user_by('login', $login);
202
  }
203
 
204
- do_action('lostpassword_post');
 
 
 
 
 
205
 
206
  if ( $errors->get_error_code() )
207
  return $errors;
@@ -215,30 +304,66 @@ function retrieve_password() {
215
  $user_login = $user_data->user_login;
216
  $user_email = $user_data->user_email;
217
 
218
- do_action('retreive_password', $user_login); // Misspelled and deprecated
219
- do_action('retrieve_password', $user_login);
220
-
221
- $allow = apply_filters('allow_password_reset', true, $user_data->ID);
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
222
 
223
  if ( ! $allow )
224
  return new WP_Error('no_password_reset', __('Password reset is not allowed for this user'));
225
  else if ( is_wp_error($allow) )
226
  return $allow;
227
 
228
- $key = $wpdb->get_var($wpdb->prepare("SELECT user_activation_key FROM $wpdb->users WHERE user_login = %s", $user_login));
229
- if ( empty($key) ) {
230
- // Generate something random for a key...
231
- $key = wp_generate_password(20, false);
232
- do_action('retrieve_password_key', $user_login, $key);
233
- // Now insert the new md5 key into the db
234
- $wpdb->update($wpdb->users, array('user_activation_key' => $key), array('user_login' => $user_login));
 
 
 
 
 
 
 
 
 
 
235
  }
 
 
 
236
  $message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";
237
  $message .= network_home_url( '/' ) . "\r\n\r\n";
238
  $message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
239
  $message .= __('If this was a mistake, just ignore this email and nothing will happen.') . "\r\n\r\n";
240
  $message .= __('To reset your password, visit the following address:') . "\r\n\r\n";
241
- $message .= '<' . site_url() . '/' . get_option('rwl_page') . '/' . "?action=rp&key=$key&login=" . rawurlencode($user_login) . ">\r\n";
242
 
243
  if ( is_multisite() )
244
  $blogname = $GLOBALS['current_site']->site_name;
@@ -249,8 +374,23 @@ function retrieve_password() {
249
 
250
  $title = sprintf( __('[%s] Password Reset'), $blogname );
251
 
252
- $title = apply_filters('retrieve_password_title', $title);
253
- $message = apply_filters('retrieve_password_message', $message, $key);
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
254
 
255
  if ( $message && !wp_mail($user_email, $title, $message) )
256
  wp_die( __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function.') );
@@ -258,102 +398,6 @@ function retrieve_password() {
258
  return true;
259
  }
260
 
261
- /**
262
- * Retrieves a user row based on password reset key and login
263
- *
264
- * @uses $wpdb WordPress Database object
265
- *
266
- * @param string $key Hash to validate sending user's password
267
- * @param string $login The user login
268
- * @return object|WP_Error User's database row on success, error object for invalid keys
269
- */
270
- function check_password_reset_key($key, $login) {
271
- global $wpdb;
272
-
273
- $key = preg_replace('/[^a-z0-9]/i', '', $key);
274
-
275
- if ( empty( $key ) || !is_string( $key ) )
276
- return new WP_Error('invalid_key', __('Invalid key'));
277
-
278
- if ( empty($login) || !is_string($login) )
279
- return new WP_Error('invalid_key', __('Invalid key'));
280
-
281
- $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s AND user_login = %s", $key, $login));
282
-
283
- if ( empty( $user ) )
284
- return new WP_Error('invalid_key', __('Invalid key'));
285
-
286
- return $user;
287
- }
288
-
289
- /**
290
- * Handles resetting the user's password.
291
- *
292
- * @param object $user The user
293
- * @param string $new_pass New password for the user in plaintext
294
- */
295
- function reset_password($user, $new_pass) {
296
- do_action('password_reset', $user, $new_pass);
297
-
298
- wp_set_password($new_pass, $user->ID);
299
-
300
- wp_password_change_notification($user);
301
- }
302
-
303
- /**
304
- * Handles registering a new user.
305
- *
306
- * @param string $user_login User's username for logging in
307
- * @param string $user_email User's email address to send password and add
308
- * @return int|WP_Error Either user's ID or error on failure.
309
- */
310
- function register_new_user( $user_login, $user_email ) {
311
- $errors = new WP_Error();
312
-
313
- $sanitized_user_login = sanitize_user( $user_login );
314
- $user_email = apply_filters( 'user_registration_email', $user_email );
315
-
316
- // Check the username
317
- if ( $sanitized_user_login == '' ) {
318
- $errors->add( 'empty_username', __( '<strong>ERROR</strong>: Please enter a username.' ) );
319
- } elseif ( ! validate_username( $user_login ) ) {
320
- $errors->add( 'invalid_username', __( '<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.' ) );
321
- $sanitized_user_login = '';
322
- } elseif ( username_exists( $sanitized_user_login ) ) {
323
- $errors->add( 'username_exists', __( '<strong>ERROR</strong>: This username is already registered. Please choose another one.' ) );
324
- }
325
-
326
- // Check the e-mail address
327
- if ( $user_email == '' ) {
328
- $errors->add( 'empty_email', __( '<strong>ERROR</strong>: Please type your e-mail address.' ) );
329
- } elseif ( ! is_email( $user_email ) ) {
330
- $errors->add( 'invalid_email', __( '<strong>ERROR</strong>: The email address isn&#8217;t correct.' ) );
331
- $user_email = '';
332
- } elseif ( email_exists( $user_email ) ) {
333
- $errors->add( 'email_exists', __( '<strong>ERROR</strong>: This email is already registered, please choose another one.' ) );
334
- }
335
-
336
- do_action( 'register_post', $sanitized_user_login, $user_email, $errors );
337
-
338
- $errors = apply_filters( 'registration_errors', $errors, $sanitized_user_login, $user_email );
339
-
340
- if ( $errors->get_error_code() )
341
- return $errors;
342
-
343
- $user_pass = wp_generate_password( 12, false);
344
- $user_id = wp_create_user( $sanitized_user_login, $user_pass, $user_email );
345
- if ( ! $user_id ) {
346
- $errors->add( 'registerfail', sprintf( __( '<strong>ERROR</strong>: Couldn&#8217;t register you&hellip; please contact the <a href="mailto:%s">webmaster</a> !' ), get_option( 'admin_email' ) ) );
347
- return $errors;
348
- }
349
-
350
- update_user_option( $user_id, 'default_password_nag', true, true ); //Set up the Password change nag.
351
-
352
- wp_new_user_notification( $user_id, $user_pass );
353
-
354
- return $user_id;
355
- }
356
-
357
  //
358
  // Main
359
  //
@@ -386,8 +430,21 @@ setcookie(TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN);
386
  if ( SITECOOKIEPATH != COOKIEPATH )
387
  setcookie(TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN);
388
 
389
- // allow plugins to override the default actions, and to add extra actions if they want
 
 
 
 
390
  do_action( 'login_init' );
 
 
 
 
 
 
 
 
 
391
  do_action( 'login_form_' . $action );
392
 
393
  $http_post = ('POST' == $_SERVER['REQUEST_METHOD']);
@@ -399,8 +456,18 @@ case 'postpass' :
399
  require_once ABSPATH . 'wp-includes/class-phpass.php';
400
  $hasher = new PasswordHash( 8, true );
401
 
402
- // 10 days
403
- setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), time() + 10 * DAY_IN_SECONDS, COOKIEPATH );
 
 
 
 
 
 
 
 
 
 
404
 
405
  wp_safe_redirect( wp_get_referer() );
406
  exit();
@@ -411,7 +478,7 @@ case 'logout' :
411
  check_admin_referer('log-out');
412
  wp_logout();
413
 
414
- $redirect_to = !empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : site_url() . '/' . get_option('rwl_page') . '/' . '?loggedout=true';
415
  wp_safe_redirect( $redirect_to );
416
  exit();
417
 
@@ -423,37 +490,73 @@ case 'retrievepassword' :
423
  if ( $http_post ) {
424
  $errors = retrieve_password();
425
  if ( !is_wp_error($errors) ) {
426
- $redirect_to = !empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : site_url() . '/' . get_option('rwl_page') . '/' . '?checkemail=confirm';
427
  wp_safe_redirect( $redirect_to );
428
  exit();
429
  }
430
  }
431
 
432
- if ( isset($_GET['error']) && 'invalidkey' == $_GET['error'] ) $errors->add('invalidkey', __('Sorry, that key does not appear to be valid.'));
433
- $redirect_to = apply_filters( 'lostpassword_redirect', !empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '' );
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
434
 
435
- do_action('lost_password');
436
  login_header(__('Lost Password'), '<p class="message">' . __('Please enter your username or email address. You will receive a link to create a new password via email.') . '</p>', $errors);
437
 
438
  $user_login = isset($_POST['user_login']) ? wp_unslash($_POST['user_login']) : '';
439
 
440
  ?>
441
 
442
- <form name="lostpasswordform" id="lostpasswordform" action="<?php echo site_url() . '/' . get_option('rwl_page') . '/' . '?action=lostpassword'; ?>" method="post">
443
  <p>
444
  <label for="user_login" ><?php _e('Username or E-mail:') ?><br />
445
  <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr($user_login); ?>" size="20" /></label>
446
  </p>
447
- <?php do_action('lostpassword_form'); ?>
 
 
 
 
 
 
448
  <input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" />
449
  <p class="submit"><input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e('Get New Password'); ?>" /></p>
450
  </form>
451
 
452
  <p id="nav">
453
  <a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e('Log in') ?></a>
454
- <?php if ( get_option( 'users_can_register' ) ) : ?>
455
- | <?php echo apply_filters( 'register', sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) ) ); ?>
456
- <?php endif; ?>
 
 
 
 
 
 
 
 
 
 
457
  </p>
458
 
459
  <?php
@@ -465,7 +568,10 @@ case 'rp' :
465
  $user = check_password_reset_key($_GET['key'], $_GET['login']);
466
 
467
  if ( is_wp_error($user) ) {
468
- wp_redirect( site_url() . '/' . get_option('rwl_page') . '/' . '?action=lostpassword&error=invalidkey' );
 
 
 
469
  exit;
470
  }
471
 
@@ -474,6 +580,14 @@ case 'rp' :
474
  if ( isset($_POST['pass1']) && $_POST['pass1'] != $_POST['pass2'] )
475
  $errors->add( 'password_reset_mismatch', __( 'The passwords do not match.' ) );
476
 
 
 
 
 
 
 
 
 
477
  do_action( 'validate_password_reset', $errors, $user );
478
 
479
  if ( ( ! $errors->get_error_code() ) && isset( $_POST['pass1'] ) && !empty( $_POST['pass1'] ) ) {
@@ -489,7 +603,7 @@ case 'rp' :
489
  login_header(__('Reset Password'), '<p class="message reset-pass">' . __('Enter your new password below.') . '</p>', $errors );
490
 
491
  ?>
492
- <form name="resetpassform" id="resetpassform" action="<?php echo site_url() . '/' . get_option('rwl_page') . '/' . '?action=resetpass&key=' . urlencode( $_GET['key'] ) . '&login=' . urlencode( $_GET['login'] ); ?>" method="post" autocomplete="off">
493
  <input type="hidden" id="user_login" value="<?php echo esc_attr( $_GET['login'] ); ?>" autocomplete="off" />
494
 
495
  <p>
@@ -510,9 +624,13 @@ case 'rp' :
510
 
511
  <p id="nav">
512
  <a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a>
513
- <?php if ( get_option( 'users_can_register' ) ) : ?>
514
- | <?php echo apply_filters( 'register', sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) ) ); ?>
515
- <?php endif; ?>
 
 
 
 
516
  </p>
517
 
518
  <?php
@@ -521,13 +639,20 @@ break;
521
 
522
  case 'register' :
523
  if ( is_multisite() ) {
524
- // Multisite uses wp-signup.php
525
- wp_redirect( apply_filters( 'wp_signup_location', network_site_url('wp-signup.php') ) );
 
 
 
 
 
 
 
526
  exit;
527
  }
528
 
529
  if ( !get_option('users_can_register') ) {
530
- wp_redirect( site_url() . '/' . get_option('rwl_page') . '/' . '?registration=disabled' );
531
  exit();
532
  }
533
 
@@ -538,17 +663,25 @@ case 'register' :
538
  $user_email = $_POST['user_email'];
539
  $errors = register_new_user($user_login, $user_email);
540
  if ( !is_wp_error($errors) ) {
541
- $redirect_to = !empty( $_POST['redirect_to'] ) ? $_POST['redirect_to'] : site_url() . '/' . get_option('rwl_page') . '/' . '?checkemail=registered';
542
  wp_safe_redirect( $redirect_to );
543
  exit();
544
  }
545
  }
546
 
547
- $redirect_to = apply_filters( 'registration_redirect', !empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '' );
 
 
 
 
 
 
 
 
548
  login_header(__('Registration Form'), '<p class="message register">' . __('Register For This Site') . '</p>', $errors);
549
  ?>
550
 
551
- <form name="registerform" id="registerform" action="<?php echo site_url() . '/' . get_option('rwl_page') . '/' . '?action=register'; ?>" method="post">
552
  <p>
553
  <label for="user_login"><?php _e('Username') ?><br />
554
  <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr(wp_unslash($user_login)); ?>" size="20" /></label>
@@ -557,7 +690,14 @@ case 'register' :
557
  <label for="user_email"><?php _e('E-mail') ?><br />
558
  <input type="text" name="user_email" id="user_email" class="input" value="<?php echo esc_attr(wp_unslash($user_email)); ?>" size="25" /></label>
559
  </p>
560
- <?php do_action('register_form'); ?>
 
 
 
 
 
 
 
561
  <p id="reg_passmail"><?php _e('A password will be e-mailed to you.') ?></p>
562
  <br class="clear" />
563
  <input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" />
@@ -608,9 +748,23 @@ default:
608
  if ( !$secure_cookie && is_ssl() && force_ssl_login() && !force_ssl_admin() && ( 0 !== strpos($redirect_to, 'https') ) && ( 0 === strpos($redirect_to, 'http') ) )
609
  $secure_cookie = false;
610
 
611
- $user = wp_signon('', $secure_cookie);
612
-
613
- $redirect_to = apply_filters('login_redirect', $redirect_to, isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '', $user);
 
 
 
 
 
 
 
 
 
 
 
 
 
 
614
 
615
  if ( !is_wp_error($user) && !$reauth ) {
616
  if ( $interim_login ) {
@@ -618,7 +772,9 @@ default:
618
  $interim_login = 'success';
619
  login_header( '', $message ); ?>
620
  </div>
621
- <?php do_action( 'login_footer' ); ?>
 
 
622
  <?php if ( $customize_login ) : ?>
623
  <script type="text/javascript">setTimeout( function(){ new wp.customize.Messenger({ url: '<?php echo wp_customize_url(); ?>', channel: 'login' }).send('login') }, 1000 );</script>
624
  <?php endif; ?>
@@ -644,10 +800,6 @@ default:
644
  if ( !empty($_GET['loggedout']) || $reauth )
645
  $errors = new WP_Error();
646
 
647
- // If cookies are disabled we can't log in even with a valid user+pass
648
- if ( isset($_POST['testcookie']) && empty($_COOKIE[TEST_COOKIE]) )
649
- $errors->add('test_cookie', __("<strong>ERROR</strong>: Cookies are blocked or not supported by your browser. You must <a href='http://www.google.com/cookies.html'>enable cookies</a> to use WordPress."));
650
-
651
  if ( $interim_login ) {
652
  if ( ! $errors->get_error_code() )
653
  $errors->add('expired', __('Session expired. Please log in again. You will not move away from this page.'), 'message');
@@ -667,6 +819,14 @@ default:
667
  $errors->add('updated', __( '<strong>You have successfully updated WordPress!</strong> Please log back in to experience the awesomeness.' ), 'message' );
668
  }
669
 
 
 
 
 
 
 
 
 
670
  $errors = apply_filters( 'wp_login_errors', $errors, $redirect_to );
671
 
672
  // Clear any stale cookies.
@@ -674,15 +834,13 @@ default:
674
  wp_clear_auth_cookie();
675
 
676
  login_header(__('Log In'), '', $errors);
677
-
678
- $user_login = '';
679
 
680
  if ( isset($_POST['log']) )
681
  $user_login = ( 'incorrect_password' == $errors->get_error_code() || 'empty_password' == $errors->get_error_code() ) ? esc_attr(wp_unslash($_POST['log'])) : '';
682
  $rememberme = ! empty( $_POST['rememberme'] );
683
  ?>
684
 
685
- <form name="loginform" id="loginform" action="<?php echo site_url() . '/' . get_option('rwl_page') . '/'; ?>" method="post">
686
  <p>
687
  <label for="user_login"><?php _e('Username') ?><br />
688
  <input type="text" name="log" id="user_login" class="input" value="<?php echo esc_attr($user_login); ?>" size="20" /></label>
@@ -691,7 +849,14 @@ default:
691
  <label for="user_pass"><?php _e('Password') ?><br />
692
  <input type="password" name="pwd" id="user_pass" class="input" value="" size="20" /></label>
693
  </p>
694
- <?php do_action('login_form'); ?>
 
 
 
 
 
 
 
695
  <p class="forgetmenot"><label for="rememberme"><input name="rememberme" type="checkbox" id="rememberme" value="forever" <?php checked( $rememberme ); ?> /> <?php esc_attr_e('Remember Me'); ?></label></p>
696
  <p class="submit">
697
  <input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e('Log In'); ?>" />
@@ -709,10 +874,13 @@ default:
709
 
710
  <?php if ( ! $interim_login ) { ?>
711
  <p id="nav">
712
- <?php if ( ! isset( $_GET['checkemail'] ) || ! in_array( $_GET['checkemail'], array( 'confirm', 'newpass' ) ) ) : ?>
713
- <?php if ( get_option( 'users_can_register' ) ) : ?>
714
- <?php echo apply_filters( 'register', sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) ) ); ?> |
715
- <?php endif; ?>
 
 
 
716
  <a href="<?php echo esc_url( wp_lostpassword_url() ); ?>" title="<?php esc_attr_e( 'Password Lost and Found' ); ?>"><?php _e( 'Lost your password?' ); ?></a>
717
  <?php endif; ?>
718
  </p>
@@ -738,7 +906,7 @@ d.select();
738
  }, 200);
739
  }
740
 
741
- <?php $error = ''; if ( !$error ) { ?>
742
  wp_attempt_focus();
743
  <?php } ?>
744
  if(typeof wpOnload=='function')wpOnload();
@@ -758,4 +926,4 @@ try {
758
  <?php
759
  login_footer();
760
  break;
761
- } // end action switch
1
  <?php
2
+ /**
3
+ * WordPress User Page
4
+ *
5
+ * Handles authentication, registering, resetting passwords, forgot password,
6
+ * and other user handling.
7
+ *
8
+ * @package WordPress
9
+ */
10
+
11
+ /** Make sure that the WordPress bootstrap has run before continuing. */
12
+ //require( dirname(__FILE__) . '/wp-load.php' );
13
+
14
+ global $error, $interim_login, $action, $user_login;
15
 
16
  // Redirect to https login if forced to use SSL
17
  if ( force_ssl_admin() && ! is_ssl() ) {
25
  }
26
 
27
  /**
28
+ * Output the login page header.
29
  *
30
+ * @param string $title Optional. WordPress Log In Page title to display in <title/> element. Default 'Log In'.
31
+ * @param string $message Optional. Message to display in header. Default empty.
32
+ * @param string $wp_error Optional. The error to pass. Default empty.
 
 
 
 
 
 
 
 
33
  * @param WP_Error $wp_error Optional. WordPress Error Object
34
  */
35
+ function login_header( $title = 'Log In', $message = '', $wp_error = '' ) {
36
+ global $error, $interim_login, $action;
37
 
38
  // Don't index any of these forms
39
  add_action( 'login_head', 'wp_no_robots' );
40
 
41
+ if ( wp_is_mobile() )
42
+ add_action( 'login_head', 'wp_login_viewport_meta' );
43
+
44
  if ( empty($wp_error) )
45
  $wp_error = new WP_Error();
46
 
47
  // Shake it!
48
  $shake_error_codes = array( 'empty_password', 'empty_email', 'invalid_email', 'invalidcombo', 'empty_username', 'invalid_username', 'incorrect_password' );
49
+ /**
50
+ * Filter the error codes array for shaking the login form.
51
+ *
52
+ * @since 3.0.0
53
+ *
54
+ * @param array $shake_error_codes Error codes that shake the login form.
55
+ */
56
  $shake_error_codes = apply_filters( 'shake_error_codes', $shake_error_codes );
57
 
58
  if ( $shake_error_codes && $wp_error->get_error_code() && in_array( $wp_error->get_error_code(), $shake_error_codes ) )
59
  add_action( 'login_head', 'wp_shake_js', 12 );
60
 
61
  ?><!DOCTYPE html>
62
+ <!--[if IE 8]>
63
+ <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" <?php language_attributes(); ?>>
64
+ <![endif]-->
65
+ <!--[if !(IE 8) ]><!-->
66
+ <html xmlns="http://www.w3.org/1999/xhtml" <?php language_attributes(); ?>>
67
+ <!--<![endif]-->
68
  <head>
69
  <meta http-equiv="Content-Type" content="<?php bloginfo('html_type'); ?>; charset=<?php bloginfo('charset'); ?>" />
70
  <title><?php bloginfo('name'); ?> &rsaquo; <?php echo $title; ?></title>
72
 
73
  wp_admin_css( 'wp-admin', true );
74
  wp_admin_css( 'colors-fresh', true );
75
+ wp_admin_css( 'ie', true );
 
 
 
76
 
77
  // Remove all stored post data on logging out.
78
  // This could be added by add_action('login_head'...) like wp_shake_js()
83
  <?php
84
  }
85
 
86
+ /**
87
+ * Enqueue scripts and styles for the login page.
88
+ *
89
+ * @since 3.1.0
90
+ */
91
  do_action( 'login_enqueue_scripts' );
92
+ /**
93
+ * Fires in the login page header after scripts are enqueued.
94
+ *
95
+ * @since 2.1.0
96
+ */
97
  do_action( 'login_head' );
98
 
99
  if ( is_multisite() ) {
100
  $login_header_url = network_home_url();
101
+ $login_header_title = get_current_site()->site_name;
102
  } else {
103
  $login_header_url = __( 'http://wordpress.org/' );
104
  $login_header_title = __( 'Powered by WordPress' );
105
  }
106
 
107
+ /**
108
+ * Filter link URL of the header logo above login form.
109
+ *
110
+ * @since 2.1.0
111
+ *
112
+ * @param string $login_header_url Login header logo URL.
113
+ */
114
+ $login_header_url = apply_filters( 'login_headerurl', $login_header_url );
115
+ /**
116
+ * Filter the title attribute of the header logo above login form.
117
+ *
118
+ * @since 2.1.0
119
+ *
120
+ * @param string $login_header_title Login header logo title attribute.
121
+ */
122
  $login_header_title = apply_filters( 'login_headertitle', $login_header_title );
123
 
124
  $classes = array( 'login-action-' . $action, 'wp-core-ui' );
136
  $classes[] = 'interim-login-success';
137
  }
138
 
139
+ /**
140
+ * Filter the login page body classes.
141
+ *
142
+ * @since 3.5.0
143
+ *
144
+ * @param array $classes An array of body classes.
145
+ * @param string $action The action that brought the visitor to the login page.
146
+ */
147
  $classes = apply_filters( 'login_body_class', $classes, $action );
148
 
149
  ?>
155
 
156
  unset( $login_header_url, $login_header_title );
157
 
158
+ /**
159
+ * Filter the message to display above the login form.
160
+ *
161
+ * @since 2.1.0
162
+ *
163
+ * @param string $message Login message text.
164
+ */
165
+ $message = apply_filters( 'login_message', $message );
166
  if ( !empty( $message ) )
167
  echo $message . "\n";
168
 
184
  $errors .= ' ' . $error . "<br />\n";
185
  }
186
  }
187
+ if ( ! empty( $errors ) ) {
188
+ /**
189
+ * Filter the error messages displayed above the login form.
190
+ *
191
+ * @since 2.1.0
192
+ *
193
+ * @param string $errors Login error message.
194
+ */
195
+ echo '<div id="login_error">' . apply_filters( 'login_errors', $errors ) . "</div>\n";
196
+ }
197
+ if ( ! empty( $messages ) ) {
198
+ /**
199
+ * Filter instructional messages displayed above the login form.
200
+ *
201
+ * @since 2.5.0
202
+ *
203
+ * @param string $messages Login messages.
204
+ */
205
+ echo '<p class="message">' . apply_filters( 'login_messages', $messages ) . "</p>\n";
206
+ }
207
  }
208
  } // End of login_header()
209
 
229
  </script>
230
  <?php endif; ?>
231
 
232
+ <?php
233
+ /**
234
+ * Fires in the login page footer.
235
+ *
236
+ * @since 3.1.0
237
+ */
238
+ do_action( 'login_footer' ); ?>
239
  <div class="clear"></div>
240
  </body>
241
  </html>
256
  <?php
257
  }
258
 
259
+ function wp_login_viewport_meta() {
260
+ ?>
261
+ <meta name="viewport" content="width=device-width" />
262
+ <?php
263
+ }
264
+
265
  /**
266
  * Handles sending password retrieval email to user.
267
  *
270
  * @return bool|WP_Error True: when finish. WP_Error on error
271
  */
272
  function retrieve_password() {
273
+ global $wpdb, $wp_hasher;
274
 
275
  $errors = new WP_Error();
276
 
285
  $user_data = get_user_by('login', $login);
286
  }
287
 
288
+ /**
289
+ * Fires before errors are returned from a password reset request.
290
+ *
291
+ * @since 2.1.0
292
+ */
293
+ do_action( 'lostpassword_post' );
294
 
295
  if ( $errors->get_error_code() )
296
  return $errors;
304
  $user_login = $user_data->user_login;
305
  $user_email = $user_data->user_email;
306
 
307
+ /**
308
+ * Fires before a new password is retrieved.
309
+ *
310
+ * @since 1.5.0
311
+ * @deprecated 1.5.1 Misspelled. Use 'retrieve_password' hook instead.
312
+ *
313
+ * @param string $user_login The user login name.
314
+ */
315
+ do_action( 'retreive_password', $user_login );
316
+ /**
317
+ * Fires before a new password is retrieved.
318
+ *
319
+ * @since 1.5.1
320
+ *
321
+ * @param string $user_login The user login name.
322
+ */
323
+ do_action( 'retrieve_password', $user_login );
324
+
325
+ /**
326
+ * Filter whether to allow a password to be reset.
327
+ *
328
+ * @since 2.7.0
329
+ *
330
+ * @param bool true Whether to allow the password to be reset. Default true.
331
+ * @param int $user_data->ID The ID of the user attempting to reset a password.
332
+ */
333
+ $allow = apply_filters( 'allow_password_reset', true, $user_data->ID );
334
 
335
  if ( ! $allow )
336
  return new WP_Error('no_password_reset', __('Password reset is not allowed for this user'));
337
  else if ( is_wp_error($allow) )
338
  return $allow;
339
 
340
+ // Generate something random for a password reset key.
341
+ $key = wp_generate_password( 20, false );
342
+
343
+ /**
344
+ * Fires when a password reset key is generated.
345
+ *
346
+ * @since 2.5.0
347
+ *
348
+ * @param string $user_login The username for the user.
349
+ * @param string $key The generated password reset key.
350
+ */
351
+ do_action( 'retrieve_password_key', $user_login, $key );
352
+
353
+ // Now insert the key, hashed, into the DB.
354
+ if ( empty( $wp_hasher ) ) {
355
+ require_once ABSPATH . 'wp-includes/class-phpass.php';
356
+ $wp_hasher = new PasswordHash( 8, true );
357
  }
358
+ $hashed = $wp_hasher->HashPassword( $key );
359
+ $wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user_login ) );
360
+
361
  $message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";
362
  $message .= network_home_url( '/' ) . "\r\n\r\n";
363
  $message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
364
  $message .= __('If this was a mistake, just ignore this email and nothing will happen.') . "\r\n\r\n";
365
  $message .= __('To reset your password, visit the following address:') . "\r\n\r\n";
366
+ $message .= '<' . network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . ">\r\n";
367
 
368
  if ( is_multisite() )
369
  $blogname = $GLOBALS['current_site']->site_name;
374
 
375
  $title = sprintf( __('[%s] Password Reset'), $blogname );
376
 
377
+ /**
378
+ * Filter the subject of the password reset email.
379
+ *
380
+ * @since 2.8.0
381
+ *
382
+ * @param string $title Default email title.
383
+ */
384
+ $title = apply_filters( 'retrieve_password_title', $title );
385
+ /**
386
+ * Filter the message body of the password reset mail.
387
+ *
388
+ * @since 2.8.0
389
+ *
390
+ * @param string $message Default mail message.
391
+ * @param string $key The activation key.
392
+ */
393
+ $message = apply_filters( 'retrieve_password_message', $message, $key );
394
 
395
  if ( $message && !wp_mail($user_email, $title, $message) )
396
  wp_die( __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function.') );
398
  return true;
399
  }
400
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
401
  //
402
  // Main
403
  //
430
  if ( SITECOOKIEPATH != COOKIEPATH )
431
  setcookie(TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN);
432
 
433
+ /**
434
+ * Fires when the login form is initialized.
435
+ *
436
+ * @since 3.2.0
437
+ */
438
  do_action( 'login_init' );
439
+ /**
440
+ * Fires before a specified login form action.
441
+ *
442
+ * The dynamic portion of the hook name, $action, refers to the action
443
+ * that brought the visitor to the login form. Actions include 'postpass',
444
+ * 'logout', 'lostpassword', etc.
445
+ *
446
+ * @since 2.8.0
447
+ */
448
  do_action( 'login_form_' . $action );
449
 
450
  $http_post = ('POST' == $_SERVER['REQUEST_METHOD']);
456
  require_once ABSPATH . 'wp-includes/class-phpass.php';
457
  $hasher = new PasswordHash( 8, true );
458
 
459
+ /**
460
+ * Filter the life span of the post password cookie.
461
+ *
462
+ * By default, the cookie expires 10 days from creation. To turn this
463
+ * into a session cookie, return 0.
464
+ *
465
+ * @since 3.7.0
466
+ *
467
+ * @param int $expires The expiry time, as passed to setcookie().
468
+ */
469
+ $expire = apply_filters( 'post_password_expires', time() + 10 * DAY_IN_SECONDS );
470
+ setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH );
471
 
472
  wp_safe_redirect( wp_get_referer() );
473
  exit();
478
  check_admin_referer('log-out');
479
  wp_logout();
480
 
481
+ $redirect_to = !empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : 'wp-login.php?loggedout=true';
482
  wp_safe_redirect( $redirect_to );
483
  exit();
484
 
490
  if ( $http_post ) {
491
  $errors = retrieve_password();
492
  if ( !is_wp_error($errors) ) {
493
+ $redirect_to = !empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : 'wp-login.php?checkemail=confirm';
494
  wp_safe_redirect( $redirect_to );
495
  exit();
496
  }
497
  }
498
 
499
+ if ( isset( $_GET['error'] ) ) {
500
+ if ( 'invalidkey' == $_GET['error'] )
501
+ $errors->add( 'invalidkey', __( 'Sorry, that key does not appear to be valid.' ) );
502
+ elseif ( 'expiredkey' == $_GET['error'] )
503
+ $errors->add( 'expiredkey', __( 'Sorry, that key has expired. Please try again.' ) );
504
+ }
505
+
506
+ $lostpassword_redirect = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
507
+ /**
508
+ * Filter the URL redirected to after submitting the lostpassword/retrievepassword form.
509
+ *
510
+ * @since 3.0.0
511
+ *
512
+ * @param string $lostpassword_redirect The redirect destination URL.
513
+ */
514
+ $redirect_to = apply_filters( 'lostpassword_redirect', $lostpassword_redirect );
515
+
516
+ /**
517
+ * Fires before the lost password form.
518
+ *
519
+ * @since 1.5.1
520
+ */
521
+ do_action( 'lost_password' );
522
 
 
523
  login_header(__('Lost Password'), '<p class="message">' . __('Please enter your username or email address. You will receive a link to create a new password via email.') . '</p>', $errors);
524
 
525
  $user_login = isset($_POST['user_login']) ? wp_unslash($_POST['user_login']) : '';
526
 
527
  ?>
528
 
529
+ <form name="lostpasswordform" id="lostpasswordform" action="<?php echo esc_url( site_url( 'wp-login.php?action=lostpassword', 'login_post' ) ); ?>" method="post">
530
  <p>
531
  <label for="user_login" ><?php _e('Username or E-mail:') ?><br />
532
  <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr($user_login); ?>" size="20" /></label>
533
  </p>
534
+ <?php
535
+ /**
536
+ * Fires inside the lostpassword <form> tags, before the hidden fields.
537
+ *
538
+ * @since 2.1.0
539
+ */
540
+ do_action( 'lostpassword_form' ); ?>
541
  <input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" />
542
  <p class="submit"><input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e('Get New Password'); ?>" /></p>
543
  </form>
544
 
545
  <p id="nav">
546
  <a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e('Log in') ?></a>
547
+ <?php
548
+ if ( get_option( 'users_can_register' ) ) :
549
+ $registration_url = sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) );
550
+ /**
551
+ * Filter the registration URL below the login form.
552
+ *
553
+ * @since 1.5.0
554
+ *
555
+ * @param string $registration_url Registration URL.
556
+ */
557
+ echo ' | ' . apply_filters( 'register', $registration_url );
558
+ endif;
559
+ ?>
560
  </p>
561
 
562
  <?php
568
  $user = check_password_reset_key($_GET['key'], $_GET['login']);
569
 
570
  if ( is_wp_error($user) ) {
571
+ if ( $user->get_error_code() === 'expired_key' )
572
+ wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=expiredkey' ) );
573
+ else
574
+ wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=invalidkey' ) );
575
  exit;
576
  }
577
 
580
  if ( isset($_POST['pass1']) && $_POST['pass1'] != $_POST['pass2'] )
581
  $errors->add( 'password_reset_mismatch', __( 'The passwords do not match.' ) );
582
 
583
+ /**
584
+ * Fires before the password reset procedure is validated.
585
+ *
586
+ * @since 3.5.0
587
+ *
588
+ * @param object $errors WP Error object.
589
+ * @param WP_User|WP_Error $user WP_User object if the login and reset key match. WP_Error object otherwise.
590
+ */
591
  do_action( 'validate_password_reset', $errors, $user );
592
 
593
  if ( ( ! $errors->get_error_code() ) && isset( $_POST['pass1'] ) && !empty( $_POST['pass1'] ) ) {
603
  login_header(__('Reset Password'), '<p class="message reset-pass">' . __('Enter your new password below.') . '</p>', $errors );
604
 
605
  ?>
606
+ <form name="resetpassform" id="resetpassform" action="<?php echo esc_url( site_url( 'wp-login.php?action=resetpass&key=' . urlencode( $_GET['key'] ) . '&login=' . urlencode( $_GET['login'] ), 'login_post' ) ); ?>" method="post" autocomplete="off">
607
  <input type="hidden" id="user_login" value="<?php echo esc_attr( $_GET['login'] ); ?>" autocomplete="off" />
608
 
609
  <p>
624
 
625
  <p id="nav">
626
  <a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a>
627
+ <?php
628
+ if ( get_option( 'users_can_register' ) ) :
629
+ $registration_url = sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) );
630
+ /** This filter is documented in wp-login.php */
631
+ echo ' | ' . apply_filters( 'register', $registration_url );
632
+ endif;
633
+ ?>
634
  </p>
635
 
636
  <?php
639
 
640
  case 'register' :
641
  if ( is_multisite() ) {
642
+ $sign_up_url = network_site_url( 'wp-signup.php' );
643
+ /**
644
+ * Filter the Multisite sign up URL.
645
+ *
646
+ * @since 3.0.0
647
+ *
648
+ * @param string $sign_up_url The sign up URL.
649
+ */
650
+ wp_redirect( apply_filters( 'wp_signup_location', $sign_up_url ) );
651
  exit;
652
  }
653
 
654
  if ( !get_option('users_can_register') ) {
655
+ wp_redirect( site_url('wp-login.php?registration=disabled') );
656
  exit();
657
  }
658
 
663
  $user_email = $_POST['user_email'];
664
  $errors = register_new_user($user_login, $user_email);
665
  if ( !is_wp_error($errors) ) {
666
+ $redirect_to = !empty( $_POST['redirect_to'] ) ? $_POST['redirect_to'] : 'wp-login.php?checkemail=registered';
667
  wp_safe_redirect( $redirect_to );
668
  exit();
669
  }
670
  }
671
 
672
+ $registration_redirect = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
673
+ /**
674
+ * Filter the registration redirect URL.
675
+ *
676
+ * @since 3.0.0
677
+ *
678
+ * @param string $registration_redirect The redirect destination URL.
679
+ */
680
+ $redirect_to = apply_filters( 'registration_redirect', $registration_redirect );
681
  login_header(__('Registration Form'), '<p class="message register">' . __('Register For This Site') . '</p>', $errors);
682
  ?>
683
 
684
+ <form name="registerform" id="registerform" action="<?php echo esc_url( site_url('wp-login.php?action=register', 'login_post') ); ?>" method="post">
685
  <p>
686
  <label for="user_login"><?php _e('Username') ?><br />
687
  <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr(wp_unslash($user_login)); ?>" size="20" /></label>
690
  <label for="user_email"><?php _e('E-mail') ?><br />
691
  <input type="text" name="user_email" id="user_email" class="input" value="<?php echo esc_attr(wp_unslash($user_email)); ?>" size="25" /></label>
692
  </p>
693
+ <?php
694
+ /**
695
+ * Fires following the 'E-mail' field in the user registration form.
696
+ *
697
+ * @since 2.1.0
698
+ */
699
+ do_action( 'register_form' );
700
+ ?>
701
  <p id="reg_passmail"><?php _e('A password will be e-mailed to you.') ?></p>
702
  <br class="clear" />
703
  <input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" />
748
  if ( !$secure_cookie && is_ssl() && force_ssl_login() && !force_ssl_admin() && ( 0 !== strpos($redirect_to, 'https') ) && ( 0 === strpos($redirect_to, 'http') ) )
749
  $secure_cookie = false;
750
 
751
+ // If cookies are disabled we can't log in even with a valid user+pass
752
+ if ( isset($_POST['testcookie']) && empty($_COOKIE[TEST_COOKIE]) )
753
+ $user = new WP_Error('test_cookie', __("<strong>ERROR</strong>: Cookies are blocked or not supported by your browser. You must <a href='http://www.google.com/cookies.html'>enable cookies</a> to use WordPress."));
754
+ else
755
+ $user = wp_signon('', $secure_cookie);
756
+
757
+ $requested_redirect_to = isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
758
+ /**
759
+ * Filter the login redirect URL.
760
+ *
761
+ * @since 3.0.0
762
+ *
763
+ * @param string $redirect_to The redirect destination URL.
764
+ * @param string $requested_redirect_to The requested redirect destination URL passed as a parameter.
765
+ * @param WP_User|WP_Error $user WP_User object if login was successful, WP_Error object otherwise.
766
+ */
767
+ $redirect_to = apply_filters( 'login_redirect', $redirect_to, $requested_redirect_to, $user );
768
 
769
  if ( !is_wp_error($user) && !$reauth ) {
770
  if ( $interim_login ) {
772
  $interim_login = 'success';
773
  login_header( '', $message ); ?>
774
  </div>
775
+ <?php
776
+ /** This action is documented in wp-login.php */
777
+ do_action( 'login_footer' ); ?>
778
  <?php if ( $customize_login ) : ?>
779
  <script type="text/javascript">setTimeout( function(){ new wp.customize.Messenger({ url: '<?php echo wp_customize_url(); ?>', channel: 'login' }).send('login') }, 1000 );</script>
780
  <?php endif; ?>
800
  if ( !empty($_GET['loggedout']) || $reauth )
801
  $errors = new WP_Error();
802
 
 
 
 
 
803
  if ( $interim_login ) {
804
  if ( ! $errors->get_error_code() )
805
  $errors->add('expired', __('Session expired. Please log in again. You will not move away from this page.'), 'message');
819
  $errors->add('updated', __( '<strong>You have successfully updated WordPress!</strong> Please log back in to experience the awesomeness.' ), 'message' );
820
  }
821
 
822
+ /**
823
+ * Filter the login page errors.
824
+ *
825
+ * @since 3.6.0
826
+ *
827
+ * @param object $errors WP Error object.
828
+ * @param string $redirect_to Redirect destination URL.
829
+ */
830
  $errors = apply_filters( 'wp_login_errors', $errors, $redirect_to );
831
 
832
  // Clear any stale cookies.
834
  wp_clear_auth_cookie();
835
 
836
  login_header(__('Log In'), '', $errors);
 
 
837
 
838
  if ( isset($_POST['log']) )
839
  $user_login = ( 'incorrect_password' == $errors->get_error_code() || 'empty_password' == $errors->get_error_code() ) ? esc_attr(wp_unslash($_POST['log'])) : '';
840
  $rememberme = ! empty( $_POST['rememberme'] );
841
  ?>
842
 
843
+ <form name="loginform" id="loginform" action="<?php echo esc_url( site_url( 'wp-login.php', 'login_post' ) ); ?>" method="post">
844
  <p>
845
  <label for="user_login"><?php _e('Username') ?><br />
846
  <input type="text" name="log" id="user_login" class="input" value="<?php echo esc_attr($user_login); ?>" size="20" /></label>
849
  <label for="user_pass"><?php _e('Password') ?><br />
850
  <input type="password" name="pwd" id="user_pass" class="input" value="" size="20" /></label>
851
  </p>
852
+ <?php
853
+ /**
854
+ * Fires following the 'Password' field in the login form.
855
+ *
856
+ * @since 2.1.0
857
+ */
858
+ do_action( 'login_form' );
859
+ ?>
860
  <p class="forgetmenot"><label for="rememberme"><input name="rememberme" type="checkbox" id="rememberme" value="forever" <?php checked( $rememberme ); ?> /> <?php esc_attr_e('Remember Me'); ?></label></p>
861
  <p class="submit">
862
  <input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e('Log In'); ?>" />
874
 
875
  <?php if ( ! $interim_login ) { ?>
876
  <p id="nav">
877
+ <?php if ( ! isset( $_GET['checkemail'] ) || ! in_array( $_GET['checkemail'], array( 'confirm', 'newpass' ) ) ) :
878
+ if ( get_option( 'users_can_register' ) ) :
879
+ $registration_url = sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) );
880
+ /** This filter is documented in wp-login.php */
881
+ echo apply_filters( 'register', $registration_url ) . ' | ';
882
+ endif;
883
+ ?>
884
  <a href="<?php echo esc_url( wp_lostpassword_url() ); ?>" title="<?php esc_attr_e( 'Password Lost and Found' ); ?>"><?php _e( 'Lost your password?' ); ?></a>
885
  <?php endif; ?>
886
  </p>
906
  }, 200);
907
  }
908
 
909
+ <?php if ( !$error ) { ?>
910
  wp_attempt_focus();
911
  <?php } ?>
912
  if(typeof wpOnload=='function')wpOnload();
926
  <?php
927
  login_footer();
928
  break;
929
+ } // end action switch