Version Description
Security fix to stop XSS exploit
Also coded so should work with PHP 5.3 - although PHP 5.3. has been end of life for over two years it seems some hosts still use this. This is a security risk in its own right and sites using PHP 5.3 should try to upgrade to a supported version of PHP, but this change is for backward compatibility.
Download this release
Release Info
| Developer | fullworks |
| Plugin |  Stop User Enumeration |
| Version | 1.3.8 |
| Comparing to | |
| See all releases | |
Code changes from version 1.3.7 to 1.3.8
- readme.txt +9 -2
- settings/settings-general.php +1 -1
- stop-user-enumeration.php +13 -6
readme.txt
CHANGED
|
@@ -2,8 +2,8 @@
|
|
| 2 |
Contributors: fullworks
|
| 3 |
Tags: User Enumeration, Security, WPSCAN, fail2ban
|
| 4 |
Requires at least: 3.4
|
| 5 |
-
Tested up to: 4.
|
| 6 |
-
Stable tag: 1.3.
|
| 7 |
License: GPLv2 or later
|
| 8 |
License URI: http://www.gnu.org/licenses/gpl-2.0.html
|
| 9 |
|
|
@@ -53,6 +53,13 @@ Adjusted to your own requirements.
|
|
| 53 |
|
| 54 |
== Changelog ==
|
| 55 |
=
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 56 |
= 1.3.7 =
|
| 57 |
|
| 58 |
Fix to allow deprecated PHP Version 5.4 to work, as 5.4 seems to still be in common use despite end of life
|
| 2 |
Contributors: fullworks
|
| 3 |
Tags: User Enumeration, Security, WPSCAN, fail2ban
|
| 4 |
Requires at least: 3.4
|
| 5 |
+
Tested up to: 4.8
|
| 6 |
+
Stable tag: 1.3.8
|
| 7 |
License: GPLv2 or later
|
| 8 |
License URI: http://www.gnu.org/licenses/gpl-2.0.html
|
| 9 |
|
| 53 |
|
| 54 |
== Changelog ==
|
| 55 |
=
|
| 56 |
+
= 1.3.8 =
|
| 57 |
+
|
| 58 |
+
Security fix to stop XSS exploit
|
| 59 |
+
|
| 60 |
+
Also coded so should work with PHP 5.3 - although PHP 5.3. has been end of life for over two years it seems some hosts still use this. This is a security risk in its own right and
|
| 61 |
+
sites using PHP 5.3 should try to upgrade to a supported version of PHP, but this change is for backward compatibility.
|
| 62 |
+
|
| 63 |
= 1.3.7 =
|
| 64 |
|
| 65 |
Fix to allow deprecated PHP Version 5.4 to work, as 5.4 seems to still be in common use despite end of life
|
settings/settings-general.php
CHANGED
|
@@ -28,7 +28,7 @@ function sue_settings( $wpsf_settings ) {
|
|
| 28 |
),
|
| 29 |
array(
|
| 30 |
'id' => 'comment_jquery',
|
| 31 |
-
'title' => '
|
| 32 |
'desc' => 'This plugin uses jQuery to remove any numbers from a comment author name, this is because numbers trigger enumeration checking.
|
| 33 |
You can untick this if you do not use comments on your site or you use a different comment method than standard',
|
| 34 |
'type' => 'checkbox',
|
| 28 |
),
|
| 29 |
array(
|
| 30 |
'id' => 'comment_jquery',
|
| 31 |
+
'title' => 'Remove numbers from comment authors',
|
| 32 |
'desc' => 'This plugin uses jQuery to remove any numbers from a comment author name, this is because numbers trigger enumeration checking.
|
| 33 |
You can untick this if you do not use comments on your site or you use a different comment method than standard',
|
| 34 |
'type' => 'checkbox',
|
stop-user-enumeration.php
CHANGED
|
@@ -3,10 +3,10 @@
|
|
| 3 |
Plugin Name: Stop User Enumeration
|
| 4 |
Plugin URI: http://fullworks.net/wordpress-plugins/
|
| 5 |
Description: User enumeration is a technique used by hackers to get your login name if you are using permalinks. This plugin stops that.
|
| 6 |
-
Version: 1.3.
|
| 7 |
Author: Fullworks Digital Ltd
|
| 8 |
Author URI: http://fullworks.net/wordpress-plugins/
|
| 9 |
-
License: GPLv2 or later
|
| 10 |
*/
|
| 11 |
|
| 12 |
/*
|
|
@@ -101,7 +101,7 @@ class Stop_User_Enumeration_Plugin {
|
|
| 101 |
* Enqueue and register JavaScript files here.
|
| 102 |
*/
|
| 103 |
public function register_scripts() {
|
| 104 |
-
if($this->
|
| 105 |
wp_enqueue_script( 'comment_author', plugins_url( '/js/commentauthor.js' , __FILE__ ), array( 'jquery' ) );
|
| 106 |
}
|
| 107 |
}
|
|
@@ -117,7 +117,7 @@ class Stop_User_Enumeration_Plugin {
|
|
| 117 |
if ( ! is_user_logged_in() && isset($_REQUEST['author'])){
|
| 118 |
if( $this->ContainsNumbers($_REQUEST['author'])) {
|
| 119 |
$this->sue_log();
|
| 120 |
-
wp_die('forbidden - number in author name not allowed = ' . $_REQUEST['author']);
|
| 121 |
}
|
| 122 |
} elseif ( is_admin() ) {
|
| 123 |
$setting = wpsf_get_setting( 'sue_settings', 'general', 'stop_rest_user' );
|
|
@@ -131,8 +131,15 @@ class Stop_User_Enumeration_Plugin {
|
|
| 131 |
private function ContainsNumbers($String){
|
| 132 |
return preg_match('/\\d/', $String) > 0;
|
| 133 |
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 134 |
public function only_allow_logged_in_rest_access_to_users ($access) {
|
| 135 |
-
if($this->
|
| 136 |
if( preg_match('/users/', $_SERVER['REQUEST_URI']) !== 0 ) {
|
| 137 |
if( ! is_user_logged_in() ) {
|
| 138 |
$this->sue_log();
|
|
@@ -143,7 +150,7 @@ class Stop_User_Enumeration_Plugin {
|
|
| 143 |
return $access;
|
| 144 |
}
|
| 145 |
public function sue_log() {
|
| 146 |
-
if($this->
|
| 147 |
openlog('wordpress('.$_SERVER['HTTP_HOST'].')',LOG_NDELAY|LOG_PID,LOG_AUTH);
|
| 148 |
syslog(LOG_INFO,"Attempted user enumeration from {$_SERVER['REMOTE_ADDR']}");
|
| 149 |
closelog();
|
| 3 |
Plugin Name: Stop User Enumeration
|
| 4 |
Plugin URI: http://fullworks.net/wordpress-plugins/
|
| 5 |
Description: User enumeration is a technique used by hackers to get your login name if you are using permalinks. This plugin stops that.
|
| 6 |
+
Version: 1.3.8
|
| 7 |
Author: Fullworks Digital Ltd
|
| 8 |
Author URI: http://fullworks.net/wordpress-plugins/
|
| 9 |
+
License: GPLv2 or later.
|
| 10 |
*/
|
| 11 |
|
| 12 |
/*
|
| 101 |
* Enqueue and register JavaScript files here.
|
| 102 |
*/
|
| 103 |
public function register_scripts() {
|
| 104 |
+
if($this->checkOption('general_comment_jquery') == 1 ) {
|
| 105 |
wp_enqueue_script( 'comment_author', plugins_url( '/js/commentauthor.js' , __FILE__ ), array( 'jquery' ) );
|
| 106 |
}
|
| 107 |
}
|
| 117 |
if ( ! is_user_logged_in() && isset($_REQUEST['author'])){
|
| 118 |
if( $this->ContainsNumbers($_REQUEST['author'])) {
|
| 119 |
$this->sue_log();
|
| 120 |
+
wp_die('forbidden - number in author name not allowed = ' . esc_html($_REQUEST['author']));
|
| 121 |
}
|
| 122 |
} elseif ( is_admin() ) {
|
| 123 |
$setting = wpsf_get_setting( 'sue_settings', 'general', 'stop_rest_user' );
|
| 131 |
private function ContainsNumbers($String){
|
| 132 |
return preg_match('/\\d/', $String) > 0;
|
| 133 |
}
|
| 134 |
+
private function checkOption($option){
|
| 135 |
+
$options=$this->wpsf->get_settings();
|
| 136 |
+
if($options[$option] == 1) {
|
| 137 |
+
return true;
|
| 138 |
+
}
|
| 139 |
+
return false;
|
| 140 |
+
}
|
| 141 |
public function only_allow_logged_in_rest_access_to_users ($access) {
|
| 142 |
+
if($this->checkOption('general_stop_rest_user') == 1 ) {
|
| 143 |
if( preg_match('/users/', $_SERVER['REQUEST_URI']) !== 0 ) {
|
| 144 |
if( ! is_user_logged_in() ) {
|
| 145 |
$this->sue_log();
|
| 150 |
return $access;
|
| 151 |
}
|
| 152 |
public function sue_log() {
|
| 153 |
+
if($this->checkOption('general_log_auth') == 1 ) {
|
| 154 |
openlog('wordpress('.$_SERVER['HTTP_HOST'].')',LOG_NDELAY|LOG_PID,LOG_AUTH);
|
| 155 |
syslog(LOG_INFO,"Attempted user enumeration from {$_SERVER['REMOTE_ADDR']}");
|
| 156 |
closelog();
|
