Wordfence Security – Firewall & Malware Scan - Version 1.5.6

Version Description

  • Removed the use of nonces; unlock emails now rely purely on the 30 minute key.
  • Fixed a bug that caused admin email addresses not to be emailed when an unlock email was requested.
  • Fixed minor issue with undefined array in issues loop.

Release Info

Developer mmaunder
Version 1.5.6

Code changes from version 1.5.5 to 1.5.6

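--- a/lib/wfIssues.php
+++ b/lib/wfIssues.php
@@ -76,6 +76,9 @@ class wfIssues {
  if($level == 2 && $this->totalCriticalIssues < 1 && $this->totalWarningIssues < 1){ return; }
  if($level == 1 && $this->totalCriticalIssues < 1){ return; }
  $emailedIssues = wfConfig::get_ser('emailedIssuesList', array());
+ if(! is_array($emailedIssues)){
+ $emailedIssues = array();
+ }
  $finalIssues = array();
  foreach($this->newIssues as $newIssue){
  $alreadyEmailed = false;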
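Review bot: The `is_array()` guard fixes only this call site, yet `wfConfig::get_ser('emailedIssuesList', array())` is already given an array default, so the non-array value presumably comes out of `get_ser()` itself (its body is not visible here), for example when the stored value cannot be unserialized. If that is the cause, normalising the return value inside `get_ser()` would cover every caller rather than this one loop. At minimum the guard deserves a comment such as `// get_ser() can hand back a non-array despite the array default; fall back to an empty list`. The enclosing method starts and ends outside the hunk.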
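--- a/lib/wfUnlockMsg.php
+++ b/lib/wfUnlockMsg.php
@@ -1,6 +1,6 @@
  If you are a site administrator and have been accidentally locked out, please enter your email in the box below and click "Send". If the email address you enter belongs to a known site administrator or someone set to receive Wordfence alerts, we will send you an email to help you regain access.
  <br /><br />
- <form method="POST" action="<?php echo wfUtils::getSiteBaseURL(); ?>?_wfsf=unlockEmail&nonce=<?php echo wp_create_nonce('wp-ajax'); ?>">
+ <form method="POST" action="<?php echo wfUtils::getSiteBaseURL(); ?>?_wfsf=unlockEmail">
  <input type="text" size="50" name="email" value="" maxlength="255" />&nbsp;<input type="submit" name="s" value="Send me an unlock email" />
  </form>
  <br /><br />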
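Review bot: The form `action` on new line 3 echoes `wfUtils::getSiteBaseURL()` straight into an HTML attribute without escaping. If that helper builds the URL from request data (its body is not shown on this page), the attribute value is not guaranteed to be safe; escaping the whole URL keeps the template correct either way: `action="<?php echo esc_url(wfUtils::getSiteBaseURL() . '?_wfsf=unlockEmail'); ?>"`. With the nonce removed the form carries no per-request token, so it is worth confirming that the `unlockEmail` handler throttles requests, since this page is shown to locked-out, unauthenticated visitors.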
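--- a/lib/wordfenceClass.php
+++ b/lib/wordfenceClass.php
@@ -245,17 +245,14 @@ class wordfence {
  public static function veryFirstAction(){
  $wfFunc = $_GET['_wfsf'];
  if($wfFunc == 'unlockEmail'){
- if(! wp_verify_nonce($_GET['nonce'], 'wp-ajax')){
- echo "Security token verification failed.";
- exit();
- }
  $email = trim($_POST['email']);
  global $wpdb;
  $ws = $wpdb->get_results("SELECT ID, user_login FROM $wpdb->users");
  $users = array();
  foreach($ws as $user){
- if($user->user_level > 7){
- if($email == $user->user_email){
+ $userDat = get_userdata($user->ID);
+ if($userDat->user_level > 7){
+ if($email == $userDat->user_email){
  $found = true;
  break;
  }
@@ -276,7 +273,7 @@ class wordfence {
  $content = wfUtils::tmpl('email_unlockRequest.php', array(
  'siteName' => get_bloginfo('name', 'raw'),
  'siteURL' => wfUtils::getSiteBaseURL(),
- 'unlockHref' => wfUtils::getSiteBaseURL() . '?_wfsf=unlockAccess&nonce=' . wp_create_nonce('wp-unlock') . '&key=' . $key,
+ 'unlockHref' => wfUtils::getSiteBaseURL() . '?_wfsf=unlockAccess&key=' . $key,
  'key' => $key,
  'IP' => $IP
  ));
@@ -285,10 +282,6 @@ class wordfence {
  echo "<html><body><h1>Your request was received</h1><p>We received a request to email \"$email\" instructions to unlock their access. If that is the email address of a site administrator or someone on the Wordfence alert list, then they have been emailed instructions on how to regain access to this sytem. The instructions we sent will expire 30 minutes from now.</body></html>";
  exit();
  } else if($wfFunc == 'unlockAccess'){
- if(! wp_verify_nonce($_GET['nonce'], 'wp-unlock')){
- echo "Security token verification failed.";
- exit();
- }
  if(! preg_match('/^\d+\.\d+\.\d+\.\d+$/', get_transient('wfunlock_' . $_GET['key']))){
  echo "Invalid key provided for authentication.";
  exit();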
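Review bot: The "Your request was received" page in the `unlockEmail` branch interpolates `$email` (from `$_POST['email']`, only `trim()`med) into HTML unescaped, and with the `wp_verify_nonce()` check removed this branch now processes any POST from an unauthenticated visitor, including one submitted from another site. Escape the value where it is printed, e.g. build the message with `esc_html($email)` instead of the raw `\"$email\"`, and leave the unescaped value for the comparison against `user_email`. In the same branch the added `get_userdata($user->ID)` runs once per row of `$wpdb->users` on an unauthenticated request, so the work per request grows with the user table; selecting administrators by capability or limiting request frequency would bound it. `$_GET['_wfsf']` and `$_GET['key']` are also read without an `isset()` check. `veryFirstAction()` continues outside the hunks shown.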
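--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: mmaunder
  Tags: wordpress, security, wordpress security, security plugin, secure, anti-virus, malware, firewall, antivirus, virus, google safe browsing, phishing, scrapers, hacking, wordfence, securty, secrity, secure
  Requires at least: 3.3.1
  Tested up to: 3.3.2
- Stable tag: 1.5.5
+ Stable tag: 1.5.6
 
  Wordfence Security is a free enterprise class security plugin that includes a firewall, virus scanning, real-time traffic with geolocation and more.
 
@@ -152,6 +152,11 @@ or a theme, because often these have been updated to fix a security hole.
  5. If you're technically minded, this is the under-the-hood view of Wordfence options where you can fine-tune your security settings.
 
  == Changelog ==
+ = 1.5.6 =
+ * Removed use of nonces and purely using 30 minute key for unlocking emails.
+ * Fixed bug that caused admin emails to not get emailed when requesting unlocking email.
+ * Fixed minor issue with undefined array in issues loop.
+
  = 1.5.5 =
  * Added ability for admin's to unlock login and unblock their IP addresses if they're accidentally locked out by the firewall or login security. Uses two security tokens to prevent abuse.
  * Admins can now also disable firewall and login security from the unlock-me email, just in case of emergency.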
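--- a/wordfence.php
+++ b/wordfence.php
@@ -4,7 +4,7 @@ Plugin Name: Wordfence Security
  Plugin URI: http://wordfence.com/
  Description: Wordfence Security - Anti-virus and Firewall security plugin for WordPress
  Author: Mark Maunder
- Version: 1.5.5
+ Version: 1.5.6
  Author URI: http://wordfence.com/
  */
  require_once('lib/wordfenceConstants.php');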