Wordfence Security – Firewall & Malware Scan - Version 5.2.6

Version Description

  • Fixed bug that caused country blocking and redirecting to an external URL to not work if the external URL's relative path matched the current page's relative path.
  • Made it clear that country blocking URLs require absolute URLs.

Release Info

Developer mmaunder
Version 5.2.6

Code changes from version 5.2.5 to 5.2.6

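--- a/lib/menu_countryBlocking.php
+++ b/lib/menu_countryBlocking.php
@@ -38,7 +38,9 @@ WFAD.countryMap = <?php echo json_encode($wfBulkCountries); ?>;
 <option value="redir"<?php if(wfConfig::get('cbl_action') == 'redir'){ echo ' selected'; } ?>>Redirect to the URL below</option>
 </select>
 </td></tr>
-<tr><th>URL to redirect blocked users to:</th><td><input type="text" id="wfRedirURL" value="<?php if(wfConfig::get('cbl_redirURL')){ echo wp_kses(wfConfig::get('cbl_redirURL'), array()); } ?>" /></td></tr>
+<tr><th>URL to redirect blocked users to:</th><td><input type="text" id="wfRedirURL" size="40" value="<?php if(wfConfig::get('cbl_redirURL')){ echo wp_kses(wfConfig::get('cbl_redirURL'), array()); } ?>" />
+<br />
+<span style="color: #999;">Must start with http:// for example http://yoursite.com/blocked/</span></td></tr>
 <tr><th>Block countries even if they are logged in:</th><td><input type="checkbox" id="wfLoggedInBlocked" value="1" <?php if(wfConfig::get('cbl_loggedInBlocked')){ echo 'checked'; } ?> /></td></tr>
 <tr><th>Block access to the login form:</th><td><input type="checkbox" id="wfLoginFormBlocked" value="1" <?php if(wfConfig::get('cbl_loginFormBlocked')){ echo 'checked'; } ?> /></td></tr>
 <tr><th>Block access to the rest of the site (outside the login form):</th><td><input type="checkbox" id="wfRestOfSiteBlocked" value="1" <?php if(wfConfig::get('cbl_restOfSiteBlocked')){ echo 'checked'; } ?> /></td></tr>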
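Review bot: The `value` attribute of the rebuilt `wfRedirURL` input is still emitted through `wp_kses(..., array())`, which strips tags but does not encode a `"` in the stored value, so it is not an attribute-context escaper; `esc_attr(wfConfig::get('cbl_redirURL'))` is the WordPress function for this position. The stored value is admin-supplied, so the exposure is limited, but the correction is a one-token change. The new hint `Must start with http://` is also narrower than the matching code in `wfUtils::extractHostname`, which accepts `https?://`; consider `Must start with http:// or https://, for example http://yoursite.com/blocked/`.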
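--- a/lib/wfLog.php
+++ b/lib/wfLog.php
@@ -720,7 +720,12 @@ class wfLog {
 if(strtoupper($blocked) == strtoupper($country)){ //At this point we know the user has been blocked
 if(wfConfig::get('cbl_action') == 'redir'){
 $redirURL = wfConfig::get('cbl_redirURL');
-if(wfUtils::extractBareURI($redirURL) == $bareRequestURI){ //Is this the URI we want to redirect to, then don't block it
+$eRedirHost = wfUtils::extractHostname($redirURL);
+$isExternalRedir = false;
+if($eRedirHost && $eRedirHost != wfUtils::extractHostname(home_url())){ //It's an external redirect...
+$isExternalRedir = true;
+}
+if( (! $isExternalRedir) && wfUtils::extractBareURI($redirURL) == $bareRequestURI){ //Is this the URI we want to redirect to, then don't block it
 //Do nothing
 /* Uncomment the following if page components aren't loading for the page we redirect to.
 Uncommenting is not recommended because it means that anyone from a blocked country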
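Review bot: `$isExternalRedir` stays false whenever `wfUtils::extractHostname($redirURL)` returns false, so a redirect URL the helper cannot parse (a relative URL, or one with an explicit port, which the helper's pattern does not accept) silently falls back to the path-only comparison this commit is meant to bypass, and the original bug resurfaces for exactly those configurations. The host check also compares a string against a possible `false` with loose `!=`; `!==` makes the intent explicit: `if($eRedirHost && $eRedirHost !== wfUtils::extractHostname(home_url())){ //It's an external redirect...`. A comment above the check such as `// An unparseable redirect URL is treated as local and compared by path only` would document the fallback for the next reader. The enclosing `if` blocks and the method continue outside the hunk.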
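--- a/lib/wfUtils.php
+++ b/lib/wfUtils.php
@@ -173,9 +173,16 @@ class wfUtils {
 return false;
 }
 }
+public static function extractHostname($str){
+if(preg_match('/https?:\/\/([a-zA-Z0-9\.\-]+)(?:\/|$)/i', $str, $matches)){
+return strtolower($matches[1]);
+} else {
+return false;
+}
+}
 public static function getIP(){
 //For debugging.
-//return '105.2.33.57';
+//return '54.232.205.132';
 //return self::makeRandomIP();
 $howGet = wfConfig::get('howGetIPs', false);
 if($howGet){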
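Review bot: The pattern in the new `extractHostname()` is not anchored at the start of the string and rejects several well-formed URLs: the character class excludes `:` and `@`, and `(?:\/|$)` requires a slash or end of string right after the host, so `http://example.com:8080/`, `http://user@example.com/` and `http://example.com?x` all return false, while a string that merely contains `http://` somewhere after other text is accepted. The caller in wfLog.php treats false as "not external", so those inputs regress to the path-only comparison. `parse_url($str, PHP_URL_HOST)` handles these forms; keep an anchored `^https?://` check if only those schemes are meant to count. The method also lacks a docblock; add one stating that it returns the lowercased host of an http(s) URL, or false when none is found.
```php
public static function extractHostname($str){
	// Only http(s) URLs count; parse_url also handles ports, userinfo, query and fragment.
	if(! preg_match('/^https?:\/\//i', $str)){
		return false;
	}
	$host = parse_url($str, PHP_URL_HOST);
	return $host ? strtolower($host) : false;
}
```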
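--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: mmaunder
 Tags: wordpress, security, performance, speed, caching, cache, caching plugin, wordpress cache, wordpress caching, wordpress security, security plugin, secure, anti-virus, malware, firewall, antivirus, virus, google safe browsing, phishing, scrapers, hacking, wordfence, securty, secrity, secure, two factor, cellphone sign-in, cellphone signin, cellphone, twofactor, security, secure, htaccess, login, log, users, login alerts, lock, chmod, maintenance, plugin, private, privacy, protection, permissions, 503, base64, injection, code, encode, script, attack, hack, hackers, block, blocked, prevent, prevention, RFI, XSS, CRLF, CSRF, SQL Injection, vulnerability, website security, WordPress security, security log, logging, HTTP log, error log, login security, personal security, infrastructure security, firewall security, front-end security, web server security, proxy security, reverse proxy security, secure website, secure login, two factor security, maximum login security, heartbleed, heart bleed, heartbleed vulnerability, openssl vulnerability, nginx, litespeed, php5-fpm, woocommerce support, woocommerce caching
 Requires at least: 3.3.1
 Tested up to: 4.0
-Stable tag: 5.2.5
+Stable tag: 5.2.6
 
 Wordfence Security is a free enterprise class security and performance plugin that makes your site up to 50 times faster and more secure.
 
@@ -163,6 +163,10 @@ cause a security hole on your site.
 
 == Changelog ==
 
+= 5.2.6 =
+* Fixed bug that caused country blocking and redirecting to an external URL to not work if the external URL's relative path matched the current page's relative path.
+* Made it clear that country blocking URL's require absolute URL's.
+
 = 5.2.5 =
 * Security release. Update immediately. Thanks to Julio Potier.
 * Code hardening including improved sanitization and an additional nonce for unlock email form. Special thanks to Ryan Satterfield for the hard work.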
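--- a/wordfence.php
+++ b/wordfence.php
@@ -4,13 +4,13 @@ Plugin Name: Wordfence Security
 Plugin URI: http://www.wordfence.com/
 Description: Wordfence Security - Anti-virus, Firewall and High Speed Cache
 Author: Wordfence
-Version: 5.2.5
+Version: 5.2.6
 Author URI: http://www.wordfence.com/
 */
 if(defined('WP_INSTALLING') && WP_INSTALLING){
 return;
 }
-define('WORDFENCE_VERSION', '5.2.5');
+define('WORDFENCE_VERSION', '5.2.6');
 if(get_option('wordfenceActivated') != 1){
 add_action('activated_plugin','wordfence_save_activation_error'); function wordfence_save_activation_error(){ update_option('wf_plugin_act_error', ob_get_contents()); }
 }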