Wordfence Security – Firewall & Malware Scan - Version 6.1.9

Version Description

  • Fix: Using WP-CLI causes error Undefined index: SERVER_NAME.
  • Improvement: Hooked up restore/delete file scan tools to Filesystem API.
  • Fix: Reworked country blocking authentication check for access to XMLRPC.
  • Improvement: Added option to require cellphone sign-in on all admin accounts.
  • Improvement: Updated IPv6 GeoIP lite data.
  • Fix: Removed suPHP_ConfigPath from WAF installation process.
  • Fix: Prevent author names from being found through /wp-json/oembed.
  • Improvement: Added better solutions for fixing wordfence-waf.php, .user.ini, or .htaccess in scan.
  • Improvement: Added a way to view which files are currently used by the WAF and to remove them without reinstalling Wordfence.
  • Improvement: Changed rule compilation to use atomic writes.
  • Improvement: Removed security levels from Options page.
  • Improvement: Added option to disable ajaxwatcher (for whitelisting only for Admins) on the front end.

Release Info

Developer wfmatt
Version 6.1.9

Code changes from version 6.1.8 to 6.1.9

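--- a/css/main.css
+++ b/css/main.css
@@ -579,8 +579,16 @@ table.block-ranges-table tr td {
 border: 1px solid #ffd975;
 border-width: 1px 1px 1px 10px;
 }
+.wf-error {
+margin: 12px 0;
+padding: 8px;
+background-color: #fff0f0;
+border: 1px solid #dc3232;
+border-width: 1px 1px 1px 10px;
+}
 .wf-success-text,
-.wf-notice-text {
+.wf-notice-text,
+.wf-error-text {
 display: inline-block;
 vertical-align: middle;
 line-height: 1.3;
@@ -591,6 +599,9 @@ table.block-ranges-table tr td {
 .wf-notice-text {
 color: #6d798c;
 }
+.wf-error-text {
+color: #6d798c;
+}
 .wf-success-text {
 color: #11967A;
 }
@@ -1008,6 +1019,15 @@ table.whitelist-table .edit-mode input.whitelist-edit {
 font-size: 14px;
 line-height: 1.3;
 }
+.wordfence-waiting {
+line-height: 32px;
+}
+.wordfence-waiting img {
+vertical-align: middle;
+}
+.wordfence-waiting span {
+
+}
 
 pre.wf-pre {
 margin:8px 0 20px;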
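Review bot: `.wordfence-waiting span { }` added at lines 1028-1030 is an empty ruleset; either give it the declarations it was meant to carry or drop it, since an empty block only invites a later copy-paste. The new `.wf-error-text` rule at lines 602-604 repeats the `color: #6d798c;` of `.wf-notice-text` exactly, so an error message renders in the same grey as a notice; either pick a distinct colour for it or fold the selector into the `.wf-notice-text` rule at line 599 so there is one place to change.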
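--- /dev/null
+++ b/css/wordfenceBox.css
@@ -0,0 +1,169 @@
+/*
+ColorBox Core Style:
+The following CSS is consistent between example themes and should not be altered.
+*/
+#wordfenceBox, #wfboxOverlay, #wfboxWrapper{position:absolute; top:0; left:0; z-index:9999; overflow:hidden;}
+#wfboxOverlay{position:fixed; width:100%; height:100%;}
+#wfboxMiddleLeft, #wfboxBottomLeft{clear:left;}
+#wfboxContent{position:relative;}
+#wfboxLoadedContent{overflow:auto;}
+#wfboxTitle{margin:0;}
+#wfboxLoadingOverlay, #wfboxLoadingGraphic{position:absolute; top:0; left:0; width:100%;}
+#wfboxPrevious, #wfboxNext, #wfboxClose, #wfboxSlideshow{cursor:pointer;}
+.wfboxPhoto{float:left; margin:auto; border:0; display:block;}
+.wfboxIframe{width:100%; height:100%; display:block; border:0;}
+
+/*
+User Style:
+Change the following styles to modify the appearance of ColorBox. They are
+ordered & tabbed in a way that represents the nesting of the generated HTML.
+*/
+#wfboxOverlay{
+background: #777;
+background: -webkit-radial-gradient(rgba(120, 120, 120, 0.8), rgba(100, 100, 100, 0.8) 50%, rgba(70, 70, 70, 1));
+background: -moz-radial-gradient(rgba(120, 120, 120, 0.6), rgba(100, 100, 100, 0.8) 20%, rgba(70, 70, 70, 1));
+}
+#wordfenceBox {
+color: #444;
+font-family: "Open Sans", sans-serif;
+font-size: 13px;
+line-height: 1.4em;
+}
+#wfboxContent { background:#fff; overflow:hidden; padding: 0 0 8px; margin: 20px;
+-webkit-border-radius: 3px 3px 2px 2px; -moz-border-radius: 3px 3px 2px 2px; border-radius: 3px 3px 2px 2px; /* border radius */
+-webkit-box-shadow: 0 2px 4px rgba(0,0,0,.4); -moz-box-shadow: 0 2px 4px rgba(0,0,0,.4); box-shadow: 0 2px 4px rgba(0,0,0,.4); /* box shadow */
+-webkit-background-clip: padding-box; /* smoother borders with webkit */ }
+#wfboxError{padding:50px; border:1px solid #ccc;}
+#wfboxLoadedContent {
+/* margin-bottom:28px; */
+/* MDM added: */ margin: 10px 20px 28px 20px; font-family: Arial; color: #333;
+-webkit-border-radius: 2px 2px 0 0; -moz-border-radius: 2px 2px 0 0; border-radius: 2px 2px 0 0; /* border radius */
+}
+#wfboxTitle{position:absolute; bottom:8px; left:5px; text-align:center; width:100%; color:#949494;}
+#wfboxCurrent{position:absolute; bottom:8px; left:63px; color:#949494; text-indent: -9999px;}
+#wfboxSlideshow{position:absolute; bottom:8px; right:35px; color:#0092ef;}
+#wfboxPrevious{position:absolute; bottom:5px; left:5px; background:url(../images/lightbox-controls.png) no-repeat -75px 0; width:25px; height:25px; text-indent:-9999px;}
+#wfboxPrevious.hover{background-position:-75px -25px;}
+#wfboxNext{position:absolute; bottom:5px; left:32px; background:url(../images/lightbox-controls.png) no-repeat -50px 0; width:25px; height:25px; text-indent:-9999px;}
+#wfboxNext.hover{background-position:-50px -25px;}
+#wfboxLoadingOverlay{background:url(../images/loading_background.png) no-repeat center center;}
+#wfboxLoadingGraphic{background:url(../images/loading.gif) no-repeat center center;}
+#wfboxClose{position:absolute; bottom:5px; right:5px; background:url(../images/lightbox-controls.png) no-repeat -25px 0; width:25px; height:25px; text-indent:-9999px;}
+#wfboxClose.hover{background-position:-25px -25px;}
+
+/*
+The following fixes a problem where IE7+ replaces a PNG's alpha transparency with a black fill
+when an alpha filter (opacity change) is set on the element or ancestor element.
+*/
+.wfboxIE #wfboxTopLeft,
+.wfboxIE #wfboxTopCenter,
+.wfboxIE #wfboxTopRight,
+.wfboxIE #wfboxBottomLeft,
+.wfboxIE #wfboxBottomCenter,
+.wfboxIE #wfboxBottomRight,
+.wfboxIE #wfboxMiddleLeft,
+.wfboxIE #wfboxMiddleRight {
+filter: progid:DXImageTransform.Microsoft.gradient(startColorstr=#00FFFFFF,endColorstr=#00FFFFFF);
+}
+
+/*
+Enforce our styles over any theme styling
+*/
+#wordfenceBox, #wordfenceBox:before, #wordfenceBox:after {
+-webkit-box-sizing: content-box;
+-moz-box-sizing: content-box;
+box-sizing: content-box;
+}
+
+#wordfenceBox h1, #wordfenceBox h2, #wordfenceBox h3, #wordfenceBox h4, #wordfenceBox h5, #wordfenceBox h6 {
+display: block;
+font-weight: 600
+}
+
+#wordfenceBox h1 {
+font-size: 2em;
+margin: .67em 0
+}
+
+#wordfenceBox h2, #wordfenceBox h3 {
+font-size: 1.3em;
+margin: 1em 0
+}
+
+#wordfenceBox h1, #wordfenceBox h2, #wordfenceBox h3 {
+color: #23282d
+}
+
+#wordfenceBox p {
+font-size: 13px;
+line-height: 1.5;
+margin: 1em 0;
+}
+
+#wordfenceBox .textright {
+text-align: right;
+}
+
+#wordfenceBox .button, #wordfenceBox .button-primary, #wordfenceBox .button-secondary {
+display: inline-block;
+text-decoration: none;
+font-size: 13px;
+line-height: 26px;
+height: 28px;
+margin: 0;
+padding: 0 10px 1px;
+cursor: pointer;
+border-width: 1px;
+border-style: solid;
+-webkit-appearance: none;
+-webkit-border-radius: 3px;
+border-radius: 3px;
+white-space: nowrap;
+-webkit-box-sizing: border-box;
+-moz-box-sizing: border-box;
+box-sizing: border-box
+}
+
+#wordfenceBox .button, #wordfenceBox .button-secondary {
+color: #555;
+border-color: #ccc;
+background: #f7f7f7;
+-webkit-box-shadow: 0 1px 0 #ccc;
+box-shadow: 0 1px 0 #ccc;
+vertical-align: top
+}
+
+#wordfenceBox p .button {
+vertical-align: baseline;
+font-family: Arial, san-serif;
+font-weight: normal;
+text-transform: none;
+}
+
+#wordfenceBox p code {
+padding: 3px 5px 2px;
+margin: 0 1px;
+background: #eaeaea;
+background: rgba(0,0,0,.07);
+font-size: 13px;
+}
+
+#wordfenceBox .button-secondary:focus, #wordfenceBox .button-secondary:hover, #wordfenceBox .button.focus, #wordfenceBox .button.hover, #wordfenceBox .button:focus, #wordfenceBox .button:hover {
+background: #fafafa;
+border-color: #999;
+color: #23282d
+}
+
+#wordfenceBox a.wfboxhelp {
+float: left;
+background-image: url(../images/help.png);
+width: 12px;
+height: 12px;
+background-position: 0 0;
+background-repeat: no-repeat;
+padding: 0;
+margin: 9px 0px;
+text-decoration: none;
+display: inline-block;
+vertical-align: middle;
+}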
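Review bot: `font-family: Arial, san-serif;` on line 138 misspells the generic family keyword, so the fallback is silently dropped by every browser; it should read `font-family: Arial, sans-serif;`. The header comment on lines 1-4 identifies this file as ColorBox's core style under new `#wordfenceBox`/`#wfbox*` selectors, but nothing records which upstream version it was taken from or under what license, which is what a later reader needs to check it against upstream fixes; add one line such as `/* Derived from ColorBox <UPSTREAM VERSION> (MIT); selectors renamed to #wordfenceBox / #wfbox* */` at the top.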
images/loading_large.gif ADDED
Binary file
js/admin.ajaxWatcher.js CHANGED
@@ -1,4 +1,4 @@
1
- (function($) {
2
if (!window['wordfenceAJAXWatcher']) {
3
window['wordfenceAJAXWatcher'] = {
4
blockWarningOpen: false,
@@ -27,15 +27,15 @@
27
}
28
29
wordfenceAJAXWatcher.blockWarningOpen = true;
30
- $.colorbox({
31
closeButton: false,
32
width: '400px',
33
- html: "<h3>Background Request Blocked</h3><p>A background request to WordPress was just blocked for the URL <code>" + requestURLEscaped + "</code>. If this occurred as a result of an intentional action, you may consider whitelisting the request to allow it in the future.</p><p class=\"textright\"><a href=\"#\" class=\"button\" id=\"background-block-whitelist\">Whitelist this action</a> <a href=\"#\" class=\"button\" id=\"background-block-dismiss\">Dismiss</a></p>",
34
onComplete: function() {
35
$('#background-block-dismiss').click(function(event) {
36
event.preventDefault();
37
event.stopPropagation();
38
- $.colorbox.close();
39
});
40
41
$('#background-block-whitelist').click(function(event) {
@@ -50,11 +50,11 @@
50
global: false,
51
success: function() {
52
alert('The request has been whitelisted. Please try it again.');
53
- $.colorbox.close();
54
},
55
error: function() {
56
alert('An error occurred when adding the request to the whitelist.');
57
- $.colorbox.close();
58
}
59
});
60
}
@@ -71,4 +71,7 @@
71
$(function() {
72
wordfenceAJAXWatcher.init();
73
});
74
- })(jQuery);
1
+ (function($, document, window) {
2
if (!window['wordfenceAJAXWatcher']) {
3
window['wordfenceAJAXWatcher'] = {
4
blockWarningOpen: false,
27
}
28
29
wordfenceAJAXWatcher.blockWarningOpen = true;
30
+ $.wordfenceBox({
31
closeButton: false,
32
width: '400px',
33
+ html: "<h3>Background Request Blocked</h3><p>Wordfence Firewall blocked a background request to WordPress for the URL <code>" + requestURLEscaped + "</code>. If this occurred as a result of an intentional action, you may consider whitelisting the request to allow it in the future.</p><p class=\"textright\"><a href=\"https://docs.wordfence.com/en/Web_Application_Firewall_-_Blocked_Ajax_Requests\" target=\"_blank\" class=\"wfboxhelp\"></a><a href=\"#\" class=\"button\" id=\"background-block-whitelist\">Whitelist this action</a> <a href=\"#\" class=\"button\" id=\"background-block-dismiss\">Dismiss</a></p>",
34
onComplete: function() {
35
$('#background-block-dismiss').click(function(event) {
36
event.preventDefault();
37
event.stopPropagation();
38
+ $.wordfenceBox.close();
39
});
40
41
$('#background-block-whitelist').click(function(event) {
50
global: false,
51
success: function() {
52
alert('The request has been whitelisted. Please try it again.');
53
+ $.wordfenceBox.close();
54
},
55
error: function() {
56
alert('An error occurred when adding the request to the whitelist.');
57
+ $.wordfenceBox.close();
58
}
59
});
60
}
71
$(function() {
72
wordfenceAJAXWatcher.init();
73
});
74
+
75
+ }(jQuery, document, window));
76
+
77
+ !function(t,e,i){function n(i,n,o){var r=e.createElement(i);return n&&(r.id=Z+n),o&&(r.style.cssText=o),t(r)}function o(){return i.innerHeight?i.innerHeight:t(i).height()}function r(e,i){i!==Object(i)&&(i={}),this.cache={},this.el=e,this.value=function(e){var n;return void 0===this.cache[e]&&(n=t(this.el).attr("data-wfbox-"+e),void 0!==n?this.cache[e]=n:void 0!==i[e]?this.cache[e]=i[e]:void 0!==X[e]&&(this.cache[e]=X[e])),this.cache[e]},this.get=function(e){var i=this.value(e);return t.isFunction(i)?i.call(this.el,this):i}}function h(t){var e=W.length,i=(A+t)%e;return 0>i?e+i:i}function a(t,e){return Math.round((/%/.test(t)?("x"===e?E.width():o())/100:1)*parseInt(t,10))}function s(t,e){return t.get("photo")||t.get("photoRegex").test(e)}function l(t,e){return t.get("retinaUrl")&&i.devicePixelRatio>1?e.replace(t.get("photoRegex"),t.get("retinaSuffix")):e}function d(t){"contains"in x[0]&&!x[0].contains(t.target)&&t.target!==v[0]&&(t.stopPropagation(),x.focus())}function c(t){c.str!==t&&(x.add(v).removeClass(c.str).addClass(t),c.str=t)}function g(e){A=0,e&&e!==!1&&"nofollow"!==e?(W=t("."+tt).filter(function(){var i=t.data(this,Y),n=new r(this,i);return n.get("rel")===e}),A=W.index(_.el),-1===A&&(W=W.add(_.el),A=W.length-1)):W=t(_.el)}function u(i){t(e).trigger(i),at.triggerHandler(i)}function f(i){var o;if(!G){if(o=t(i).data(Y),_=new r(i,o),g(_.get("rel")),!U){U=$=!0,c(_.get("className")),x.css({visibility:"hidden",display:"block",opacity:""}),I=n(st,"LoadedContent","width:0; height:0; overflow:hidden; visibility:hidden"),b.css({width:"",height:""}).append(I),j=T.height()+k.height()+b.outerHeight(!0)-b.height(),D=C.width()+H.width()+b.outerWidth(!0)-b.width(),N=I.outerHeight(!0),z=I.outerWidth(!0);var 
h=a(_.get("initialWidth"),"x"),s=a(_.get("initialHeight"),"y"),l=_.get("maxWidth"),f=_.get("maxHeight");_.w=Math.max((l!==!1?Math.min(h,a(l,"x")):h)-z-D,0),_.h=Math.max((f!==!1?Math.min(s,a(f,"y")):s)-N-j,0),I.css({width:"",height:_.h}),J.position(),u(et),_.get("onOpen"),O.add(F).hide(),x.focus(),_.get("trapFocus")&&e.addEventListener&&(e.addEventListener("focus",d,!0),at.one(rt,function(){e.removeEventListener("focus",d,!0)})),_.get("returnFocus")&&at.one(rt,function(){t(_.el).focus()})}var p=parseFloat(_.get("opacity"));v.css({opacity:p===p?p:"",cursor:_.get("overlayClose")?"pointer":"",visibility:"visible"}).show(),_.get("closeButton")?P.html(_.get("close")).appendTo(b):P.appendTo("<div/>"),w()}}function p(){x||(V=!1,E=t(i),x=n(st).attr({id:Y,"class":t.support.opacity===!1?Z+"IE":"",role:"dialog",tabindex:"-1"}).hide(),v=n(st,"Overlay").hide(),L=t([n(st,"LoadingOverlay")[0],n(st,"LoadingGraphic")[0]]),y=n(st,"Wrapper"),b=n(st,"Content").append(F=n(st,"Title"),R=n(st,"Current"),K=t('<button type="button"/>').attr({id:Z+"Previous"}),B=t('<button type="button"/>').attr({id:Z+"Next"}),S=t('<button type="button"/>').attr({id:Z+"Slideshow"}),L),P=t('<button type="button"/>').attr({id:Z+"Close"}),y.append(n(st).append(n(st,"TopLeft"),T=n(st,"TopCenter"),n(st,"TopRight")),n(st,!1,"clear:left").append(C=n(st,"MiddleLeft"),b,H=n(st,"MiddleRight")),n(st,!1,"clear:left").append(n(st,"BottomLeft"),k=n(st,"BottomCenter"),n(st,"BottomRight"))).find("div div").css({"float":"left"}),M=n(st,!1,"position:absolute; width:9999px; visibility:hidden; display:none; max-width:none;"),O=B.add(K).add(R).add(S)),e.body&&!x.parent().length&&t(e.body).append(v,x.append(y,M))}function m(){function i(t){t.which>1||t.shiftKey||t.altKey||t.metaKey||t.ctrlKey||(t.preventDefault(),f(this))}return x?(V||(V=!0,B.click(function(){J.next()}),K.click(function(){J.prev()}),P.click(function(){J.close()}),v.click(function(){_.get("overlayClose")&&J.close()}),t(e).bind("keydown."+Z,function(t){var 
e=t.keyCode;U&&_.get("escKey")&&27===e&&(t.preventDefault(),J.close()),U&&_.get("arrowKey")&&W[1]&&!t.altKey&&(37===e?(t.preventDefault(),K.click()):39===e&&(t.preventDefault(),B.click()))}),t.isFunction(t.fn.on)?t(e).on("click."+Z,"."+tt,i):t("."+tt).live("click."+Z,i)),!0):!1}function w(){var e,o,r,h=J.prep,d=++lt;if($=!0,q=!1,u(ht),u(it),_.get("onLoad"),_.h=_.get("height")?a(_.get("height"),"y")-N-j:_.get("innerHeight")&&a(_.get("innerHeight"),"y"),_.w=_.get("width")?a(_.get("width"),"x")-z-D:_.get("innerWidth")&&a(_.get("innerWidth"),"x"),_.mw=_.w,_.mh=_.h,_.get("maxWidth")&&(_.mw=a(_.get("maxWidth"),"x")-z-D,_.mw=_.w&&_.w<_.mw?_.w:_.mw),_.get("maxHeight")&&(_.mh=a(_.get("maxHeight"),"y")-N-j,_.mh=_.h&&_.h<_.mh?_.h:_.mh),e=_.get("href"),Q=setTimeout(function(){L.show()},100),_.get("inline")){var c=t(e).eq(0);r=t("<div>").hide().insertBefore(c),at.one(ht,function(){r.replaceWith(c)}),h(c)}else _.get("iframe")?h(" "):_.get("html")?h(_.get("html")):s(_,e)?(e=l(_,e),q=_.get("createImg"),t(q).addClass(Z+"Photo").bind("error."+Z,function(){h(n(st,"Error").html(_.get("imgError")))}).one("load",function(){d===lt&&setTimeout(function(){var e;_.get("retinaImage")&&i.devicePixelRatio>1&&(q.height=q.height/i.devicePixelRatio,q.width=q.width/i.devicePixelRatio),_.get("scalePhotos")&&(o=function(){q.height-=q.height*e,q.width-=q.width*e},_.mw&&q.width>_.mw&&(e=(q.width-_.mw)/q.width,o()),_.mh&&q.height>_.mh&&(e=(q.height-_.mh)/q.height,o())),_.h&&(q.style.marginTop=Math.max(_.mh-q.height,0)/2+"px"),W[1]&&(_.get("loop")||W[A+1])&&(q.style.cursor="pointer",t(q).bind("click."+Z,function(){J.next()})),q.style.width=q.width+"px",q.style.height=q.height+"px",h(q)},1)}),q.src=e):e&&M.load(e,_.get("data"),function(e,i){d===lt&&h("error"===i?n(st,"Error").html(_.get("xhrError")):t(this).contents())})}var 
v,x,y,b,T,C,H,k,W,E,I,M,L,F,R,S,B,K,P,O,_,j,D,N,z,A,q,U,$,G,Q,J,V,X={html:!1,photo:!1,iframe:!1,inline:!1,transition:"elastic",speed:300,fadeOut:300,width:!1,initialWidth:"600",innerWidth:!1,maxWidth:!1,height:!1,initialHeight:"450",innerHeight:!1,maxHeight:!1,scalePhotos:!0,scrolling:!0,opacity:.9,preloading:!0,className:!1,overlayClose:!0,escKey:!0,arrowKey:!0,top:!1,bottom:!1,left:!1,right:!1,fixed:!1,data:void 0,closeButton:!0,fastIframe:!0,open:!1,reposition:!0,loop:!0,slideshow:!1,slideshowAuto:!0,slideshowSpeed:2500,slideshowStart:"start slideshow",slideshowStop:"stop slideshow",photoRegex:/\.(gif|png|jp(e|g|eg)|bmp|ico|webp|jxr|svg)((#|\?).*)?#x2F;i,retinaImage:!1,retinaUrl:!1,retinaSuffix:"@2x.$1",current:"image {current} of {total}",previous:"previous",next:"next",close:"close",xhrError:"This content failed to load.",imgError:"This image failed to load.",returnFocus:!0,trapFocus:!0,onOpen:!1,onLoad:!1,onComplete:!1,onCleanup:!1,onClosed:!1,rel:function(){return this.rel},href:function(){return t(this).attr("href")},title:function(){return this.title},createImg:function(){var e=new Image,i=t(this).data("cbox-img-attrs");return"object"==typeof i&&t.each(i,function(t,i){e[t]=i}),e},createIframe:function(){var i=e.createElement("iframe"),n=t(this).data("cbox-iframe-attrs");return"object"==typeof n&&t.each(n,function(t,e){i[t]=e}),"frameBorder"in i&&(i.frameBorder=0),"allowTransparency"in i&&(i.allowTransparency="true"),i.name=(new Date).getTime(),i.allowFullscreen=!0,i}},Y="wordfenceBox",Z="wfbox",tt=Z+"Element",et=Z+"_open",it=Z+"_load",nt=Z+"_complete",ot=Z+"_cleanup",rt=Z+"_closed",ht=Z+"_purge",at=t("<a/>"),st="div",lt=0,dt={},ct=function(){function t(){clearTimeout(h)}function e(){(_.get("loop")||W[A+1])&&(t(),h=setTimeout(J.next,_.get("slideshowSpeed")))}function i(){S.html(_.get("slideshowStop")).unbind(s).one(s,n),at.bind(nt,e).bind(it,t),x.removeClass(a+"off").addClass(a+"on")}function 
n(){t(),at.unbind(nt,e).unbind(it,t),S.html(_.get("slideshowStart")).unbind(s).one(s,function(){J.next(),i()}),x.removeClass(a+"on").addClass(a+"off")}function o(){r=!1,S.hide(),t(),at.unbind(nt,e).unbind(it,t),x.removeClass(a+"off "+a+"on")}var r,h,a=Z+"Slideshow_",s="click."+Z;return function(){r?_.get("slideshow")||(at.unbind(ot,o),o()):_.get("slideshow")&&W[1]&&(r=!0,at.one(ot,o),_.get("slideshowAuto")?i():n(),S.show())}}();t[Y]||(t(p),J=t.fn[Y]=t[Y]=function(e,i){var n,o=this;return e=e||{},t.isFunction(o)&&(o=t("<a/>"),e.open=!0),o[0]?(p(),m()&&(i&&(e.onComplete=i),o.each(function(){var i=t.data(this,Y)||{};t.data(this,Y,t.extend(i,e))}).addClass(tt),n=new r(o[0],e),n.get("open")&&f(o[0])),o):o},J.position=function(e,i){function n(){T[0].style.width=k[0].style.width=b[0].style.width=parseInt(x[0].style.width,10)-D+"px",b[0].style.height=C[0].style.height=H[0].style.height=parseInt(x[0].style.height,10)-j+"px"}var r,h,s,l=0,d=0,c=x.offset();if(E.unbind("resize."+Z),x.css({top:-9e4,left:-9e4}),h=E.scrollTop(),s=E.scrollLeft(),_.get("fixed")?(c.top-=h,c.left-=s,x.css({position:"fixed"})):(l=h,d=s,x.css({position:"absolute"})),d+=_.get("right")!==!1?Math.max(E.width()-_.w-z-D-a(_.get("right"),"x"),0):_.get("left")!==!1?a(_.get("left"),"x"):Math.round(Math.max(E.width()-_.w-z-D,0)/2),l+=_.get("bottom")!==!1?Math.max(o()-_.h-N-j-a(_.get("bottom"),"y"),0):_.get("top")!==!1?a(_.get("top"),"y"):Math.round(Math.max(o()-_.h-N-j,0)/2),x.css({top:c.top,left:c.left,visibility:"visible"}),y[0].style.width=y[0].style.height="9999px",r={width:_.w+z+D,height:_.h+N+j,top:l,left:d},e){var g=0;t.each(r,function(t){return r[t]!==dt[t]?void(g=e):void 0}),e=g}dt=r,e||x.css(r),x.dequeue().animate(r,{duration:e||0,complete:function(){n(),$=!1,y[0].style.width=_.w+z+D+"px",y[0].style.height=_.h+N+j+"px",_.get("reposition")&&setTimeout(function(){E.bind("resize."+Z,J.position)},1),t.isFunction(i)&&i()},step:n})},J.resize=function(t){var 
e;U&&(t=t||{},t.width&&(_.w=a(t.width,"x")-z-D),t.innerWidth&&(_.w=a(t.innerWidth,"x")),I.css({width:_.w}),t.height&&(_.h=a(t.height,"y")-N-j),t.innerHeight&&(_.h=a(t.innerHeight,"y")),t.innerHeight||t.height||(e=I.scrollTop(),I.css({height:"auto"}),_.h=I.height()),I.css({height:_.h}),e&&I.scrollTop(e),J.position("none"===_.get("transition")?0:_.get("speed")))},J.prep=function(i){function o(){return _.w=_.w||I.width(),_.w=_.mw&&_.mw<_.w?_.mw:_.w,_.w}function a(){return _.h=_.h||I.height(),_.h=_.mh&&_.mh<_.h?_.mh:_.h,_.h}if(U){var d,g="none"===_.get("transition")?0:_.get("speed");I.remove(),I=n(st,"LoadedContent").append(i),I.hide().appendTo(M.show()).css({width:o(),overflow:_.get("scrolling")?"auto":"hidden"}).css({height:a()}).prependTo(b),M.hide(),t(q).css({"float":"none"}),c(_.get("className")),d=function(){function i(){t.support.opacity===!1&&x[0].style.removeAttribute("filter")}var n,o,a=W.length;U&&(o=function(){clearTimeout(Q),L.hide(),u(nt),_.get("onComplete")},F.html(_.get("title")).show(),I.show(),a>1?("string"==typeof _.get("current")&&R.html(_.get("current").replace("{current}",A+1).replace("{total}",a)).show(),B[_.get("loop")||a-1>A?"show":"hide"]().html(_.get("next")),K[_.get("loop")||A?"show":"hide"]().html(_.get("previous")),ct(),_.get("preloading")&&t.each([h(-1),h(1)],function(){var i,n=W[this],o=new 
r(n,t.data(n,Y)),h=o.get("href");h&&s(o,h)&&(h=l(o,h),i=e.createElement("img"),i.src=h)})):O.hide(),_.get("iframe")?(n=_.get("createIframe"),_.get("scrolling")||(n.scrolling="no"),t(n).attr({src:_.get("href"),"class":Z+"Iframe"}).one("load",o).appendTo(I),at.one(ht,function(){n.src="//about:blank"}),_.get("fastIframe")&&t(n).trigger("load")):o(),"fade"===_.get("transition")?x.fadeTo(g,1,i):i())},"fade"===_.get("transition")?x.fadeTo(g,0,function(){J.position(0,d)}):J.position(g,d)}},J.next=function(){!amp;&W[1]&&(_.get("loop")||W[A+1])&&(A=h(1),f(W[A]))},J.prev=function(){!amp;&W[1]&&(_.get("loop")||A)&&(A=h(-1),f(W[A]))},J.close=function(){U&&!G&&(G=!0,U=!1,u(ot),_.get("onCleanup"),E.unbind("."+Z),v.fadeTo(_.get("fadeOut")||0,0),x.stop().fadeTo(_.get("fadeOut")||0,0,function(){x.hide(),v.hide(),u(ht),I.remove(),setTimeout(function(){G=!1,u(rt),_.get("onClosed")},1)}))},J.remove=function(){x&&(x.stop(),t[Y].close(),x.stop(!1,!0).remove(),v.remove(),G=!1,x=null,t("."+tt).removeData(Y).removeClass(tt),t(e).unbind("click."+Z).unbind("keydown."+Z))},J.element=function(){return t(_.el)},J.settings=X)}(jQuery,document,window);
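Review bot: The minified lightbox appended as line 77 is a renamed fork of ColorBox (its stylesheet says so), yet it carries no header naming the library, the upstream version or the license, so a reader cannot tell which upstream fixes it has or lacks; add a comment such as `/* Forked from ColorBox <UPSTREAM VERSION> (MIT), renamed to $.wordfenceBox so it cannot collide with a theme's copy of $.colorbox */` above it. The help link added to the `html` string on line 33 opens docs.wordfence.com with `target="_blank"` and no `rel` attribute, which hands the opened page a `window.opener` reference back to this admin page; `rel="noopener noreferrer"` on that anchor closes that. Line 77 as rendered here also shows entity garbling (`!amp;&` and `#x2F;i` where the source must have `!$&&` and `/i`), so it should be re-minified from a readable copy rather than copied from this view. The `$.wordfenceBox(...)` call on line 30 sits inside a method whose start and end lie outside the hunk.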
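--- a/js/admin.js
+++ b/js/admin.js
@@ -153,9 +153,6 @@
 }
 } else if (jQuery('#wordfenceMode_options').length > 0) {
 this.mode = 'options';
-jQuery('.wfConfigElem').change(function() {
-jQuery('#securityLevel').val('CUSTOM');
-});
 this.updateTicker(true);
 startTicker = true;
 if (this.needTour()) {
@@ -1030,7 +1027,11 @@
 issueID: issueID,
 forceDelete: force
 }, function(res) {
-self.doneDeleteFile(res);
+if (res.needsCredentials) {
+document.location.href = res.redirect;
+} else {
+self.doneDeleteFile(res);
+}
 });
 },
 doneDeleteFile: function(res) {
@@ -1154,7 +1155,11 @@
 this.ajax('wordfence_restoreFile', {
 issueID: issueID
 }, function(res) {
-self.doneRestoreFile(res);
+if (res.needsCredentials) {
+document.location.href = res.redirect;
+} else {
+self.doneRestoreFile(res);
+}
 });
 },
 doneRestoreFile: function(res) {
@@ -2102,7 +2107,9 @@
 }, function(res) {
 if (res.ok) {
 self.twoFacStatus('User added! Check the user\'s phone to get the activation code.');
-jQuery('<div id="twoFacCont_' + res.userID + '">' + jQuery('#wfTwoFacUserTmpl').tmpl(res).html() + '</div>').prependTo(jQuery('#wfTwoFacUsers'));
+var updatedTwoFac = jQuery('#wfTwoFacUserTmpl').tmpl({users: [res]});
+jQuery('#twoFactorUser-none').remove();
+jQuery('#wfTwoFacUsers > table > tbody:last-child').append(updatedTwoFac.find('tbody > tr'));
 }
 });
 },
@@ -2113,9 +2120,10 @@
 code: code
 }, function(res) {
 if (res.ok) {
-jQuery('#twoFacCont_' + res.userID).html(
-jQuery('#wfTwoFacUserTmpl').tmpl(res)
-);
+var updatedTwoFac = jQuery('#wfTwoFacUserTmpl').tmpl({users: [res]});
+updatedTwoFac.find('tbody > tr').each(function(index, element) {
+jQuery('#' + jQuery(element).attr('id')).replaceWith(element);
+});
 self.twoFacStatus('Cellphone Sign-in activated for user.');
 }
 });
@@ -2125,20 +2133,19 @@
 userID: userID
 }, function(res) {
 if (res.ok) {
-jQuery('#twoFacCont_' + res.userID).fadeOut(function() {
+jQuery('#twoFactorUser-' + res.userID).fadeOut(function() {
 jQuery(this).remove();
+
+if (jQuery('#wfTwoFacUsers > table > tbody:last-child').children().length == 0) {
+jQuery('#wfTwoFacUsers').html(jQuery('#wfTwoFacUserTmpl').tmpl({users: []}));
+}
 });
 }
 });
 },
 loadTwoFactor: function() {
 this.ajax('wordfence_loadTwoFactor', {}, function(res) {
-if (res.users && res.users.length > 0) {
-for (var i = 0; i < res.users.length; i++) {
-jQuery('<div id="twoFacCont_' + res.users[i].userID + '">' +
-jQuery('#wfTwoFacUserTmpl').tmpl(res.users[i]).html() + '</div>').appendTo(jQuery('#wfTwoFacUsers'));
-}
-}
+jQuery('#wfTwoFacUsers').html(jQuery('#wfTwoFacUserTmpl').tmpl(res));
 });
 },
 getQueryParam: function(name) {
@@ -2544,7 +2551,7 @@
 
 wafConfigureAutoPrepend: function() {
 var self = this;
-self.colorbox("400px", 'Backup .htaccess before continuing', 'We are about to change your <em>.htaccess</em> file. Please make a backup of this file proceeding'
+self.colorbox("400px", 'Backup .htaccess before continuing', 'We are about to change your <em>.htaccess</em> file. Please make a backup of this file before proceeding.'
 + '<br/>'
 + '<a href="' + WordfenceAdminVars.ajaxURL + '?action=wordfence_downloadHtaccess&nonce=' + self.nonce + '" onclick="jQuery(\'#wf-htaccess-confirm\').prop(\'disabled\', false); return true;">Click here to download a backup copy of your .htaccess file now</a>' +
 '<br /><br />' +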
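Review bot: The `res.needsCredentials` branch added at lines 1030-1034 navigates to `res.redirect` exactly as received, and the same four lines are repeated verbatim at 1158-1162 for restoreFile; the client has no way to tell where that URL points, so the assumption that it is a plugin-built admin URL (the nonce check on the scan page suggests `admin.php?page=Wordfence` is the intended target) should be written down in one place rather than implied twice. Factoring the branch into a small wrapper, as below, gives the assumption a home and keeps the two call sites to one line each, e.g. `}, self.filesystemResponseHandler(function(res) { self.doneDeleteFile(res); }));`. The `==` on line 2139 (`children().length == 0`) should be `=== 0` to match the strict comparisons used elsewhere in the file. Both ajax callbacks sit inside methods whose start lies outside their hunks.
```javascript
// Wraps a completion callback for the file-action ajax calls (deleteFile, restoreFile).
// A response carrying needsCredentials means the server could not write via the
// WP Filesystem API and is sending the admin to its credentials prompt; res.redirect is
// expected to be a plugin-generated admin URL — NOTE(review): confirm this server-side.
filesystemResponseHandler: function(done) {
    return function(res) {
        if (res.needsCredentials) {
            document.location.href = res.redirect;
            return;
        }
        done(res);
    };
},
// … unchanged: deleteFile / restoreFile ajax calls, each now passing
//     self.filesystemResponseHandler(function(res) { self.doneDeleteFile(res); })
//     (or doneRestoreFile) as the success callback …
```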
lib/GeoIPv6.dat ADDED
Binary file
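--- a/lib/menu_options.php
+++ b/lib/menu_options.php
@@ -1,9 +1,6 @@
 <?php
 $w = new wfConfig();
 ?>
-<script type="text/javascript">
-var WFSLevels = <?php echo json_encode(wfConfig::$securityLevels); ?>;
-</script>
 <div class="wordfenceModeElem" id="wordfenceMode_options"></div>
 <div class="wrap">
 <?php require( 'menuHeader.php' ); ?>
@@ -198,30 +195,6 @@ $w = new wfConfig();
 <tr>
 <th colspan="2">&nbsp;</th>
 </tr>
-<tr>
-<th>Security Level:<a href="http://docs.wordfence.com/en/Wordfence_options#Security_Level"
-target="_blank" class="wfhelp"></a></th>
-<td>
-<select id="securityLevel" name="securityLevel" onchange="WFAD.changeSecurityLevel(); return true;">
-<option value="0"<?php $w->sel( 'securityLevel', '0' ); ?>>Level 0: Disable all Wordfence
-security measures
-</option>
-<option value="1"<?php $w->sel( 'securityLevel', '1' ); ?>>Level 1: Light protection. Just the
-basics
-</option>
-<option value="2"<?php $w->sel( 'securityLevel', '2' ); ?>>Level 2: Medium protection. Suitable
-for most sites
-</option>
-<option value="3"<?php $w->sel( 'securityLevel', '3' ); ?>>Level 3: High security. Use this when
-an attack is imminent
-</option>
-<option value="4"<?php $w->sel( 'securityLevel', '4' ); ?>>Level 4: Lockdown. Protect the site
-against an attack in progress at the cost of inconveniencing some users
-</option>
-<option value="CUSTOM"<?php $w->sel( 'securityLevel', 'CUSTOM' ); ?>>Custom settings</option>
-</select>
-</td>
-</tr>
 <tr>
 <th>How does Wordfence get IPs:<a
 href="http://docs.wordfence.com/en/Wordfence_options#How_does_Wordfence_get_IPs" target="_blank"
@@ -836,7 +809,7 @@ $w = new wfConfig();
 name="loginSec_blockAdminReg" <?php $w->cb( 'loginSec_blockAdminReg' ); ?> /></td>
 </tr>
 <tr>
-<th>Prevent discovery of usernames through '/?author=N' scans<a
+<th>Prevent discovery of usernames through '/?author=N' scans and the oEmbed API<a
 href="http://docs.wordfence.com/en/Wordfence_options#Prevent_discovery_of_usernames_through_.27.3F.2Fauthor.3DN.27_scans"
 target="_blank" class="wfhelp"></a></th>
 <td><input type="checkbox" id="loginSec_disableAuthorScan" class="wfConfigElem"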
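Review bot: The removed `<select id="securityLevel" ... onchange="WFAD.changeSecurityLevel(); return true;">` (old lines 205-222) and the removed `WFSLevels` global (old line 5) were the only visible users of `WFAD.changeSecurityLevel` and `wfConfig::$securityLevels`, and the admin.js section of this release drops only the `.wfConfigElem` change handler; check that the JS function, the static array and any server-side handling of the `securityLevel` option are retired in the same release, or leave a comment saying why they stay. The relabelled option on line 812 now promises coverage of the oEmbed API while its help link on line 813 still points at the `/?author=N` anchor, so the documentation anchor should be updated alongside the label.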
lib/menu_scan.php CHANGED
@@ -3,6 +3,29 @@ $sigUpdateTime = wfConfig::get('signatureUpdateTime');
3
?>
4
<div class="wordfenceModeElem" id="wordfenceMode_scan"></div>
5
<div class="wrap wordfence">
6
<?php require('menuHeader.php'); ?>
7
<?php $pageTitle = "Wordfence Scan"; $helpLink="http://docs.wordfence.com/en/Wordfence_scanning"; $helpLabel="Learn more about scanning"; include('pageTitle.php'); ?>
8
<div class="wordfenceWrap">
@@ -171,6 +194,8 @@ $sigUpdateTime = wfConfig::get('signatureUpdateTime');
171
</div>
172
</div>
173
</div>
174
</div>
175
<script type="text/x-jquery-template" id="issueTmpl_configReadable">
176
<div>
@@ -912,6 +937,40 @@ $sigUpdateTime = wfConfig::get('signatureUpdateTime');
912
</div>
913
</div>
914
</script>
915
916
<script type="text/x-jquery-template" id="issueTmpl_spamvertizeCheck">
917
<div>
3
?>
4
<div class="wordfenceModeElem" id="wordfenceMode_scan"></div>
5
<div class="wrap wordfence">
6
+
7
+ <?php
8
+ $nonce = filter_input(INPUT_GET, 'nonce', FILTER_SANITIZE_STRING);
9
+ if (!empty($promptForCredentials) && !empty($wpFilesystemActionCallback) && is_callable($wpFilesystemActionCallback)):
10
+ if (wp_verify_nonce($nonce, 'wp-ajax')) {
11
+ $relaxedOwnership = true;
12
+ $homePath = get_home_path();
13
+
14
+ if (!wordfence::requestFilesystemCredentials($filesystemCredentialsAdminURL, $homePath, $relaxedOwnership, true)) {
15
+ echo '</div>';
16
+ return;
17
+ }
18
+
19
+ call_user_func_array($wpFilesystemActionCallback,
20
+ !empty($wpFilesystemActionCallbackArgs) && is_array($wpFilesystemActionCallbackArgs) ? $wpFilesystemActionCallbackArgs : array());
21
+ } else {
22
+ printf("Security token has expired. Click <a href='%s'>here</a> to return to the scan page.", esc_url(network_admin_url('admin.php?page=Wordfence')));
23
+ }
24
+
25
+ ?>
26
+
27
+ <?php else: ?>
28
+
29
<?php require('menuHeader.php'); ?>
30
<?php $pageTitle = "Wordfence Scan"; $helpLink="http://docs.wordfence.com/en/Wordfence_scanning"; $helpLabel="Learn more about scanning"; include('pageTitle.php'); ?>
31
<div class="wordfenceWrap">
194
</div>
195
</div>
196
</div>
197
+ <?php endif ?>
198
+
199
</div>
200
<script type="text/x-jquery-template" id="issueTmpl_configReadable">
201
<div>
937
</div>
938
</div>
939
</script>
940
+ <script type="text/x-jquery-template" id="issueTmpl_checkGSB">
941
+ <div>
942
+ <div class="wfIssue">
943
+ <h2>${shortMsg}</h2>
944
+ <p>
945
+ <table border="0" class="wfIssue" cellspacing="0" cellpadding="0">
946
+ {{if ((typeof data.badURL !== 'undefined') && data.badURL)}}
947
+ <tr><th>Bad URL:</th><td><strong class="wfWarn">${data.badURL}</strong></td></tr>
948
+ {{/if}}
949
+ <tr><th>Issue first detected:</th><td>${timeAgo} ago.</td></tr>
950
+ <tr><th>Severity:</th><td>{{if severity == '1'}}Critical{{else}}Warning{{/if}}</td></tr>
951
+ <tr><th>Status</th><td>
952
+ {{if status == 'new' }}New{{/if}}
953
+ {{if status == 'ignoreC' }}This issue will be ignored until it changes.{{/if}}
954
+ {{if status == 'ignoreP' }}This issue is permanently ignored.{{/if}}
955
+ </td></tr>
956
+ </table>
957
+ </p>
958
+ <p>
959
+ {{html longMsg}}
960
+ </p>
961
+ <div class="wfIssueOptions">
962
+ {{if status == 'new'}}
963
+ <strong>Resolve:</strong>
964
+ <a href="#" onclick="WFAD.updateIssueStatus('${id}', 'delete'); return false;">I have fixed this issue</a>
965
+ <a href="#" onclick="WFAD.updateIssueStatus('${id}', 'ignoreP'); return false;">Ignore this problem</a>
966
+ {{/if}}
967
+ {{if status == 'ignoreP' || status == 'ignoreC'}}
968
+ <a href="#" onclick="WFAD.updateIssueStatus('${id}', 'delete'); return false;">Stop ignoring this issue</a>
969
+ {{/if}}
970
+ </div>
971
+ </div>
972
+ </div>
973
+ </script>
974
975
<script type="text/x-jquery-template" id="issueTmpl_spamvertizeCheck">
976
<div>
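Review bot: The nonce check at new line 10 verifies against the generic action `'wp-ajax'`, so a nonce minted for any of Wordfence's ordinary AJAX requests also satisfies the gate in front of the file restore/delete callback; bind it to the specific filesystem action instead, so the token is only valid for the operation the page was opened for. Nothing in the hunk checks the current user's capability before `call_user_func_array` runs at new line 19; if the page that includes this template does not already do so, `current_user_can()` belongs in the same condition as the nonce check. `$wpFilesystemActionCallback` and `$wpFilesystemActionCallbackArgs` are invoked as supplied and the template cannot show where they are set, so a comment at new line 9 such as `// Set by the including controller from its fixed set of handlers; never derived from request data` would make the trust boundary explicit. `FILTER_SANITIZE_STRING` at new line 8 is deprecated as of PHP 8.1 and adds nothing for a value that is only ever compared by `wp_verify_nonce`; `FILTER_DEFAULT` is sufficient.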
lib/menu_twoFactor.php CHANGED
@@ -27,42 +27,75 @@
27
<?php } ?>
28
29
<div class="wordfenceWrap" style="margin: 20px 20px 20px 30px;">
30
- <p style="width: 500px;">
31
- </p>
32
- <p>
33
- <table border="0">
34
<tr><td>Enter a username to enable Cellphone Sign-in:</td><td><input type="text" id="wfUsername" value="" size="20" /></td></tr>
35
- <tr><td>Enter a phone number where the code will be sent:</td><td><input type="text" id="wfPhone" value="" size="20" />Format: +1-123-555-5034</td></tr>
36
- <tr><td colspan="2"><input type="button" value="Enable Cellphone Sign-in" onclick="WFAD.addTwoFactor(jQuery('#wfUsername').val(), jQuery('#wfPhone').val());" /></td></tr>
37
- </table>
38
- </p>
39
<div style="height: 20px;">
40
<div id="wfTwoFacMsg" style="color: #F00;">
41
&nbsp;
42
</div>
43
</div>
44
<div id="wfTwoFacUsers">
45
46
</div>
47
</div>
48
</div>
49
50
<script type="text/x-jquery-template" id="wfTwoFacUserTmpl">
51
- <div>
52
- <table border="0"><tr>
53
- <td style="width: 100px;">${username}</td>
54
- <td style="width: 150px;">${phone}</td>
55
- <td>
56
- {{if status == 'activated'}}
57
- <span style="color: #0A0;">Cellphone Sign-in Enabled</span>
58
- {{else}}
59
- Enter activation code:<input type="text" id="wfActivate" size="4" /><input type="button" value="Activate" onclick="WFAD.twoFacActivate('${userID}', jQuery('#wfActivate').val());" />
60
- {{/if}}
61
- </td>
62
- <td>&nbsp;&nbsp;&nbsp;<a href="#" onclick="WFAD.delTwoFac('${userID}'); return false;">[Delete]</a></td>
63
- </tr>
64
</table>
65
- </div>
66
</script>
67
<script type="text/x-jquery-template" id="wfWelcomeTwoFactor">
68
<div>
27
<?php } ?>
28
29
<div class="wordfenceWrap" style="margin: 20px 20px 20px 30px;">
30
+ <h2>Enable Cellphone Sign-in</h2>
31
+ <p><em>Our Cellphone Sign-in uses a technique called "Two Factor Authentication" which is used by banks, government agencies and military world-wide as one of the most secure forms of remote system authentication. We recommend you enable Cellphone Sign-in for all Administrator level accounts.</em></p>
32
+ <table class="wfConfigForm">
33
<tr><td>Enter a username to enable Cellphone Sign-in:</td><td><input type="text" id="wfUsername" value="" size="20" /></td></tr>
34
+ <tr><td>Enter a phone number where the code will be sent:</td><td><input type="text" id="wfPhone" value="" size="20" /> Format: +1-123-555-5034</td></tr>
35
+ <tr><td colspan="2"><input type="button" class="button button-primary" value="Enable Cellphone Sign-in" onclick="WFAD.addTwoFactor(jQuery('#wfUsername').val(), jQuery('#wfPhone').val());" /></td></tr>
36
+ </table>
37
<div style="height: 20px;">
38
<div id="wfTwoFacMsg" style="color: #F00;">
39
&nbsp;
40
</div>
41
</div>
42
+
43
+ <h2>Cellphone Sign-in Users</h2>
44
<div id="wfTwoFacUsers">
45
46
</div>
47
+
48
+ <br>
49
+
50
+ <h2>Security Options</h2>
51
+ <table class="wfConfigForm">
52
+ <tr>
53
+ <td><input type="checkbox" id="loginSec_requireAdminTwoFactor" name="loginSec_requireAdminTwoFactor"<?php echo wfConfig::get('loginSec_requireAdminTwoFactor') ? ' checked' : ''; ?>></td>
54
+ <th>Require Cellphone Sign-in for all Administrators<a href="<?php echo $helpLink; ?>" target="_blank" class="wfhelp"></a><br>
55
+ <em>This setting requires at least one administrator to have Cellphone Sign-in enabled. On multisite, this option applies only to super admins.</em></th>
56
+ </tr>
57
+ </table>
58
+
59
+ <script type="text/javascript">
60
+ jQuery('#loginSec_requireAdminTwoFactor').on('click', function() {
61
+ WFAD.updateConfig('loginSec_requireAdminTwoFactor', jQuery('#loginSec_requireAdminTwoFactor').is(':checked') ? 1 : 0, function() {});
62
+ })
63
+ </script>
64
</div>
65
</div>
66
67
<script type="text/x-jquery-template" id="wfTwoFacUserTmpl">
68
+ <table class="wf-table">
69
+ <thead>
70
+ <tr>
71
+ <th style="width: 80px;"></th>
72
+ <th style="width: 100px;">User</th>
73
+ <th style="width: 150px;">Phone Number</th>
74
+ <th>Status</th>
75
+ </tr>
76
+ </thead>
77
+ <tbody>
78
+ {{each(idx, user) users}}
79
+ <tr id="twoFactorUser-${user.userID}">
80
+ <td style="white-space: nowrap; text-align: center;"><a href="#" class="button" onclick="WFAD.delTwoFac('${user.userID}'); return false;">Delete</a></td>
81
+ <td style="white-space: nowrap;">${user.username}</td>
82
+ <td style="white-space: nowrap;">${user.phone}</td>
83
+ <td style="white-space: nowrap;">
84
+ {{if user.status == 'activated'}}
85
+ <span style="color: #0A0;">Cellphone Sign-in Enabled</span>
86
+ {{else}}
87
+ Enter activation code: <input type="text" id="wfActivate-${user.userID}" size="6" /><input type="button" value="Activate" onclick="WFAD.twoFacActivate('${user.userID}', jQuery('#wfActivate-${user.userID}').val());" />
88
+ {{/if}}
89
+ </td>
90
+ </tr>
91
+ {{/each}}
92
+ {{if (users.length == 0)}}
93
+ <tr id="twoFactorUser-none">
94
+ <td colspan="4">No users currently have cellphone sign-in enabled.</td>
95
+ </tr>
96
+ {{/if}}
97
+ </tbody>
98
</table>
99
</script>
100
<script type="text/x-jquery-template" id="wfWelcomeTwoFactor">
101
<div>
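Review bot: The handler at new lines 60–62 passes an empty success callback to `WFAD.updateConfig` and never inspects the result, so if the save fails the checkbox stays checked while `loginSec_requireAdminTwoFactor` is unchanged on the server — for a setting whose own description says it can affect administrator sign-in, the UI should reflect the server response (re-read the stored value or revert the box), and the statement is also missing its terminating semicolon after `})`. The precondition stated at new line 55 ("requires at least one administrator to have Cellphone Sign-in enabled") is not enforced anywhere in this hunk; if it lives server-side in the config update path, a one-line comment above the script saying so would help the next reader, and if it does not, it has to be enforced there rather than left to the UI text. Separately, `$helpLink` at new line 54 is echoed raw into an `href`; use `<?php echo esc_url($helpLink); ?>`.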
lib/menu_waf.php CHANGED
@@ -2,6 +2,7 @@
2
$waf = wfWAF::getInstance();
3
$config = $waf->getStorageEngine();
4
$wafConfigURL = network_admin_url('admin.php?page=WordfenceWAF&wafAction=configureAutoPrepend');
5
/** @var array $wafData */
6
?>
7
<div class="wrap" id="paidWrap">
@@ -47,9 +48,15 @@ $wafConfigURL = network_admin_url('admin.php?page=WordfenceWAF&wafAction=configu
47
<?php elseif (!empty($wafActionContent)): ?>
48
<?php echo $wafActionContent ?>
49
50
- <p class="wf-notice"><em>If you cannot complete the setup process,
51
<a target="_blank" href="https://docs.wordfence.com/en/Web_Application_Firewall_Setup">click here for
52
help</a>.</em></p>
53
54
<?php else: ?>
55
@@ -246,6 +253,23 @@ $wafConfigURL = network_admin_url('admin.php?page=WordfenceWAF&wafAction=configu
246
</p>
247
248
<div id="waf-whitelisted-urls-wrapper"></div>
249
</div>
250
<?php endif ?>
251
<?php endif ?>
@@ -703,7 +727,16 @@ $wafConfigURL = network_admin_url('admin.php?page=WordfenceWAF&wafAction=configu
703
ruleEnabled: enabled
704
});
705
});
706
-
707
})(jQuery);
708
</script>
709
2
$waf = wfWAF::getInstance();
3
$config = $waf->getStorageEngine();
4
$wafConfigURL = network_admin_url('admin.php?page=WordfenceWAF&wafAction=configureAutoPrepend');
5
+ $wafRemoveURL = network_admin_url('admin.php?page=WordfenceWAF&wafAction=removeAutoPrepend');
6
/** @var array $wafData */
7
?>
8
<div class="wrap" id="paidWrap">
48
<?php elseif (!empty($wafActionContent)): ?>
49
<?php echo $wafActionContent ?>
50
51
+ <?php if (!empty($_REQUEST['wafAction']) && $_REQUEST['wafAction'] == 'removeAutoPrepend'): ?>
52
+ <p class="wf-notice"><em>If you cannot complete the uninstallation process,
53
+ <a target="_blank" href="https://docs.wordfence.com/en/Web_Application_Firewall_FAQ#How_can_I_remove_the_firewall_setup_manually.3F">click here for
54
+ help</a>.</em></p>
55
+ <?php else: ?>
56
+ <p class="wf-notice"><em>If you cannot complete the setup process,
57
<a target="_blank" href="https://docs.wordfence.com/en/Web_Application_Firewall_Setup">click here for
58
help</a>.</em></p>
59
+ <?php endif ?>
60
61
<?php else: ?>
62
253
</p>
254
255
<div id="waf-whitelisted-urls-wrapper"></div>
256
+
257
+ <p id="whitelist-monitor">
258
+ <strong>Monitor Background Requests for False Positives:</strong><br>
259
+ <label><input type="checkbox" id="monitor-front" name="monitor-front" value="1"<?php echo wfConfig::get('ajaxWatcherDisabled_front') ? '' : ' checked'; ?>>Front</label> &nbsp; <label><input type="checkbox" id="monitor-admin" name="monitor-admin" value="1"<?php echo wfConfig::get('ajaxWatcherDisabled_admin') ? '' : ' checked'; ?>>Admin Panel</label>
260
+ </p>
261
+ <br>
262
+
263
+ <?php if (WFWAF_AUTO_PREPEND) : ?>
264
+ <h2>Advanced Configuration</h2>
265
+
266
+ <p><strong>Remove Extended Protection<a href="https://docs.wordfence.com/en/Web_Application_Firewall_FAQ#How_can_I_remove_the_firewall_setup_manually.3F" target="_blank"
267
+ class="wfhelp"></a></strong><br>
268
+
269
+ <em>If you're moving to a new host or a new installation location, you may need to temporarily disable extended protection to avoid any file not found errors. Use this action to remove the configuration changes that enable extended protection mode or you can <a href="https://docs.wordfence.com/en/Web_Application_Firewall_FAQ#How_can_I_remove_the_firewall_setup_manually.3F" target="_blank">remove them manually</a>.</em></p>
270
+
271
+ <p><a href="<?php echo $wafRemoveURL; ?>" class="button button-small" id="waf-remove-extended">Remove Extended Protection</a></p>
272
+ <?php endif ?>
273
</div>
274
<?php endif ?>
275
<?php endif ?>
727
ruleEnabled: enabled
728
});
729
});
730
+
731
+ $('#monitor-front').on('click', function() {
732
+ var disabled = this.checked ? 0 : 1;
733
+ WFAD.updateConfig('ajaxWatcherDisabled_front', disabled);
734
+ })
735
+
736
+ $('#monitor-admin').on('click', function() {
737
+ var disabled = this.checked ? 0 : 1;
738
+ WFAD.updateConfig('ajaxWatcherDisabled_admin', disabled);
739
+ })
740
})(jQuery);
741
</script>
742
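Review bot: `$wafRemoveURL` (new line 5) is echoed unescaped into the `href` at new line 271 and is a plain GET link that triggers removal of the auto-prepend configuration; the hunk carries no nonce, so unless the `removeAutoPrepend` handler (outside this file) verifies one, the link is reachable by cross-site request forgery — wrap it with `wp_nonce_url()` using whatever action that handler checks and print it as `<?php echo esc_url($wafRemoveURL); ?>`. The branch at new line 51 reads `$_REQUEST['wafAction']` with `==`; since the URL carries the action in the query string, `$_GET` with `===` is the precise check and keeps cookie or POST values from satisfying it. The two `.on('click', …)` handlers at new lines 731–739 are identical except for the config key and both lack a trailing semicolon; a small `function bindMonitor(id, key) { … }` helper would keep them in step, though that is style only.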
lib/wfAPI.php CHANGED
@@ -118,12 +118,13 @@ class wfAPI {
118
}
119
}
120
return self::buildQuery(array(
121
- 'v' => $this->wordpressVersion,
122
- 's' => $siteurl,
123
- 'k' => $this->APIKey,
124
- 'openssl' => function_exists('openssl_verify') && defined('OPENSSL_VERSION_NUMBER') ? OPENSSL_VERSION_NUMBER : '0.0.0',
125
- 'phpv' => phpversion(),
126
- 'betaFeed' => (int) wfConfig::get('betaThreatDefenseFeed'),
127
));
128
}
129
118
}
119
}
120
return self::buildQuery(array(
121
+ 'v' => $this->wordpressVersion,
122
+ 's' => $siteurl,
123
+ 'k' => $this->APIKey,
124
+ 'openssl' => function_exists('openssl_verify') && defined('OPENSSL_VERSION_NUMBER') ? OPENSSL_VERSION_NUMBER : '0.0.0',
125
+ 'phpv' => phpversion(),
126
+ 'betaFeed' => (int) wfConfig::get('betaThreatDefenseFeed'),
127
+ 'cacheType' => wfConfig::get('cacheType'),
128
));
129
}
130
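Review bot: The new `'cacheType'` entry at new line 127 is the only value in this array that is neither cast nor given a fallback; `wfConfig::get()` yields `false` for a key that has never been set (the same sentinel `setDefaults` in wfConfig.php tests with `=== false`), so on an install where `cacheType` is not among the defaults a boolean rather than a string reaches `buildQuery` — `'cacheType' => (string) wfConfig::get('cacheType'),` makes the wire value explicit (an unset key becomes `''`). Since this also adds one more site detail to what is sent to the remote API on every call, a short comment naming why the server needs it would help anyone reviewing the data sent off-site. The enclosing method's signature is outside the hunk.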
lib/wfConfig.php CHANGED
@@ -8,482 +8,111 @@ class wfConfig {
8
private static $DB = false;
9
private static $tmpFileHeader = "<?php\n/* Wordfence temporary file security header */\necho \"Nothing to see here!\\n\"; exit(0);\n?>";
10
private static $tmpDirCache = false;
11
- public static $securityLevels = array(
12
- array( //level 0
13
- "checkboxes" => array(
14
- "alertOn_critical" => false,
15
- "alertOn_update" => false,
16
- "alertOn_warnings" => false,
17
- "alertOn_throttle" => false,
18
- "alertOn_block" => false,
19
- "alertOn_loginLockout" => false,
20
- "alertOn_lostPasswdForm" => false,
21
- "alertOn_adminLogin" => false,
22
- "alertOn_nonAdminLogin" => false,
23
- "liveTrafficEnabled" => true,
24
- "advancedCommentScanning" => false,
25
- "checkSpamIP" => false,
26
- "spamvertizeCheck" => false,
27
- "liveTraf_ignorePublishers" => true,
28
- //"perfLoggingEnabled" => false,
29
- "scheduledScansEnabled" => false,
30
- "scansEnabled_public" => false,
31
- "scansEnabled_heartbleed" => true,
32
- "scansEnabled_core" => false,
33
- "scansEnabled_themes" => false,
34
- "scansEnabled_plugins" => false,
35
- "scansEnabled_malware" => false,
36
- "scansEnabled_fileContents" => false,
37
- "scansEnabled_posts" => false,
38
- "scansEnabled_comments" => false,
39
- "scansEnabled_passwds" => false,
40
- "scansEnabled_diskSpace" => false,
41
- "scansEnabled_options" => false,
42
- "scansEnabled_wpscan_fullPathDisclosure" => true,
43
- "scansEnabled_wpscan_directoryListingEnabled" => true,
44
- "scansEnabled_dns" => false,
45
- "scansEnabled_scanImages" => false,
46
- "scansEnabled_highSense" => false,
47
- "scansEnabled_oldVersions" => false,
48
- "scansEnabled_suspiciousAdminUsers" => false,
49
- "firewallEnabled" => false,
50
- "blockFakeBots" => false,
51
- "autoBlockScanners" => false,
52
- "loginSecurityEnabled" => false,
53
- "loginSec_lockInvalidUsers" => false,
54
- "loginSec_maskLoginErrors" => false,
55
- "loginSec_blockAdminReg" => false,
56
- "loginSec_disableAuthorScan" => false,
57
- "other_hideWPVersion" => false,
58
- "other_noAnonMemberComments" => false,
59
- "other_blockBadPOST" => false,
60
- "other_scanComments" => false,
61
- "other_pwStrengthOnUpdate" => false,
62
- "other_WFNet" => true,
63
- "other_scanOutside" => false,
64
- "deleteTablesOnDeact" => false,
65
- "autoUpdate" => false,
66
- "disableCookies" => false,
67
- "startScansRemotely" => false,
68
- "disableConfigCaching" => false,
69
- "addCacheComment" => false,
70
- "disableCodeExecutionUploads" => false,
71
- "allowHTTPSCaching" => false,
72
- "debugOn" => false,
73
- 'email_summary_enabled' => true,
74
- 'email_summary_dashboard_widget_enabled' => true,
75
- 'ssl_verify' => true,
76
- ),
77
- "otherParams" => array(
78
- 'securityLevel' => '0',
79
- "alertEmails" => "", "liveTraf_ignoreUsers" => "", "liveTraf_ignoreIPs" => "", "liveTraf_ignoreUA" => "", "apiKey" => "", "maxMem" => '256', 'scan_exclude' => '', 'whitelisted' => '', 'bannedURLs' => '', 'maxExecutionTime' => '', 'howGetIPs' => '', 'actUpdateInterval' => '', 'alert_maxHourly' => 0, 'loginSec_userBlacklist' => '',
80
- 'liveTraf_maxRows' => 2000,
81
- "neverBlockBG" => "neverBlockVerified",
82
- "loginSec_countFailMins" => "5",
83
- "loginSec_lockoutMins" => "5",
84
- 'loginSec_strongPasswds' => '',
85
- 'loginSec_maxFailures' => "500",
86
- 'loginSec_maxForgotPasswd' => "500",
87
- 'maxGlobalRequests' => "DISABLED",
88
- 'maxGlobalRequests_action' => "throttle",
89
- 'maxRequestsCrawlers' => "DISABLED",
90
- 'maxRequestsCrawlers_action' => "throttle",
91
- 'maxRequestsHumans' => "DISABLED",
92
- 'maxRequestsHumans_action' => "throttle",
93
- 'max404Crawlers' => "DISABLED",
94
- 'max404Crawlers_action' => "throttle",
95
- 'max404Humans' => "DISABLED",
96
- 'max404Humans_action' => "throttle",
97
- 'maxScanHits' => "DISABLED",
98
- 'maxScanHits_action' => "throttle",
99
- 'blockedTime' => "300",
100
- 'email_summary_interval' => 'biweekly',
101
- 'email_summary_excluded_directories' => 'wp-content/cache,wp-content/wfcache,wp-content/plugins/wordfence/tmp',
102
- 'allowed404s' => "/favicon.ico\n/apple-touch-icon*.png\n/*@2x.png",
103
- )
104
),
105
- array( //level 1
106
- "checkboxes" => array(
107
- "alertOn_critical" => true,
108
- "alertOn_update" => false,
109
- "alertOn_warnings" => false,
110
- "alertOn_throttle" => false,
111
- "alertOn_block" => true,
112
- "alertOn_loginLockout" => true,
113
- "alertOn_lostPasswdForm" => false,
114
- "alertOn_adminLogin" => true,
115
- "alertOn_nonAdminLogin" => false,
116
- "liveTrafficEnabled" => true,
117
- "advancedCommentScanning" => false,
118
- "checkSpamIP" => false,
119
- "spamvertizeCheck" => false,
120
- "liveTraf_ignorePublishers" => true,
121
- //"perfLoggingEnabled" => false,
122
- "scheduledScansEnabled" => true,
123
- "scansEnabled_public" => false,
124
- "scansEnabled_heartbleed" => true,
125
- "scansEnabled_core" => true,
126
- "scansEnabled_themes" => false,
127
- "scansEnabled_plugins" => false,
128
- "scansEnabled_malware" => true,
129
- "scansEnabled_fileContents" => true,
130
- "scansEnabled_posts" => true,
131
- "scansEnabled_comments" => true,
132
- "scansEnabled_passwds" => true,
133
- "scansEnabled_diskSpace" => true,
134
- "scansEnabled_options" => true,
135
- "scansEnabled_wpscan_fullPathDisclosure" => true,
136
- "scansEnabled_wpscan_directoryListingEnabled" => true,
137
- "scansEnabled_dns" => true,
138
- "scansEnabled_scanImages" => false,
139
- "scansEnabled_highSense" => false,
140
- "scansEnabled_oldVersions" => true,
141
- "scansEnabled_suspiciousAdminUsers" => true,
142
- "firewallEnabled" => true,
143
- "blockFakeBots" => false,
144
- "autoBlockScanners" => true,
145
- "loginSecurityEnabled" => true,
146
- "loginSec_lockInvalidUsers" => false,
147
- "loginSec_maskLoginErrors" => true,
148
- "loginSec_blockAdminReg" => true,
149
- "loginSec_disableAuthorScan" => true,
150
- "other_hideWPVersion" => true,
151
- "other_noAnonMemberComments" => true,
152
- "other_blockBadPOST" => false,
153
- "other_scanComments" => true,
154
- "other_pwStrengthOnUpdate" => true,
155
- "other_WFNet" => true,
156
- "other_scanOutside" => false,
157
- "deleteTablesOnDeact" => false,
158
- "autoUpdate" => false,
159
- "disableCookies" => false,
160
- "startScansRemotely" => false,
161
- "disableConfigCaching" => false,
162
- "addCacheComment" => false,
163
- "disableCodeExecutionUploads" => false,
164
- "allowHTTPSCaching" => false,
165
- "debugOn" => false,
166
- 'email_summary_enabled' => true,
167
- 'email_summary_dashboard_widget_enabled' => true,
168
- 'ssl_verify' => true,
169
- ),
170
- "otherParams" => array(
171
- 'securityLevel' => '1',
172
- "alertEmails" => "", "liveTraf_ignoreUsers" => "", "liveTraf_ignoreIPs" => "", "liveTraf_ignoreUA" => "", "apiKey" => "", "maxMem" => '256', 'scan_exclude' => '', 'whitelisted' => '', 'bannedURLs' => '', 'maxExecutionTime' => '', 'howGetIPs' => '', 'actUpdateInterval' => '', 'alert_maxHourly' => 0, 'loginSec_userBlacklist' => '',
173
- 'liveTraf_maxRows' => 2000,
174
- "neverBlockBG" => "neverBlockVerified",
175
- "loginSec_countFailMins" => "5",
176
- "loginSec_lockoutMins" => "5",
177
- 'loginSec_strongPasswds' => 'pubs',
178
- 'loginSec_maxFailures' => "50",
179
- 'loginSec_maxForgotPasswd' => "50",
180
- 'maxGlobalRequests' => "DISABLED",
181
- 'maxGlobalRequests_action' => "throttle",
182
- 'maxRequestsCrawlers' => "DISABLED",
183
- 'maxRequestsCrawlers_action' => "throttle",
184
- 'maxRequestsHumans' => "DISABLED",
185
- 'maxRequestsHumans_action' => "throttle",
186
- 'max404Crawlers' => "DISABLED",
187
- 'max404Crawlers_action' => "throttle",
188
- 'max404Humans' => "DISABLED",
189
- 'max404Humans_action' => "throttle",
190
- 'maxScanHits' => "DISABLED",
191
- 'maxScanHits_action' => "throttle",
192
- 'blockedTime' => "300",
193
- 'email_summary_interval' => 'biweekly',
194
- 'email_summary_excluded_directories' => 'wp-content/cache,wp-content/wfcache,wp-content/plugins/wordfence/tmp',
195
- 'allowed404s' => "/favicon.ico\n/apple-touch-icon*.png\n/*@2x.png",
196
- )
197
- ),
198
- array( //level 2
199
- "checkboxes" => array(
200
- "alertOn_critical" => true,
201
- "alertOn_update" => false,
202
- "alertOn_warnings" => true,
203
- "alertOn_throttle" => false,
204
- "alertOn_block" => true,
205
- "alertOn_loginLockout" => true,
206
- "alertOn_lostPasswdForm" => true,
207
- "alertOn_adminLogin" => true,
208
- "alertOn_nonAdminLogin" => false,
209
- "liveTrafficEnabled" => true,
210
- "scansEnabled_checkReadableConfig" => true,
211
- "advancedCommentScanning" => false,
212
- "checkSpamIP" => false,
213
- "spamvertizeCheck" => false,
214
- "liveTraf_ignorePublishers" => true,
215
- //"perfLoggingEnabled" => false,
216
- "scheduledScansEnabled" => true,
217
- "scansEnabled_public" => false,
218
- "scansEnabled_heartbleed" => true,
219
- "scansEnabled_core" => true,
220
- "scansEnabled_themes" => false,
221
- "scansEnabled_plugins" => false,
222
- "scansEnabled_malware" => true,
223
- "scansEnabled_fileContents" => true,
224
- "scansEnabled_posts" => true,
225
- "scansEnabled_comments" => true,
226
- "scansEnabled_passwds" => true,
227
- "scansEnabled_diskSpace" => true,
228
- "scansEnabled_options" => true,
229
- "scansEnabled_wpscan_fullPathDisclosure" => true,
230
- "scansEnabled_wpscan_directoryListingEnabled" => true,
231
- "scansEnabled_dns" => true,
232
- "scansEnabled_scanImages" => false,
233
- "scansEnabled_highSense" => false,
234
- "scansEnabled_oldVersions" => true,
235
- "scansEnabled_suspiciousAdminUsers" => true,
236
- "firewallEnabled" => true,
237
- "blockFakeBots" => false,
238
- "autoBlockScanners" => true,
239
- "loginSecurityEnabled" => true,
240
- "loginSec_lockInvalidUsers" => false,
241
- "loginSec_maskLoginErrors" => true,
242
- "loginSec_blockAdminReg" => true,
243
- "loginSec_disableAuthorScan" => true,
244
- "other_hideWPVersion" => true,
245
- "other_noAnonMemberComments" => true,
246
- "other_blockBadPOST" => false,
247
- "other_scanComments" => true,
248
- "other_pwStrengthOnUpdate" => true,
249
- "other_WFNet" => true,
250
- "other_scanOutside" => false,
251
- "deleteTablesOnDeact" => false,
252
- "autoUpdate" => false,
253
- "disableCookies" => false,
254
- "startScansRemotely" => false,
255
- "disableConfigCaching" => false,
256
- "addCacheComment" => false,
257
- "disableCodeExecutionUploads" => false,
258
- "allowHTTPSCaching" => false,
259
- "debugOn" => false,
260
- 'email_summary_enabled' => true,
261
- 'email_summary_dashboard_widget_enabled' => true,
262
- 'ssl_verify' => true,
263
- ),
264
- "otherParams" => array(
265
- "scan_include_extra" => "",
266
- 'securityLevel' => '2',
267
- "alertEmails" => "", "liveTraf_ignoreUsers" => "", "liveTraf_ignoreIPs" => "", "liveTraf_ignoreUA" => "", "apiKey" => "", "maxMem" => '256', 'scan_exclude' => '', 'whitelisted' => '', 'bannedURLs' => '', 'maxExecutionTime' => '', 'howGetIPs' => '', 'actUpdateInterval' => '', 'alert_maxHourly' => 0, 'loginSec_userBlacklist' => '',
268
- 'liveTraf_maxRows' => 2000,
269
- "neverBlockBG" => "neverBlockVerified",
270
- "loginSec_countFailMins" => "240",
271
- "loginSec_lockoutMins" => "240",
272
- 'loginSec_strongPasswds' => 'pubs',
273
- 'loginSec_maxFailures' => "20",
274
- 'loginSec_maxForgotPasswd' => "20",
275
- 'maxGlobalRequests' => "DISABLED",
276
- 'maxGlobalRequests_action' => "throttle",
277
- 'maxRequestsCrawlers' => "DISABLED",
278
- 'maxRequestsCrawlers_action' => "throttle",
279
- 'maxRequestsHumans' => "DISABLED",
280
- 'maxRequestsHumans_action' => "throttle",
281
- 'max404Crawlers' => "DISABLED",
282
- 'max404Crawlers_action' => "throttle",
283
- 'max404Humans' => "DISABLED",
284
- 'max404Humans_action' => "throttle",
285
- 'maxScanHits' => "DISABLED",
286
- 'maxScanHits_action' => "throttle",
287
- 'blockedTime' => "300",
288
- 'email_summary_interval' => 'biweekly',
289
- 'email_summary_excluded_directories' => 'wp-content/cache,wp-content/wfcache,wp-content/plugins/wordfence/tmp',
290
- 'allowed404s' => "/favicon.ico\n/apple-touch-icon*.png\n/*@2x.png",
291
- )
292
- ),
293
- array( //level 3
294
- "checkboxes" => array(
295
- "alertOn_critical" => true,
296
- "alertOn_update" => false,
297
- "alertOn_warnings" => true,
298
- "alertOn_throttle" => false,
299
- "alertOn_block" => true,
300
- "alertOn_loginLockout" => true,
301
- "alertOn_lostPasswdForm" => true,
302
- "alertOn_adminLogin" => true,
303
- "alertOn_nonAdminLogin" => false,
304
- "liveTrafficEnabled" => true,
305
- "advancedCommentScanning" => false,
306
- "checkSpamIP" => false,
307
- "spamvertizeCheck" => false,
308
- "liveTraf_ignorePublishers" => true,
309
- //"perfLoggingEnabled" => false,
310
- "scheduledScansEnabled" => true,
311
- "scansEnabled_public" => false,
312
- "scansEnabled_heartbleed" => true,
313
- "scansEnabled_core" => true,
314
- "scansEnabled_themes" => false,
315
- "scansEnabled_plugins" => false,
316
- "scansEnabled_malware" => true,
317
- "scansEnabled_fileContents" => true,
318
- "scansEnabled_posts" => true,
319
- "scansEnabled_comments" => true,
320
- "scansEnabled_passwds" => true,
321
- "scansEnabled_diskSpace" => true,
322
- "scansEnabled_options" => true,
323
- "scansEnabled_wpscan_fullPathDisclosure" => true,
324
- "scansEnabled_wpscan_directoryListingEnabled" => true,
325
- "scansEnabled_dns" => true,
326
- "scansEnabled_scanImages" => false,
327
- "scansEnabled_highSense" => false,
328
- "scansEnabled_oldVersions" => true,
329
- "scansEnabled_suspiciousAdminUsers" => true,
330
- "firewallEnabled" => true,
331
- "blockFakeBots" => false,
332
- "autoBlockScanners" => true,
333
- "loginSecurityEnabled" => true,
334
- "loginSec_lockInvalidUsers" => false,
335
- "loginSec_maskLoginErrors" => true,
336
- "loginSec_blockAdminReg" => true,
337
- "loginSec_disableAuthorScan" => true,
338
- "other_hideWPVersion" => true,
339
- "other_noAnonMemberComments" => true,
340
- "other_blockBadPOST" => false,
341
- "other_scanComments" => true,
342
- "other_pwStrengthOnUpdate" => true,
343
- "other_WFNet" => true,
344
- "other_scanOutside" => false,
345
- "deleteTablesOnDeact" => false,
346
- "autoUpdate" => false,
347
- "disableCookies" => false,
348
- "startScansRemotely" => false,
349
- "disableConfigCaching" => false,
350
- "addCacheComment" => false,
351
- "disableCodeExecutionUploads" => false,
352
- "allowHTTPSCaching" => false,
353
- "debugOn" => false,
354
- 'email_summary_enabled' => true,
355
- 'email_summary_dashboard_widget_enabled' => true,
356
- 'ssl_verify' => true,
357
- ),
358
- "otherParams" => array(
359
- 'securityLevel' => '3',
360
- "alertEmails" => "", "liveTraf_ignoreUsers" => "", "liveTraf_ignoreIPs" => "", "liveTraf_ignoreUA" => "", "apiKey" => "", "maxMem" => '256', 'scan_exclude' => '', 'whitelisted' => '', 'bannedURLs' => '', 'maxExecutionTime' => '', 'howGetIPs' => '', 'actUpdateInterval' => '', 'alert_maxHourly' => 0, 'loginSec_userBlacklist' => '',
361
- 'liveTraf_maxRows' => 2000,
362
- "neverBlockBG" => "neverBlockVerified",
363
- "loginSec_countFailMins" => "1440",
364
- "loginSec_lockoutMins" => "1440",
365
- 'loginSec_strongPasswds' => 'all',
366
- 'loginSec_maxFailures' => "10",
367
- 'loginSec_maxForgotPasswd' => "10",
368
- 'maxGlobalRequests' => "960",
369
- 'maxGlobalRequests_action' => "throttle",
370
- 'maxRequestsCrawlers' => "960",
371
- 'maxRequestsCrawlers_action' => "throttle",
372
- 'maxRequestsHumans' => "60",
373
- 'maxRequestsHumans_action' => "throttle",
374
- 'max404Crawlers' => "60",
375
- 'max404Crawlers_action' => "throttle",
376
- 'max404Humans' => "60",
377
- 'max404Humans_action' => "throttle",
378
- 'maxScanHits' => "30",
379
- 'maxScanHits_action' => "throttle",
380
- 'blockedTime' => "1800",
381
- 'email_summary_interval' => 'biweekly',
382
- 'email_summary_excluded_directories' => 'wp-content/cache,wp-content/wfcache,wp-content/plugins/wordfence/tmp',
383
- 'allowed404s' => "/favicon.ico\n/apple-touch-icon*.png\n/*@2x.png",
384
- )
385
- ),
386
- array( //level 4
387
- "checkboxes" => array(
388
- "alertOn_critical" => true,
389
- "alertOn_update" => false,
390
- "alertOn_warnings" => true,
391
- "alertOn_throttle" => false,
392
- "alertOn_block" => true,
393
- "alertOn_loginLockout" => true,
394
- "alertOn_lostPasswdForm" => true,
395
- "alertOn_adminLogin" => true,
396
- "alertOn_nonAdminLogin" => false,
397
- "liveTrafficEnabled" => true,
398
- "advancedCommentScanning" => false,
399
- "checkSpamIP" => false,
400
- "spamvertizeCheck" => false,
401
- "liveTraf_ignorePublishers" => true,
402
- //"perfLoggingEnabled" => false,
403
- "scheduledScansEnabled" => true,
404
- "scansEnabled_public" => false,
405
- "scansEnabled_heartbleed" => true,
406
- "scansEnabled_core" => true,
407
- "scansEnabled_themes" => false,
408
- "scansEnabled_plugins" => false,
409
- "scansEnabled_malware" => true,
410
- "scansEnabled_fileContents" => true,
411
- "scansEnabled_posts" => true,
412
- "scansEnabled_comments" => true,
413
- "scansEnabled_passwds" => true,
414
- "scansEnabled_diskSpace" => true,
415
- "scansEnabled_options" => true,
416
- "scansEnabled_wpscan_fullPathDisclosure" => true,
417
- "scansEnabled_wpscan_directoryListingEnabled" => true,
418
- "scansEnabled_dns" => true,
419
- "scansEnabled_scanImages" => false,
420
- "scansEnabled_highSense" => false,
421
- "scansEnabled_oldVersions" => true,
422
- "scansEnabled_suspiciousAdminUsers" => true,
423
- "firewallEnabled" => true,
424
- "blockFakeBots" => true,
425
- "autoBlockScanners" => true,
426
- "loginSecurityEnabled" => true,
427
- "loginSec_lockInvalidUsers" => true,
428
- "loginSec_maskLoginErrors" => true,
429
- "loginSec_blockAdminReg" => true,
430
- "loginSec_disableAuthorScan" => true,
431
- "other_hideWPVersion" => true,
432
- "other_noAnonMemberComments" => true,
433
- "other_blockBadPOST" => false,
434
- "other_scanComments" => true,
435
- "other_pwStrengthOnUpdate" => true,
436
- "other_WFNet" => true,
437
- "other_scanOutside" => false,
438
- "deleteTablesOnDeact" => false,
439
- "autoUpdate" => false,
440
- "disableCookies" => false,
441
- "startScansRemotely" => false,
442
- "disableConfigCaching" => false,
443
- "addCacheComment" => false,
444
- "disableCodeExecutionUploads" => false,
445
- "allowHTTPSCaching" => false,
446
- "debugOn" => false,
447
- 'email_summary_enabled' => true,
448
- 'email_summary_dashboard_widget_enabled' => true,
449
- 'ssl_verify' => true,
450
- ),
451
- "otherParams" => array(
452
- 'securityLevel' => '4',
453
- "alertEmails" => "", "liveTraf_ignoreUsers" => "", "liveTraf_ignoreIPs" => "", "liveTraf_ignoreUA" => "", "apiKey" => "", "maxMem" => '256', 'scan_exclude' => '', 'whitelisted' => '', 'bannedURLs' => '', 'maxExecutionTime' => '', 'howGetIPs' => '', 'actUpdateInterval' => '', 'alert_maxHourly' => 0, 'loginSec_userBlacklist' => '',
454
- 'liveTraf_maxRows' => 2000,
455
- "neverBlockBG" => "neverBlockVerified",
456
- "loginSec_countFailMins" => "1440",
457
- "loginSec_lockoutMins" => "1440",
458
- 'loginSec_strongPasswds' => 'all',
459
- 'loginSec_maxFailures' => "5",
460
- 'loginSec_maxForgotPasswd' => "5",
461
- 'maxGlobalRequests' => "960",
462
- 'maxGlobalRequests_action' => "throttle",
463
- 'maxRequestsCrawlers' => "960",
464
- 'maxRequestsCrawlers_action' => "throttle",
465
- 'maxRequestsHumans' => "30",
466
- 'maxRequestsHumans_action' => "block",
467
- 'max404Crawlers' => "30",
468
- 'max404Crawlers_action' => "block",
469
- 'max404Humans' => "60",
470
- 'max404Humans_action' => "block",
471
- 'maxScanHits' => "10",
472
- 'maxScanHits_action' => "block",
473
- 'blockedTime' => "7200",
474
- 'email_summary_interval' => 'biweekly',
475
- 'email_summary_excluded_directories' => 'wp-content/cache,wp-content/wfcache,wp-content/plugins/wordfence/tmp',
476
- 'allowed404s' => "/favicon.ico\n/apple-touch-icon*.png\n/*@2x.png",
477
- )
478
)
479
);
480
public static function setDefaults(){
481
- foreach(self::$securityLevels[2]['checkboxes'] as $key => $val){
482
if(self::get($key) === false){
483
self::set($key, $val ? '1' : '0');
484
}
485
}
486
- foreach(self::$securityLevels[2]['otherParams'] as $key => $val){
487
if(self::get($key) === false){
488
self::set($key, $val);
489
}
@@ -504,10 +133,10 @@ class wfConfig {
504
}
505
public static function getExportableOptionsKeys(){
506
$ret = array();
507
- foreach(self::$securityLevels[2]['checkboxes'] as $key => $val){
508
$ret[] = $key;
509
}
510
- foreach(self::$securityLevels[2]['otherParams'] as $key => $val){
511
if($key != 'apiKey'){
512
$ret[] = $key;
513
}
@@ -519,10 +148,10 @@ class wfConfig {
519
}
520
public static function parseOptions(){
521
$ret = array();
522
- foreach(self::$securityLevels[2]['checkboxes'] as $key => $val){ //value is not used. We just need the keys for validation
523
$ret[$key] = isset($_POST[$key]) ? '1' : '0';
524
}
525
- foreach(self::$securityLevels[2]['otherParams'] as $key => $val){
526
if(isset($_POST[$key])){
527
$ret[$key] = stripslashes($_POST[$key]);
528
} else {
8
private static $DB = false;
9
private static $tmpFileHeader = "<?php\n/* Wordfence temporary file security header */\necho \"Nothing to see here!\\n\"; exit(0);\n?>";
10
private static $tmpDirCache = false;
11
+ public static $defaultConfig = array(
12
+ "checkboxes" => array(
13
+ "alertOn_critical" => true,
14
+ "alertOn_update" => false,
15
+ "alertOn_warnings" => true,
16
+ "alertOn_throttle" => false,
17
+ "alertOn_block" => true,
18
+ "alertOn_loginLockout" => true,
19
+ "alertOn_lostPasswdForm" => true,
20
+ "alertOn_adminLogin" => true,
21
+ "alertOn_nonAdminLogin" => false,
22
+ "liveTrafficEnabled" => true,
23
+ "scansEnabled_checkReadableConfig" => true,
24
+ "advancedCommentScanning" => false,
25
+ "checkSpamIP" => false,
26
+ "spamvertizeCheck" => false,
27
+ "liveTraf_ignorePublishers" => true,
28
+ //"perfLoggingEnabled" => false,
29
+ "scheduledScansEnabled" => true,
30
+ "scansEnabled_public" => false,
31
+ "scansEnabled_heartbleed" => true,
32
+ "scansEnabled_core" => true,
33
+ "scansEnabled_themes" => false,
34
+ "scansEnabled_plugins" => false,
35
+ "scansEnabled_malware" => true,
36
+ "scansEnabled_fileContents" => true,
37
+ "scansEnabled_posts" => true,
38
+ "scansEnabled_comments" => true,
39
+ "scansEnabled_passwds" => true,
40
+ "scansEnabled_diskSpace" => true,
41
+ "scansEnabled_options" => true,
42
+ "scansEnabled_wpscan_fullPathDisclosure" => true,
43
+ "scansEnabled_wpscan_directoryListingEnabled" => true,
44
+ "scansEnabled_dns" => true,
45
+ "scansEnabled_scanImages" => false,
46
+ "scansEnabled_highSense" => false,
47
+ "scansEnabled_oldVersions" => true,
48
+ "scansEnabled_suspiciousAdminUsers" => true,
49
+ "firewallEnabled" => true,
50
+ "blockFakeBots" => false,
51
+ "autoBlockScanners" => true,
52
+ "loginSecurityEnabled" => true,
53
+ "loginSec_lockInvalidUsers" => false,
54
+ "loginSec_maskLoginErrors" => true,
55
+ "loginSec_blockAdminReg" => true,
56
+ "loginSec_disableAuthorScan" => true,
57
+ "loginSec_disableOEmbedAuthor" => false,
58
+ "other_hideWPVersion" => true,
59
+ "other_noAnonMemberComments" => true,
60
+ "other_blockBadPOST" => false,
61
+ "other_scanComments" => true,
62
+ "other_pwStrengthOnUpdate" => true,
63
+ "other_WFNet" => true,
64
+ "other_scanOutside" => false,
65
+ "deleteTablesOnDeact" => false,
66
+ "autoUpdate" => false,
67
+ "disableCookies" => false,
68
+ "startScansRemotely" => false,
69
+ "disableConfigCaching" => false,
70
+ "addCacheComment" => false,
71
+ "disableCodeExecutionUploads" => false,
72
+ "allowHTTPSCaching" => false,
73
+ "debugOn" => false,
74
+ 'email_summary_enabled' => true,
75
+ 'email_summary_dashboard_widget_enabled' => true,
76
+ 'ssl_verify' => true,
77
+ 'ajaxWatcherDisabled_front' => false,
78
+ 'ajaxWatcherDisabled_admin' => false,
79
),
80
+ "otherParams" => array(
81
+ "scan_include_extra" => "",
82
+ // 'securityLevel' => '2',
83
+ "alertEmails" => "", "liveTraf_ignoreUsers" => "", "liveTraf_ignoreIPs" => "", "liveTraf_ignoreUA" => "", "apiKey" => "", "maxMem" => '256', 'scan_exclude' => '', 'whitelisted' => '', 'bannedURLs' => '', 'maxExecutionTime' => '', 'howGetIPs' => '', 'actUpdateInterval' => '', 'alert_maxHourly' => 0, 'loginSec_userBlacklist' => '',
84
+ 'liveTraf_maxRows' => 2000,
85
+ "neverBlockBG" => "neverBlockVerified",
86
+ "loginSec_countFailMins" => "240",
87
+ "loginSec_lockoutMins" => "240",
88
+ 'loginSec_strongPasswds' => 'pubs',
89
+ 'loginSec_maxFailures' => "20",
90
+ 'loginSec_maxForgotPasswd' => "20",
91
+ 'maxGlobalRequests' => "DISABLED",
92
+ 'maxGlobalRequests_action' => "throttle",
93
+ 'maxRequestsCrawlers' => "DISABLED",
94
+ 'maxRequestsCrawlers_action' => "throttle",
95
+ 'maxRequestsHumans' => "DISABLED",
96
+ 'maxRequestsHumans_action' => "throttle",
97
+ 'max404Crawlers' => "DISABLED",
98
+ 'max404Crawlers_action' => "throttle",
99
+ 'max404Humans' => "DISABLED",
100
+ 'max404Humans_action' => "throttle",
101
+ 'maxScanHits' => "DISABLED",
102
+ 'maxScanHits_action' => "throttle",
103
+ 'blockedTime' => "300",
104
+ 'email_summary_interval' => 'biweekly',
105
+ 'email_summary_excluded_directories' => 'wp-content/cache,wp-content/wfcache,wp-content/plugins/wordfence/tmp',
106
+ 'allowed404s' => "/favicon.ico\n/apple-touch-icon*.png\n/*@2x.png",
107
)
108
);
109
public static function setDefaults(){
110
+ foreach(self::$defaultConfig['checkboxes'] as $key => $val){
111
if(self::get($key) === false){
112
self::set($key, $val ? '1' : '0');
113
}
114
}
115
+ foreach(self::$defaultConfig['otherParams'] as $key => $val){
116
if(self::get($key) === false){
117
self::set($key, $val);
118
}
133
}
134
public static function getExportableOptionsKeys(){
135
$ret = array();
136
+ foreach(self::$defaultConfig['checkboxes'] as $key => $val){
137
$ret[] = $key;
138
}
139
+ foreach(self::$defaultConfig['otherParams'] as $key => $val){
140
if($key != 'apiKey'){
141
$ret[] = $key;
142
}
148
}
149
public static function parseOptions(){
150
$ret = array();
151
+ foreach(self::$defaultConfig['checkboxes'] as $key => $val){ //value is not used. We just need the keys for validation
152
$ret[$key] = isset($_POST[$key]) ? '1' : '0';
153
}
154
+ foreach(self::$defaultConfig['otherParams'] as $key => $val){
155
if(isset($_POST[$key])){
156
$ret[$key] = stripslashes($_POST[$key]);
157
} else {
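--- a/lib/wfIssues.php
+++ b/lib/wfIssues.php
@@ -153,6 +153,7 @@ class wfIssues {
 'new' => array(),
 'ignored' => array()
 );
+$userIni = ini_get('user_ini.filename');
 $q1 = $this->getDB()->querySelect("select * from " . $this->issuesTable . " order by time desc");
 foreach($q1 as $i){
 $i['data'] = unserialize($i['data']);
@@ -170,7 +171,14 @@ class wfIssues {
 foreach($ret as $status => &$issueList){
 for($i = 0; $i < sizeof($issueList); $i++){
 if($issueList[$i]['type'] == 'file'){
-$localFile = ABSPATH . '/' . preg_replace('/^[\.\/]+/', '', $issueList[$i]['data']['file']);
+$localFile = $issueList[$i]['data']['file'];
+if ($localFile != '.htaccess' && $localFile != $userIni) {
+$localFile = ABSPATH . '/' . preg_replace('/^[\.\/]+/', '', $localFile);
+}
+else {
+$localFile = ABSPATH . '/' . $localFile;
+}
+
 if(file_exists($localFile)){
 $issueList[$i]['data']['fileExists'] = true;
 } else {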
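Review bot: The new `.htaccess`/`$userIni` special case exists because the `preg_replace('/^[\.\/]+/', '', ...)` that follows strips every leading dot and would turn those root files into `htaccess` and `user.ini`, but nothing in the hunk says so; a comment on the `if`, `// dot-prefixed root files must not go through the leading-dot strip below`, would explain why the two paths differ. The comparison is loose `!=` against a value that `ini_get()` returns as `false` when the directive is unavailable; `$localFile !== '.htaccess' && $localFile !== $userIni` states the intent exactly and avoids PHP's loose string/bool rules. The enclosing method starts before the first hunk and continues past the second.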
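--- a/lib/wfLog.php
+++ b/lib/wfLog.php
@@ -952,44 +952,34 @@ class wfLog {
 $skipCountryBlocking = true;
 }
 
-if((! $skipCountryBlocking) && $blockedCountries && (! self::isCBLBypassCookieSet()) ){
-if(is_user_logged_in() && (! wfConfig::get('cbl_loggedInBlocked', false)) ){ //User is logged in and we're allowing logins
-//Do nothing
-} else if(strpos($_SERVER['REQUEST_URI'], '/wp-login.php') !== false && (! wfConfig::get('cbl_loginFormBlocked', false)) ){ //It's the login form and we're allowing that
-//Do nothing
-} else if(strpos($_SERVER['REQUEST_URI'], '/wp-login.php') === false && (! wfConfig::get('cbl_restOfSiteBlocked', false)) ){ //It's the rest of the site and we're allowing that
-//Do nothing
-} else {
-if($country = wfUtils::IP2Country($IP) ){
-foreach(explode(',', $blockedCountries) as $blocked){
-if(strtoupper($blocked) == strtoupper($country)){ //At this point we know the user has been blocked
-if(wfConfig::get('cbl_action') == 'redir'){
-$redirURL = wfConfig::get('cbl_redirURL');
-$eRedirHost = wfUtils::extractHostname($redirURL);
-$isExternalRedir = false;
-if($eRedirHost && $eRedirHost != wfUtils::extractHostname(home_url())){ //It's an external redirect...
-$isExternalRedir = true;
-}
-if( (! $isExternalRedir) && wfUtils::extractBareURI($redirURL) == $bareRequestURI){ //Is this the URI we want to redirect to, then don't block it
-//Do nothing
-/* Uncomment the following if page components aren't loading for the page we redirect to.
-Uncommenting is not recommended because it means that anyone from a blocked country
-can crawl your site by sending the page blocked users are redirected to as the referer for every request.
-But it's your call.
-} else if(wfUtils::extractBareURI($_SERVER['HTTP_REFERER']) == $redirURL){ //If the referer the page we want to redirect to? Then this might be loading as a component so don't block.
-//Do nothing
-*/
-} else {
-$this->redirect(wfConfig::get('cbl_redirURL'));
-}
-} else {
-$this->currentRequest->actionDescription = 'blocked access via country blocking';
-$this->do503(3600, "Access from your area has been temporarily limited for security reasons");
-wfConfig::inc('totalCountryBlocked');
-}
-}
-}
+if (!$skipCountryBlocking && $blockedCountries && !self::isCBLBypassCookieSet()) {
+// If everything is checked, make sure this always runs.
+if (wfConfig::get('cbl_loggedInBlocked', false) &&
+wfConfig::get('cbl_loginFormBlocked', false) &&
+wfConfig::get('cbl_restOfSiteBlocked', false)) {
+$this->checkForBlockedCountry();
+}
+// Block logged in users.
+if (wfConfig::get('cbl_loggedInBlocked', false) && is_user_logged_in()) {
+$this->checkForBlockedCountry();
+}
+// Block the login form itself and any attempt to authenticate.
+if (wfConfig::get('cbl_loginFormBlocked', false)) {
+if (self::isAuthRequest()) {
+$this->checkForBlockedCountry();
 }
+add_filter('authenticate', array($this, 'checkForBlockedCountry'), 1, 0);
+}
+// Block requests that aren't to the login page, xmlrpc.php, or a user already logged in.
+if (wfConfig::get('cbl_restOfSiteBlocked', false) &&
+!self::isAuthRequest() && !defined('XMLRPC_REQUEST') && !is_user_logged_in()) {
+$this->checkForBlockedCountry();
+}
+// XMLRPC is inaccesible when public portion of the site and auth is disabled.
+if (wfConfig::get('cbl_loginFormBlocked', false) &&
+wfConfig::get('cbl_restOfSiteBlocked', false) &&
+defined('XMLRPC_REQUEST')) {
+$this->checkForBlockedCountry();
 }
 }
 }
@@ -998,7 +988,7 @@ class wfLog {
 $this->getDB()->queryWrite("update " . $this->blocksTable . " set lastAttempt=unix_timestamp(), blockedHits = blockedHits + 1 where IP=%s", $IPnum);
 $now = $this->getDB()->querySingle("select unix_timestamp()");
 $secsToGo = ($rec['blockedTime'] + wfConfig::get('blockedTime')) - $now;
-if(wfConfig::get('other_WFNet') && strpos($_SERVER['REQUEST_URI'], '/wp-login.php') !== false){ //We're on the login page and this IP has been blocked
+if(wfConfig::get('other_WFNet') && self::isAuthRequest()){ //It's an auth request and this IP has been blocked
 wordfence::wfsnReportBlockedAttempt($IP, 'login');
 }
 $this->do503($secsToGo, $rec['reason']);
@@ -1021,6 +1011,49 @@ class wfLog {
 }
 return false;
 }
+
+public function checkForBlockedCountry() {
+static $hasRun;
+if (isset($hasRun)) {
+return;
+}
+$hasRun = true;
+
+$blockedCountries = wfConfig::get('cbl_countries', false);
+$bareRequestURI = wfUtils::extractBareURI($_SERVER['REQUEST_URI']);
+$IP = wfUtils::getIP();
+if($country = wfUtils::IP2Country($IP) ){
+foreach(explode(',', $blockedCountries) as $blocked){
+if(strtoupper($blocked) == strtoupper($country)){ //At this point we know the user has been blocked
+if(wfConfig::get('cbl_action') == 'redir'){
+$redirURL = wfConfig::get('cbl_redirURL');
+$eRedirHost = wfUtils::extractHostname($redirURL);
+$isExternalRedir = false;
+if($eRedirHost && $eRedirHost != wfUtils::extractHostname(home_url())){ //It's an external redirect...
+$isExternalRedir = true;
+}
+if( (! $isExternalRedir) && wfUtils::extractBareURI($redirURL) == $bareRequestURI){ //Is this the URI we want to redirect to, then don't block it
+//Do nothing
+/* Uncomment the following if page components aren't loading for the page we redirect to.
+Uncommenting is not recommended because it means that anyone from a blocked country
+can crawl your site by sending the page blocked users are redirected to as the referer for every request.
+But it's your call.
+} else if(wfUtils::extractBareURI($_SERVER['HTTP_REFERER']) == $redirURL){ //If the referer the page we want to redirect to? Then this might be loading as a component so don't block.
+//Do nothing
+*/
+} else {
+$this->redirect(wfConfig::get('cbl_redirURL'));
+}
+} else {
+$this->currentRequest->actionDescription = 'blocked access via country blocking';
+wfConfig::inc('totalCountryBlocked');
+$this->do503(3600, "Access from your area has been temporarily limited for security reasons");
+}
+}
+}
+}
+}
+
 private function takeBlockingAction($configVar, $reason){
 if($this->googleSafetyCheckOK()){
 $action = wfConfig::get($configVar . '_action');
@@ -1050,6 +1083,19 @@ class wfLog {
 return;
 }
 }
+
+/**
+* Test if the current request is for wp-login.php or xmlrpc.php
+*
+* @return boolean
+*/
+private static function isAuthRequest() {
+if ((strpos($_SERVER['REQUEST_URI'], '/wp-login.php') !== false)) {
+return true;
+}
+return false;
+}
+
 public function do503($secsToGo, $reason){
 $this->initLogRequest();
 $this->currentRequest->statusCode = 403;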
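Review bot: `checkForBlockedCountry` is hooked to the `authenticate` filter on the `add_filter('authenticate', array($this, 'checkForBlockedCountry'), 1, 0);` line of the first hunk but returns nothing, so whenever it runs as a filter the `$user` value handed to every later callback on that hook becomes null; giving it the filter's shape, `public function checkForBlockedCountry($user = null) {` with both exits written as `return $user;`, keeps the direct calls working and makes the hook safe. Three branches in that hunk decide on `self::isAuthRequest()`, whose docblock in the last hunk says it tests for wp-login.php or xmlrpc.php while the body only substring-matches `/wp-login.php` anywhere in `REQUEST_URI`, query string included; the XML-RPC case is in fact carried by the separate `defined('XMLRPC_REQUEST')` checks, and the docblock should say so. Matching the path component rather than the whole URI, `$path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);` followed by `return is_string($path) && substr($path, -13) === '/wp-login.php';`, would also keep a query string from satisfying the test. The method enclosing the first hunk starts before it.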
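--- a/lib/wfScanEngine.php
+++ b/lib/wfScanEngine.php
@@ -86,6 +86,7 @@ class wfScanEngine {
 $this->jobList[] = 'publicSite';
 $this->jobList[] = 'checkSpamvertized';
 $this->jobList[] = 'checkSpamIP';
+$this->jobList[] = 'checkGSB';
 $this->jobList[] = 'heartbleed';
 $this->jobList[] = 'knownFiles_init';
 $this->jobList[] = 'knownFiles_main';
@@ -241,6 +242,48 @@ class wfScanEngine {
 sleep(2);
 }
 }
+
+private function scan_checkGSB(){
+if(wfConfig::get('isPaid')){
+$this->statusIDX['checkGSB'] = wordfence::statusStart("Checking if your site is on the Google Safe Browsing list");
+
+$urlsToCheck = array(array(get_site_url()));
+$haveIssues = false;
+$badURLs = $this->api->call('check_bad_urls', array(), array( 'toCheck' => json_encode($urlsToCheck)) );
+if (is_array($badURLs) && sizeof($badURLs) > 0) {
+foreach ($badURLs as $id => $badSiteList) {
+foreach ($badSiteList as $badSite) {
+$url = $badSite[0];
+$badList = $badSite[1];
+
+if ($badList == 'goog-malware-shavar') {
+$shortMsg = 'Your site is listed on Google\'s Safe Browsing malware list.';
+$longMsg = "The URL " . esc_html($url) . " is on the malware list. More info available at <a href=\"http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=" . urlencode($url) . "&client=googlechrome&hl=en-US\" target=\"_blank\">Google Safe Browsing diagnostic page</a>.";
+$gsb = $badList;
+}
+else if ($badList == 'googpub-phish-shavar') {
+$shortMsg = 'Your site is listed on Google\'s Safe Browsing phishing list.';
+$longMsg = "The URL " . esc_html($url) . " is on the phishing list. More info available at <a href=\"http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=" . urlencode($url) . "&client=googlechrome&hl=en-US\" target=\"_blank\">Google Safe Browsing diagnostic page</a>.";
+$gsb = $badList;
+}
+else {
+$shortMsg = 'Your site is listed on Google\'s Safe Browsing list.';
+$longMsg = "The URL is: " . esc_html($url) . ". More info available at <a href=\"http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=" . urlencode($url) . "&client=googlechrome&hl=en-US\" target=\"_blank\">Google Safe Browsing diagnostic page</a>.";
+$gsb = 'unknown';
+}
+
+$this->addIssue('checkGSB', 1, 'checkGSB', 'checkGSB' . $url, $shortMsg, $longMsg, array('badURL' => $url, 'gsb' => $gsb));
+$haveIssues = true;
+}
+}
+}
+
+wordfence::statusEnd($this->statusIDX['checkGSB'], $haveIssues);
+} else {
+wordfence::statusPaidOnly("Checking if your site is on the Google Safe Browsing list is for paid members only");
+sleep(2);
+}
+}
 
 private function scan_checkReadableConfig() {
 $haveIssues = false;
@@ -466,7 +509,7 @@ class wfScanEngine {
 
 
 private function scan_posts_init(){
-$this->statusIDX['posts'] = wordfence::statusStart('Scanning posts for URL\'s in Google\'s Safe Browsing List');
+$this->statusIDX['posts'] = wordfence::statusStart('Scanning posts for URLs in Google\'s Safe Browsing List');
 $blogsToScan = self::getBlogsToScan('posts');
 $wfdb = new wfDB();
 $this->hoover = new wordfenceURLHoover($this->apiKey, $this->wp_version);
@@ -573,7 +616,7 @@ class wfScanEngine {
 wordfence::statusEnd($this->statusIDX['posts'], $haveIssues);
 }
 private function scan_comments_init(){
-$this->statusIDX['comments'] = wordfence::statusStart('Scanning comments for URL\'s in Google\'s Safe Browsing List');
+$this->statusIDX['comments'] = wordfence::statusStart('Scanning comments for URLs in Google\'s Safe Browsing List');
 $this->scanData = array();
 $this->scanQueue = array();
 $this->hoover = new wordfenceURLHoover($this->apiKey, $this->wp_version);
@@ -767,7 +810,7 @@ class wfScanEngine {
 $this->userPasswdQueue = substr($this->userPasswdQueue, 4);
 $userLogin = $wfdb->querySingle("select user_login from $wpdb->users where ID=%s", $userID);
 if(! $userLogin){
-wordfence::status(2, 'error', "Could not get username for user with ID $userID when checking password strenght.");
+wordfence::status(2, 'error', "Could not get username for user with ID $userID when checking password strength.");
 continue;
 }
 wordfence::status(4, 'info', "Checking password strength for user $userLogin with ID $userID");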
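Review bot: In `scan_checkGSB` each `$badSite` taken from the API response is indexed as `$badSite[0]` and `$badSite[1]` without checking that it is a two-element array, so a malformed entry raises notices and records an issue keyed on an empty URL; a guard at the top of the inner loop, `if (!is_array($badSite) || count($badSite) < 2) { continue; }`, keeps the job robust against an unexpected payload shape. The diagnostic links in all three `$longMsg` strings point at `http://safebrowsing.clients.google.com/...`; an admin-facing link should use `https://`. If `wfAPI::call` throws on transport failure, as the `try` around the two-factor call in wordfenceClass.php suggests, this job has no `try`/`catch` and an outage would abort the whole scan rather than this one step; the sibling `scan_*` jobs that would show the intended convention start outside this hunk.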
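--- a/lib/wfUtils.php
+++ b/lib/wfUtils.php
@@ -634,14 +634,17 @@ class wfUtils {
 public static function isValidIP($IP){
 return filter_var($IP, FILTER_VALIDATE_IP) !== false;
 }
-public static function getRequestedURL(){
-if(isset($_SERVER['HTTP_HOST']) && $_SERVER['HTTP_HOST']){
+public static function getRequestedURL() {
+if (isset($_SERVER['HTTP_HOST']) && $_SERVER['HTTP_HOST']) {
 $host = $_SERVER['HTTP_HOST'];
-} else {
+} else if (isset($_SERVER['SERVER_NAME']) && $_SERVER['SERVER_NAME']) {
 $host = $_SERVER['SERVER_NAME'];
 }
+else {
+return null;
+}
 $prefix = 'http';
-if( isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] ){
+if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']) {
 $prefix = 'https';
 }
 return $prefix . '://' . $host . $_SERVER['REQUEST_URI'];
@@ -1008,10 +1011,11 @@ class wfUtils {
 if(! (function_exists('geoip_open') && function_exists('geoip_country_code_by_addr') && function_exists('geoip_country_code_by_addr_v6'))){
 require_once('wfGeoIP.php');
 }
-$gi = geoip_open(dirname(__FILE__) . "/GeoIP.dat",GEOIP_STANDARD);
 if (filter_var($IP, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
+$gi = geoip_open(dirname(__FILE__) . "/GeoIPv6.dat", GEOIP_STANDARD);
 $country = geoip_country_code_by_addr_v6($gi, $IP);
 } else {
+$gi = geoip_open(dirname(__FILE__) . "/GeoIP.dat", GEOIP_STANDARD);
 $country = geoip_country_code_by_addr($gi, $IP);
 }
 geoip_close($gi);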
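Review bot: `getRequestedURL` now returns null when neither `HTTP_HOST` nor `SERVER_NAME` is set, but the return line still reads `$_SERVER['REQUEST_URI']` unguarded, so in the command-line case this change is aimed at the undefined-index notice only moves one line down; `if (!isset($_SERVER['REQUEST_URI'])) { return null; }` before the `$prefix` assignment closes that gap, and callers, which are outside this hunk, must now cope with a null where a string used to come back. A docblock would help those callers, for example `@return string|null  URL as the client presented it; the host part is client-supplied, so do not base security decisions on it`. In the second hunk the IPv6 branch now opens `GeoIPv6.dat`, which presumably ships next to `GeoIP.dat`; neither `geoip_open` call is checked for failure before the lookup and `geoip_close` use `$gi`.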
lib/wordfenceClass.php CHANGED
@@ -588,8 +588,13 @@ SQL
588
add_action('init', 'wordfence::initAction');
589
add_action('template_redirect', 'wordfence::templateRedir', 1001);
590
add_action('shutdown', 'wordfence::shutdownAction');
591
- add_action('wp_enqueue_scripts', 'wordfence::enqueueAJAXWatcher');
592
- add_action('admin_enqueue_scripts', 'wordfence::enqueueAJAXWatcher');
593
594
if(version_compare(PHP_VERSION, '5.4.0') >= 0){
595
add_action('wp_authenticate','wordfence::authActionNew', 1, 2);
@@ -636,6 +641,10 @@ SQL
636
add_filter('get_the_generator_comment', 'wordfence::genFilter', 99, 2);
637
add_filter('get_the_generator_export', 'wordfence::genFilter', 99, 2);
638
add_filter('registration_errors', 'wordfence::registrationFilter', 99, 3);
639
640
// Change GoDaddy's limit login mu-plugin since it can interfere with the two factor auth message.
641
if (self::hasGDLimitLoginsMUPlugin()) {
@@ -715,9 +724,11 @@ SQL
715
return $URL;
716
}
717
public static function enqueueAJAXWatcher() {
718
- if (wfUtils::isAdmin()) {
719
- wp_enqueue_style('wordfence-colorbox-style', wfUtils::getBaseURL() . 'css/colorbox.css', '', WORDFENCE_VERSION);
720
- wp_enqueue_script('jquery.wfcolorbox', wfUtils::getBaseURL() . 'js/jquery.colorbox-min.js', array('jquery'), WORDFENCE_VERSION);
721
wp_enqueue_script('wordfenceAJAXjs', wfUtils::getBaseURL() . 'js/admin.ajaxWatcher.js', array('jquery'), WORDFENCE_VERSION);
722
}
723
}
@@ -1157,6 +1168,11 @@ SQL
1157
}
1158
return $errors;
1159
}
1160
public static function authenticateFilter($authUser, $username, $passwd){
1161
wfConfig::inc('totalLoginHits'); //The total hits to wp-login.php including logins, logouts and just hits.
1162
$IP = wfUtils::getIP();
@@ -1203,7 +1219,19 @@ SQL
1203
} //No user matches and has TF activated so let user sign in.
1204
}
1205
} else { //valid login with no code entered
1206
- foreach($twoFactorUsers as &$t){
1207
if($t[0] == $userDat->ID && $t[3] == 'activated'){ //Yup, enabled, so lets send the code
1208
$api = new wfAPI(wfConfig::get('apiKey'), wfUtils::getWPVersion());
1209
try {
@@ -1240,8 +1268,18 @@ SQL
1240
} else { //oops, our API returned an error.
1241
break; //Let them sign in without two factor because the API is broken and we don't want to lock users out of their own systems.
1242
}
1243
- } //User is not present in two factor list or is not activated. Sign in without twofactor.
1244
- } //Two facto users is empty. Sign in without two factor.
1245
}
1246
}
1247
}
@@ -2644,8 +2682,10 @@ SQL
2644
return array('errorMsg' => "Invalid bulk operation selected");
2645
}
2646
}
2647
- public static function ajax_deleteFile_callback(){
2648
- $issueID = intval($_POST['issueID']);
2649
$wfIssues = new wfIssues();
2650
$issue = $wfIssues->getIssueByID($issueID);
2651
if(! $issue){
@@ -2671,7 +2711,27 @@ SQL
2671
</p>",
2672
);
2673
}
2674
- if(@unlink($localFile)){
2675
$wfIssues->updateIssue($issueID, 'delete');
2676
return array(
2677
'ok' => 1,
@@ -2736,13 +2796,35 @@ SQL
2736
$issues->updateIssue($_POST['issueID'], 'delete');
2737
return array('ok' => 1);
2738
}
2739
- public static function ajax_restoreFile_callback(){
2740
- $issueID = intval($_POST['issueID']);
2741
$wfIssues = new wfIssues();
2742
$issue = $wfIssues->getIssueByID($issueID);
2743
if(! $issue){
2744
return array('cerrorMsg' => "We could not find that issue in our database.");
2745
}
2746
$dat = $issue['data'];
2747
$result = self::getWPFileContent($dat['file'], $dat['cType'], (isset($dat['cName']) ? $dat['cName'] : ''), (isset($dat['cVersion']) ? $dat['cVersion'] : ''));
2748
$file = $dat['file'];
@@ -2756,28 +2838,16 @@ SQL
2756
return array('cerrorMsg' => "An invalid file was specified for repair.");
2757
}
2758
$localFile = ABSPATH . '/' . preg_replace('/^[\.\/]+/', '', $file);
2759
- $fh = fopen($localFile, 'w');
2760
- if(! $fh){
2761
- $err = error_get_last();
2762
- if(preg_match('/Permission denied/i', $err['message'])){
2763
- $errMsg = "You don't have permission to repair that file. You need to either fix the file manually using FTP or change the file permissions and ownership so that your web server has write access to repair the file.";
2764
- } else {
2765
- $errMsg = "We could not write to that file. The error was: " . $err['message'];
2766
- }
2767
- return array('cerrorMsg' => $errMsg);
2768
- }
2769
- flock($fh, LOCK_EX);
2770
- $bytes = fwrite($fh, $result['fileContent']);
2771
- flock($fh, LOCK_UN);
2772
- fclose($fh);
2773
- if($bytes < 1){
2774
- return array('cerrorMsg' => "We could not write to that file. ($bytes bytes written) You may not have permission to modify files on your WordPress server.");
2775
}
2776
- $wfIssues->updateIssue($issueID, 'delete');
2777
return array(
2778
- 'ok' => 1,
2779
- 'file' => $localFile
2780
- );
2781
}
2782
public static function ajax_scan_callback(){
2783
self::status(4, 'info', "Ajax request received to start scan.");
@@ -3563,6 +3633,21 @@ HTML;
3563
}
3564
}
3565
}
3566
3567
if (!empty($_REQUEST['wafVerify']) && wp_verify_nonce($_REQUEST['wafVerify'], 'wfWAFAutoPrepend')) {
3568
if (is_multisite()) {
@@ -3571,6 +3656,14 @@ HTML;
3571
add_action('admin_notices', 'wordfence::wafAutoPrependVerify');
3572
}
3573
}
3574
}
3575
private static function setupAdminVars(){
3576
$updateInt = wfConfig::get('actUpdateInterval', 2);
@@ -3985,6 +4078,243 @@ $nginxIniWarning
3985
3986
$wafActionContent = sprintf('<div style="margin: 20px 0;">%s</div>', $wafActionContent);
3987
break;
3988
3989
case '':
3990
break;
@@ -4019,8 +4349,75 @@ $nginxIniWarning
4019
require 'menu_activity.php';
4020
}
4021
public static function menu_scan(){
4022
require 'menu_scan.php';
4023
}
4024
public static function status($level /* 1 has highest visibility */, $type /* info|error */, $msg){
4025
if($level > 3 && $level < 10 && (! self::isDebugOn())){ //level 10 and higher is for summary messages
4026
return false;
@@ -5152,6 +5549,21 @@ LIMIT %d", $lastSendTime, $limit));
5152
echo '<div class="notice notice-error"><p>The changes have not yet taken effect. If you are using LiteSpeed or IIS
5153
as your web server or CGI/FastCGI interface, you may need to wait a few minutes for the changes to take effect since the
5154
configuration files are sometimes cached. You also may need to select a different server configuration in order to
5155
complete this step, but wait for a few minutes before trying. You can try refreshing this page. </p></div>';
5156
}
5157
}
@@ -5226,6 +5638,44 @@ if (file_exists(%1$s)) {
5226
}
5227
wfWAF::getInstance()->getStorageEngine()->setConfig('cron', $cron);
5228
}
5229
}
5230
5231
class wfWAFAutoPrependHelper {
@@ -5364,9 +5814,6 @@ $userIniHtaccessDirectives
5364
5365
case 'apache-suphp':
5366
$autoPrependDirective = sprintf("# Wordfence WAF
5367
- <IfModule mod_suphp.c>
5368
- suPHP_ConfigPath '%s'
5369
- </IfModule>
5370
$userIniHtaccessDirectives
5371
# END Wordfence WAF
5372
", addcslashes($homePath, "'"));
@@ -5450,6 +5897,75 @@ auto_prepend_file = '%s'
5450
}
5451
}
5452
}