WP Hide & Security Enhancer - Version 1.4

Version Description

  • Fix: Allow only CSS files to be processed through the router, to prevent other file types from being displayed arbitrarily.
  • Mu-loader updated version
  • Environment allowed path to limit css files processing
  • Include _get_plugin_data_markup_translate ratter WordPress method
  • Fix: replacement_exists returned wrong response since not using priority keys
  • Fix: Add media replacement, use correct replacement_exists function call
  • Router check for client HTTP_ACCEPT_ENCODING type to start ob_start using ob_gzhandler or not.
  • Update urls dynamically within stylesheets files e.g. include '../theme-name'
  • Use trailingslashit for theme / child new urls to make sure it match full url instead partial theme name (e.g. main-theme and main-theme-child)
  • Block wp-register.php
  • get_home_path rely on DIRECTORY_SEPARATOR for better compatibility
  • Check if plugin slug actually exists within all plugins list on re_plugin_path component

Release Info

Developer nsp-code
Version 1.4

Code changes from version 1.3.9.2 to 1.4

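--- a/include/functions.class.php
+++ b/include/functions.class.php
@@ -387,14 +387,17 @@
  if($pos !== FALSE)
  {
  $home_path = substr( $_SERVER['SCRIPT_FILENAME'], 0, $pos );
- $home_path = trailingslashit( $home_path );
+ $home_path = trim( $home_path , '/\\') . DIRECTORY_SEPARATOR;;
  }
  else
  {
- $wp_path_rel_to_home = '\\' . trim($wp_path_rel_to_home, '/');
- $pos = strpos( realpath(ABSPATH), $wp_path_rel_to_home);
- $home_path = substr( realpath(ABSPATH), 0, $pos );
- $home_path = trailingslashit( $home_path );
+ $wp_path_rel_to_home = DIRECTORY_SEPARATOR . trim($wp_path_rel_to_home, '/\\') . DIRECTORY_SEPARATOR;
+
+ $real_apth = realpath(ABSPATH) . DIRECTORY_SEPARATOR ;
+
+ $pos = strpos( $real_apth, $wp_path_rel_to_home);
+ $home_path = substr( $real_apth, 0, $pos );
+ $home_path = trim( $home_path , '/\\') . DIRECTORY_SEPARATOR;
  }
  }
  else
@@ -402,7 +405,7 @@
  $home_path = ABSPATH;
  }
 
- $home_path = str_replace( '\\', '/', $home_path );
+ //$home_path = str_replace( '\\', '/', $home_path );
 
  return $home_path;
 
@@ -475,7 +478,7 @@
 
  $htaccess_file = $home_path.'.htaccess';
 
- if ((!file_exists($htaccess_file) && is_writable($home_path) && $this->is_permalink_enabled()) || is_writable($htaccess_file))
+ if ((!file_exists($htaccess_file) && $this->is_permalink_enabled()) || is_writable($htaccess_file))
  return TRUE;
 
  return FALSE;
@@ -510,7 +513,7 @@
 
  $web_config_file = $home_path . 'web.config';
 
- if ( ( ! file_exists($web_config_file) && win_is_writable($home_path) && $this->is_permalink_enabled() ) || win_is_writable($web_config_file) )
+ if ( ( ! file_exists($web_config_file) && $this->is_permalink_enabled() ) || win_is_writable($web_config_file) )
  return TRUE;
 
  return FALSE;
@@ -820,7 +823,7 @@
 
  foreach($this->wph->urls_replacement as $priority => $replacements_block)
  {
- if(isset($this->wph->urls_replacement[ $old_url ]))
+ if(isset($this->wph->urls_replacement[$priority][ $old_url ]))
  return TRUE;
  }
 
@@ -1571,7 +1574,7 @@
  unset( $plugin_data['_sitewide'] );
 
  if ( $markup || $translate ) {
- $plugin_data = _get_plugin_data_markup_translate( $plugin_file, $plugin_data, $markup, $translate );
+ $plugin_data = $this->_get_plugin_data_markup_translate( $plugin_file, $plugin_data, $markup, $translate );
  } else {
  $plugin_data['Title'] = $plugin_data['Name'];
  $plugin_data['AuthorName'] = $plugin_data['Author'];
@@ -1581,6 +1584,81 @@
  }
 
 
+
+ /**
+ * Sanitizes plugin data, optionally adds markup, optionally translates.
+ *
+ * @since 2.7.0
+ * @access private
+ * @see get_plugin_data()
+ */
+ function _get_plugin_data_markup_translate( $plugin_file, $plugin_data, $markup = true, $translate = true )
+ {
+
+ // Sanitize the plugin filename to a WP_PLUGIN_DIR relative path
+ $plugin_file = plugin_basename( $plugin_file );
+
+ // Translate fields
+ if ( $translate ) {
+ if ( $textdomain = $plugin_data['TextDomain'] ) {
+ if ( ! is_textdomain_loaded( $textdomain ) ) {
+ if ( $plugin_data['DomainPath'] ) {
+ load_plugin_textdomain( $textdomain, false, dirname( $plugin_file ) . $plugin_data['DomainPath'] );
+ } else {
+ load_plugin_textdomain( $textdomain, false, dirname( $plugin_file ) );
+ }
+ }
+ } elseif ( 'hello.php' == basename( $plugin_file ) ) {
+ $textdomain = 'default';
+ }
+ if ( $textdomain ) {
+ foreach ( array( 'Name', 'PluginURI', 'Description', 'Author', 'AuthorURI', 'Version' ) as $field )
+ $plugin_data[ $field ] = translate( $plugin_data[ $field ], $textdomain );
+ }
+ }
+
+ // Sanitize fields
+ $allowed_tags = $allowed_tags_in_links = array(
+ 'abbr' => array( 'title' => true ),
+ 'acronym' => array( 'title' => true ),
+ 'code' => true,
+ 'em' => true,
+ 'strong' => true,
+ );
+ $allowed_tags['a'] = array( 'href' => true, 'title' => true );
+
+ // Name is marked up inside <a> tags. Don't allow these.
+ // Author is too, but some plugins have used <a> here (omitting Author URI).
+ $plugin_data['Name'] = wp_kses( $plugin_data['Name'], $allowed_tags_in_links );
+ $plugin_data['Author'] = wp_kses( $plugin_data['Author'], $allowed_tags );
+
+ $plugin_data['Description'] = wp_kses( $plugin_data['Description'], $allowed_tags );
+ $plugin_data['Version'] = wp_kses( $plugin_data['Version'], $allowed_tags );
+
+ $plugin_data['PluginURI'] = esc_url( $plugin_data['PluginURI'] );
+ $plugin_data['AuthorURI'] = esc_url( $plugin_data['AuthorURI'] );
+
+ $plugin_data['Title'] = $plugin_data['Name'];
+ $plugin_data['AuthorName'] = $plugin_data['Author'];
+
+ // Apply markup
+ if ( $markup ) {
+ if ( $plugin_data['PluginURI'] && $plugin_data['Name'] )
+ $plugin_data['Title'] = '<a href="' . $plugin_data['PluginURI'] . '">' . $plugin_data['Name'] . '</a>';
+
+ if ( $plugin_data['AuthorURI'] && $plugin_data['Author'] )
+ $plugin_data['Author'] = '<a href="' . $plugin_data['AuthorURI'] . '">' . $plugin_data['Author'] . '</a>';
+
+ $plugin_data['Description'] = wptexturize( $plugin_data['Description'] );
+
+ if ( $plugin_data['Author'] )
+ $plugin_data['Description'] .= ' <cite>' . sprintf( __('By %s.'), $plugin_data['Author'] ) . '</cite>';
+ }
+
+ return $plugin_data;
+ }
+
+
  /**
  * Alternative when apache_response_headers() not available
  *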
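Review bot: `trim( $home_path , '/\\')` in the first hunk strips separators from both ends, so on a Unix-style host the leading `/` of the absolute path is removed and `$home_path` becomes relative to the current working directory. The `.htaccess` and `web.config` paths in the later hunks are built from a `$home_path` that presumably comes from this function, so the checks there would look in the wrong place. Both new assignments should trim only the right-hand side, `$home_path = rtrim( $home_path, '/\\' ) . DIRECTORY_SEPARATOR;`, which also drops the stray `;;`. In the else branch `strpos( $real_apth, $wp_path_rel_to_home )` can return FALSE, and `substr( $real_apth, 0, FALSE )` then yields an empty string, so the result should be checked before it is used. The enclosing function starts above the hunk.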
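--- a/include/update.class.php
+++ b/include/update.class.php
@@ -31,7 +31,7 @@
  }
 
 
- if (version_compare($version, WPH_VERSION, '<'))
+ if (version_compare($version, WPH_CORE_VERSION, '<'))
  {
  //keep track of flushed rules to avoid doing it multiple times
  $_triggered_flush_rules = FALSE;
@@ -70,8 +70,11 @@
  if(version_compare($version, '1.3', '<'))
  {
  //flush rules
- add_action('wp_loaded', array($this, 'flush_rules') , -1);
- $_triggered_flush_rules = TRUE;
+ if( ! $_triggered_flush_rules )
+ {
+ add_action('wp_loaded', array($this, 'flush_rules') , -1);
+ $_triggered_flush_rules = TRUE;
+ }
 
  $version = '1.3';
  }
@@ -87,7 +90,10 @@
  {
  //flush rules
  if( ! $_triggered_flush_rules )
- add_action('wp_loaded', array($this, 'flush_rules') , -1);
+ {
+ add_action('wp_loaded', array($this, 'flush_rules') , -1);
+ $_triggered_flush_rules = TRUE;
+ }
 
  $version = '1.3.2';
  }
@@ -105,8 +111,28 @@
  $version = '1.3.2.2';
  }
 
+ /**
+ * Create the environemnt file
+ */
+ if(version_compare($version, '1.4', '<'))
+ {
+
+ $this->wph->set_static_environemnt_file( FALSE );
+
+ //copy over the new mu-loader version
+ WPH_functions::copy_mu_loader( TRUE );
+
+ if( ! $_triggered_flush_rules )
+ {
+ add_action('wp_loaded', array($this, 'flush_rules') , -1);
+ $_triggered_flush_rules = TRUE;
+ }
+
+ }
+
+
  //save the last code version
- $this->wph->settings['version'] = WPH_VERSION;
+ $this->wph->settings['version'] = WPH_CORE_VERSION;
  $this->wph->functions->update_settings($this->wph->settings);
 
  }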
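Review bot: The new 1.4 step ignores the outcome of `WPH_functions::copy_mu_loader( TRUE )` and of `set_static_environemnt_file( FALSE )`, yet the stored version is advanced to `WPH_CORE_VERSION` right afterwards, so a failed copy is never retried and the site may keep running the older mu-loader. If `copy_mu_loader` reports success or failure (its body is not shown here), check that result and record the new version only when the step succeeded. The block also omits the `$version = '1.4';` assignment that the earlier steps make, and it passes `FALSE` to a method that is declared without parameters in wph.class.php; a one-line comment saying why the argument is passed would help. The enclosing method starts outside these hunks.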
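--- a/include/wph.class.php
+++ b/include/wph.class.php
@@ -3,6 +3,7 @@
 
  class WPH
  {
+
  var $default_variables = array();
  var $templates_data = array();
  var $urls_replacement = array();
@@ -31,7 +32,13 @@
 
  function __construct()
  {
-
+ $this->functions = new WPH_functions();
+
+ $plugin_data = $this->functions->get_plugin_data( WPH_PATH . '/wp-hide.php', $markup = true, $translate = true );
+
+ define('WPH_CORE_VERSION', $plugin_data['Version']);
+ define('WPH_CORE_MULOADER_VERSION', '1.2');
+
  }
 
  function __destruct()
@@ -42,8 +49,7 @@
 
  function init()
  {
- $this->functions = new WPH_functions();
-
+
  $this->settings = $this->functions->get_settings();
 
  //set the urls_replacement priority blocks
@@ -51,9 +57,6 @@
  $this->urls_replacement['normal'] = array();
  $this->urls_replacement['low'] = array();
 
- //check for plugin update
- $this->update();
-
  //set whatever the server use htaccess or web.config configuration file
  $this->server_htaccess_config = $this->functions->server_use_htaccess_config_file();
  $this->server_web_config = $this->functions->server_use_web_config_file();
@@ -81,6 +84,9 @@
 
  $this->get_default_variables();
 
+ //check for plugin update
+ $this->update();
+
  //handle the conflicts
  $this->plugin_conflicts();
 
@@ -115,6 +121,9 @@
  //rebuild and change uppon settings modified
  add_action('wph/settings_changed', array($this, 'settings_changed'));
 
+ //create the static file which contain different environment variables which will be used on router
+ add_action('wph/settings_changed', array($this, 'set_static_environemnt_file'), 999);
+
  //apache
  add_filter('mod_rewrite_rules', array($this, 'mod_rewrite_rules'), 999);
  //IIS7 server
@@ -348,7 +357,7 @@
  echo "<div class='updated'><p>". __('Settings saved', 'wp-hide-security-enhancer') ."</p></div>";
  else
  {
- echo "<div class='error'><p>". __('Some errors occurred, no setting has been saved!', 'wp-hide-security-enhancer') ."</p></div>";
+ //echo "<div class='error'><p>". __('Some errors occurred, no setting has been saved!', 'wp-hide-security-enhancer') ."</p></div>";
  echo "<div class='error'><p>";
 
  foreach ($process_interface_save_errors as $error)
@@ -577,6 +586,81 @@
  flush_rewrite_rules();
  }
 
+
+ /**
+ * Create a staitc file which will be used in router
+ *
+ */
+ function set_static_environemnt_file()
+ {
+
+ $environment_variable = array();
+
+ $environment_variable['theme'] = array(
+ 'folder_name' => $this->templates_data['main']['folder_name'],
+ 'mapped_name' => $this->settings['module_settings']['new_theme_path']
+ );
+
+ if(isset($this->templates_data['child']))
+ {
+ $environment_variable['child_theme'] = array(
+ 'folder_name' => $this->templates_data['child']['folder_name'],
+ 'mapped_name' => $this->settings['module_settings']['new_theme_child_path']
+ );
+ }
+
+ $themes_url = untrailingslashit($this->templates_data['themes_url']);
+ $themes_url = str_replace(array("http://", "https://"), "", $themes_url);
+
+
+ $site_url = site_url();
+ $site_url = str_replace(array("http://", "https://"), "", $site_url);
+
+ $themes_url = str_replace($site_url, "", $themes_url);
+
+ //set the allowe paths
+ $environment_variable['allowed_paths'] = array( $themes_url );
+
+ global $wp_filesystem;
+
+ if (empty($wp_filesystem))
+ {
+ require_once (ABSPATH . '/wp-admin/includes/file.php');
+ WP_Filesystem();
+ }
+
+ ob_start();
+
+ echo "<?php ";
+ echo '$environment_variable = \''. json_encode($environment_variable) .'\'';
+ echo " ?>";
+
+ $file_data = ob_get_contents();
+ ob_end_clean();
+
+ if( ! $wp_filesystem->put_contents( WPH_PATH . 'router/environment.php', $file_data , 0644) )
+ {
+ $process_interface_save_errors = get_transient( 'wph-process_interface_save_errors' );
+ delete_transient( 'wph-process_interface_save_errors' );
+
+ $process_interface_save_errors[] = __('Unable to create environemnt static file. Is ', 'wp-hide-security-enhancer') . WPH_PATH . 'router/ ' . __('writable', 'wp-hide-security-enhancer') . '? <b>Remove description header from Style file</b> and <b>Child - Remove description header from Style file</b> ' . __('will not work correctly, so where turned off.', 'wp-hide-security-enhancer');
+
+ //disable certain options
+ $this->settings['module_settings']['style_file_clean'] = 'no';
+ $this->settings['module_settings']['child_style_file_clean'] = 'no';
+
+ //save the new options
+ $this->functions->update_settings($this->settings);
+
+ //regenerate permalinks
+ $this->settings_changed();
+
+ set_transient( 'wph-process_interface_save_errors', $process_interface_save_errors, HOUR_IN_SECONDS );
+ }
+
+ }
+
+
  function mod_rewrite_rules( $rules )
  {
  if($this->uninstall === TRUE)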
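Review bot: `set_static_environemnt_file()` generates PHP source by placing `json_encode($environment_variable)` between hand-written single quotes, and `json_encode` does not escape `'`, so a theme folder name or mapped path containing a quote ends the string literal early and whatever follows is parsed as PHP in `router/environment.php`. A JSON-escaped backslash is also altered when PHP reads it back from a single-quoted literal, which would corrupt the JSON. Let PHP build the literal instead: `echo '$environment_variable = ' . var_export( json_encode($environment_variable), true ) . ';';`. Separately, the return value of `WP_Filesystem()` is not checked, so `$wp_filesystem->put_contents(...)` can be reached without a usable filesystem object; test it and take the existing error path when initialisation fails.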
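--- a/modules/components/rewrite-new_plugin_path.php
+++ b/modules/components/rewrite-new_plugin_path.php
@@ -58,6 +58,9 @@
 
  $plugin_slug = sanitize_title($active_plugin);
 
+ if(!isset($all_plugins[$active_plugin]))
+ continue;
+
  $pluding_data = $all_plugins[$active_plugin];
 
  $this->module_settings[] = array(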
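--- a/modules/components/rewrite-new_theme_path.php
+++ b/modules/components/rewrite-new_theme_path.php
@@ -160,7 +160,7 @@
  //add_filter('theme_root_uri', array(&$this, 'theme_root_uri'), 999, 3);
 
  //add replacement url
- $this->wph->functions->add_replacement( untrailingslashit( $this->wph->default_variables['template_url']), trailingslashit( home_url() ) . $saved_field_data );
+ $this->wph->functions->add_replacement( trailingslashit( $this->wph->default_variables['template_url']), trailingslashit( trailingslashit( home_url() ) . $saved_field_data ) );
 
  }
 
@@ -301,7 +301,7 @@
  //add_filter('theme_root_uri', array(&$this, 'theme_root_uri'), 999, 3);
 
  //add replacement url
- $this->wph->functions->add_replacement( untrailingslashit( $this->wph->default_variables['stylesheet_uri'] ) , trailingslashit( home_url() ) . untrailingslashit( $saved_field_data ) );
+ $this->wph->functions->add_replacement( trailingslashit( $this->wph->default_variables['stylesheet_uri'] ) , trailingslashit( trailingslashit( home_url() ) . untrailingslashit( $saved_field_data ) ) );
 
  }
 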
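--- a/modules/components/rewrite-new_upload_path.php
+++ b/modules/components/rewrite-new_upload_path.php
@@ -127,7 +127,7 @@
  //$data['baseurl'] = $new_url;
 
  //add replacement
- if(!isset($this->wph->functions->replacement_exists[ $this->wph->default_variables['upload_url'] ]))
+ if(! ($this->wph->functions->replacement_exists( $this->wph->default_variables['upload_url'] )))
  {
  //prevent media images from being replaced on admin, as when plugin disable the links will not work anymore
  $block_upload_url = $this->wph->functions->get_module_item_setting('block_upload_url');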
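--- a/modules/components/rewrite-root-files.php
+++ b/modules/components/rewrite-root-files.php
@@ -93,6 +93,23 @@
 
  );
 
+ $this->module_settings[] = array(
+ 'id' => 'block_default_wp_register_php',
+ 'label' => 'Block wp-register.php',
+ 'description' => __('Block default wp-register.php file. This file is now deprecated however still exists within code and redirected to /register page.', 'wp-hide-security-enhancer'),
+
+ 'input_type' => 'radio',
+ 'options' => array(
+ 'yes' => __('Yes', 'wp-hide-security-enhancer'),
+ 'no' => __('No', 'wp-hide-security-enhancer'),
+ ),
+ 'default_value' => 'no',
+
+ 'sanitize_type' => array('sanitize_title', 'strtolower'),
+ 'processing_order' => 55
+
+ );
+
  $this->module_settings[] = array(
  'id' => 'block_other_wp_files',
  'label' => 'Block other wp-*.php files',
@@ -263,6 +280,35 @@
 
  return $processing_response;
  }
+
+
+ function _callback_saved_block_default_wp_register_php( $saved_field_data )
+ {
+ $processing_response = array();
+
+ if(empty($saved_field_data) || $saved_field_data == 'no')
+ return $processing_response;
+
+ $rewrite_file_base = !empty($this->wph->default_variables['wordpress_directory']) ? trailingslashit( $this->wph->default_variables['wordpress_directory'] ) . 'wp-signup.php' : 'wp-signup.php';
+
+ if($this->wph->server_htaccess_config === TRUE)
+ {
+ $text = "RewriteCond %{ENV:REDIRECT_STATUS} ^$\n";
+ $text .= "RewriteRule ^wp-register.php /index.php?wph-throw-404 [L]";
+ }
+
+ if($this->wph->server_web_config === TRUE)
+ $text = '
+ <rule name="wph-block_default_wp_register_php" stopProcessing="true">
+ <match url="^wp-register.php" />
+ <action type="Rewrite" url="'. $this->wph->default_variables['site_relative_path'] .'index.php?wph-throw-404" />
+ </rule>
+ ';
+
+ $processing_response['rewrite'] = $text;
+
+ return $processing_response;
+ }
 
  function _callback_saved_block_other_wp_files($saved_field_data)
  {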
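Review bot: In `_callback_saved_block_default_wp_register_php` the `$rewrite_file_base` value is built from `wp-signup.php` and then never used, which looks like a leftover from a neighbouring callback. The Apache rule hard-codes both `^wp-register.php` and `/index.php`, so it may not cover an install with a non-empty `wordpress_directory` or `site_relative_path`, whereas the IIS branch at least takes its target from `site_relative_path`. Build the base from `'wp-register.php'`, use it in the rule, and escape and anchor the pattern in both branches, e.g. `^wp-register\.php$`. `$text` is also undefined when neither `server_htaccess_config` nor `server_web_config` is TRUE, so initialise it with `$text = '';` before the two `if` blocks.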
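--- a/mu-loader/wp-hide-loader.php
+++ b/mu-loader/wp-hide-loader.php
@@ -15,10 +15,9 @@
  if( !in_array( 'wp-hide-security-enhancer/wp-hide.php' , $active_plugins) )
  return FALSE;
 
- define('WPH_VERSION', '1.3.9');
  define('WPH_PATH', trailingslashit( dirname( WP_PLUGIN_DIR . '/wp-hide-security-enhancer/wp-hide.php' ) ) );
  define('WPH_MULOADER', TRUE);
- define('WPH_MULOADER_VERSION', '1.1');
+ define('WPH_MULOADER_VERSION', '1.2');
 
  include_once(WPH_PATH . '/include/wph.class.php');
  include_once(WPH_PATH . '/include/functions.class.php');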
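--- a/readme.txt
+++ b/readme.txt
@@ -3,8 +3,8 @@ Contributors: nsp-code, tdgu
  Donate link: http://www.nsp-code.com/donate.php
  Tags: hide, security, improve security, hacking, wp hide, wordpress hide, custom login url, wp-loging.php, ap-admin
  Requires at least: 2.8
- Tested up to: 4.7.1
- Stable tag: 1.3.9.2
+ Tested up to: 4.7.2
+ Stable tag: 1.4
  License: GPLv2 or later
 
  Hide and increase Security for your WordPress website instance using smart techniques. No files are changed on your server.
@@ -239,6 +239,20 @@ Please get in touch with us and we'll do our best to include it for a next versi
 
  == Changelog ==
 
+ = 1.4 =
+ * Fix: Allow only css files to be processed through the router to prevent other types from being displayed arbitrary.
+ * Mu-loader updated version
+ * Environment allowed path to limit css files processing
+ * Include _get_plugin_data_markup_translate ratter WordPress method
+ * Fix: replacement_exists returned wrong response since not using priority keys
+ * Fix: Add media replacement, use correct replacement_exists function call
+ * Router check for client HTTP_ACCEPT_ENCODING type to start ob_start using ob_gzhandler or not.
+ * Update urls dynamically within stylesheets files e.g. include '../theme-name'
+ * Use trailingslashit for theme / child new urls to make sure it match full url instead partial theme name (e.g. main-theme and main-theme-child)
+ * Block wp-register.php
+ * get_home_path rely on DIRECTORY_SEPARATOR for better compatibility
+ * Check if plugin slug actually exists within all plugins list on re_plugin_path component
+
  = 1.3.9.2 =
  * Fix: Use of undefined constant WPH_VERSION
 
@@ -321,24 +335,6 @@ Please get in touch with us and we'll do our best to include it for a next versi
  * Removed 'admin_url' and 'wp_default_scripts' filters to allow replacement at the end, within the buffer
  * Updated PO / MO translation files
 
- = 1.3.4 =
- * Improved replacement code for Uploads, when "Block uploads URL" is set for "No" it use default media urls within the admin editor, to ensure links are still functional if plugin is disabled.
- * Priority (high, normal, low) for replacement urls
- * Replacement Urls for gziped buffer
- * Fix rule name for child_style_file_clean on web.config IIS
- * bbPress Compatibility
- * BuddyPress Compatibility
- * Prevent replacements on wp_redirect filter if is_404()
- * Updated PO / MO translation files
- * Removed in line components filters which changed the urls, leave for end buffering to make all changes.
- * Fix for mod_rewrite line on child theme when router is turned Off, append the default style.css filename
- * Improvements for Templates default variables to match customized themes like Sage
- * Compatibility fix for Super Cache plugin ob callback
- * Add IfModule mod_env.c before set nSetEnv HTTP_MOD_REWRITE On to prevent server internal error in case mod_env module is not available
- * Check for Empty $saved_field_data within new plugin path component, to avoid creating rewrite rule if empty and existent path
- * Improved get_home_path()
- * Replacements for Relative URL's
-
  See full list of changelogs at http://www.wp-hide.com/plugin-changelogs/
 
  == Upgrade Notice ==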
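--- a/router/file-process.php
+++ b/router/file-process.php
@@ -9,27 +9,70 @@
  die();
 
  //append doc root to path
- $file_path = $_SERVER["DOCUMENT_ROOT"] . $file_path;
+ $full_file_path = $_SERVER["DOCUMENT_ROOT"] . $file_path;
 
  //check if file exists
- if (!file_exists($file_path))
+ if (!file_exists($full_file_path))
  die();
-
- $WPH_FileProcess = new WPH_FileProcess();
-
- $WPH_FileProcess->action = $action;
- $WPH_FileProcess->file_path = $file_path;
 
+ //allow only style files
+ $pathinfo = pathinfo($full_file_path);
+ if(!isset($pathinfo['extension']) || strtolower($pathinfo['extension']) != 'css')
+ die();
+
+ $WPH_FileProcess = new WPH_FileProcess($action, $file_path);
  $WPH_FileProcess->run();
 
  class WPH_FileProcess
  {
  var $action;
  var $file_path;
+ var $full_file_path;
 
- function __construct()
+ var $environemnt;
+
+ function __construct( $action, $file_path )
  {
- ob_start("ob_gzhandler");
+ if (isset($_SERVER['HTTP_ACCEPT_ENCODING']) && strpos($_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip') !== false)
+ {
+ ob_start('ob_gzhandler'); ob_start();
+ }
+ else
+ {
+ ob_start();
+ }
+
+ $this->action = $action;
+ $this->file_path = $file_path;
+ $this->full_file_path = $_SERVER["DOCUMENT_ROOT"] . $file_path;
+
+ //load the environemtn data
+ $this->environment = new stdClass();
+
+ if(file_exists('environment.php'))
+ {
+ include('environment.php');
+ $this->environment = json_decode($environment_variable);
+ }
+
+ //check for allowed paths
+ if(!isset($this->environment->allowed_paths) || !is_array($this->environment->allowed_paths) || count($this->environment->allowed_paths) < 1)
+ die();
+
+ //check if the file is in allowed path
+ $found = FALSE;
+ foreach($this->environment->allowed_paths as $allowed_path)
+ {
+ if(strpos($this->file_path, $allowed_path) === 0)
+ {
+ $found = TRUE;
+ break;
+ }
+ }
+
+ if(! $found )
+ die();
+
  }
 
  function __destruct()
@@ -39,9 +82,14 @@
 
  echo $out;
  }
-
+
+ /**
+ * Process the action
+ *
+ */
  function run()
  {
+
  switch($this->action)
  {
  case 'style-clean' :
@@ -49,6 +97,7 @@
  break;
 
  }
+
  }
 
 
@@ -60,14 +109,26 @@
  header('Content-Type: text/css; charset=UTF-8');
  header('Expires: ' . gmdate( "D, d M Y H:i:s", time() + $expires_offset ) . ' GMT');
  header("Cache-Control: public, max-age=$expires_offset");
- header('Last-Modified: '.gmdate('D, d M Y H:i:s', filemtime($this->file_path)).' GMT', true);
+ header('Last-Modified: '.gmdate('D, d M Y H:i:s', filemtime($this->full_file_path)).' GMT', true);
 
- $handle = fopen($this->file_path, "r");
- $file_data = fread($handle, filesize($this->file_path));
+ $handle = fopen($this->full_file_path, "r");
+ $file_data = fread($handle, filesize($this->full_file_path));
  fclose($handle);
 
  $file_data = preg_replace('!/\*.*?\*/!s', '', $file_data);
  $file_data = preg_replace("/(^[\r\n]*|[\r\n]+)[\s\t]*[\r\n]+/", "\n", $file_data);
+
+
+ if(isset($this->environment->theme))
+ {
+ $var_theme = $this->environment->theme;
+ $file_data = str_replace('../' . $var_theme->folder_name .'/', '../' . $var_theme->mapped_name .'/', $file_data);
+ }
+ if(isset($this->environment->child_theme))
+ {
+ $var_theme = $this->environment->child_theme;
+ $file_data = str_replace('../' . $var_theme->folder_name .'/', '../' . $var_theme->mapped_name .'/', $file_data);
+ }
 
  echo $file_data;
 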
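Review bot: The allowed-path test in the new constructor, `strpos($this->file_path, $allowed_path) === 0`, compares the raw path string, so a path that begins with the themes prefix but contains `..` segments still passes while `DOCUMENT_ROOT . $file_path` resolves elsewhere. A path that merely shares the prefix passes too, because the stored value has no trailing slash, which is the same partial-match problem this release fixes for theme URLs. `$file_path` is assigned above the hunk and presumably comes from the request. Resolve the path with `realpath()` first, compare it against the resolved allowed directory plus a separator, and read from the resolved path, as sketched below. Separately, `var $environemnt;` declares a misspelled property while the code uses `$this->environment`, and `include('environment.php')` depends on the working directory; `__DIR__ . '/environment.php'` would pin it to the router folder.

```php
// … unchanged: output buffering, property assignment, environment.php load, allowed_paths presence check …

$doc_root  = realpath($_SERVER["DOCUMENT_ROOT"]);
$real_file = realpath($this->full_file_path);
if($doc_root === FALSE || $real_file === FALSE)
    die();

//check if the file is in allowed path
$found = FALSE;
foreach($this->environment->allowed_paths as $allowed_path)
    {
        $allowed_root = realpath($doc_root . DIRECTORY_SEPARATOR . trim($allowed_path, '/\\'));
        if($allowed_root !== FALSE && strpos($real_file, $allowed_root . DIRECTORY_SEPARATOR) === 0)
            {
                $found = TRUE;
                break;
            }
    }

if(! $found )
    die();

//read from the canonical path that was checked
$this->full_file_path = $real_file;
```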
wp-hide.php CHANGED
@@ -5,7 +5,7 @@ Plugin URI: http://www.nsp-code.com
5
  Description: Hide and increase Security for your WordPress website instance using smart techniques. No files are changed on your server.
6
  Author: Nsp Code
7
  Author URI: http://www.nsp-code.com
8
- Version: 1.3.9.2
9
  Text Domain: wp-hide-security-enhancer
10
  Domain Path: /languages/
11
  */
@@ -13,8 +13,7 @@ Domain Path: /languages/
13
  //if mu-plugins component not being loaded trigger a later init
14
  if(!defined('WPH_PATH'))
15
  {
16
-
17
- define('WPH_VERSION', '1.3.9');
18
  define('WPH_PATH', plugin_dir_path(__FILE__));
19
  include_once(WPH_PATH . '/include/wph.class.php');
20
  include_once(WPH_PATH . '/include/functions.class.php');
@@ -35,6 +34,7 @@ Domain Path: /languages/
35
  */
36
  ob_start(array($wph, 'ob_start_callback'));
37
 
 
38
  }
39
 
40
 
5
  Description: Hide and increase Security for your WordPress website instance using smart techniques. No files are changed on your server.
6
  Author: Nsp Code
7
  Author URI: http://www.nsp-code.com
8
+ Version: 1.4
9
  Text Domain: wp-hide-security-enhancer
10
  Domain Path: /languages/
11
  */
13
  //if mu-plugins component not being loaded trigger a later init
14
  if(!defined('WPH_PATH'))
15
  {
16
+
 
17
  define('WPH_PATH', plugin_dir_path(__FILE__));
18
  include_once(WPH_PATH . '/include/wph.class.php');
19
  include_once(WPH_PATH . '/include/functions.class.php');
34
  */
35
  ob_start(array($wph, 'ob_start_callback'));
36
 
37
+
38
  }
39
 
40