WP Hide & Security Enhancer - Version 1.7.8

Version Description

  • New Security Functionality - Headers. HTTP Response Headers are a powerful tool to Harden Your Website Security.
  • Security Headers - Cross-Origin-Embedder-Policy (COEP), Cross-Origin-Opener-Policy (COOP), Cross-Origin-Resource-Policy (CORP), X-Content-Type-Options, X-Download-Options, X-Frame-Options (XFO), X-Permitted-Cross-Domain-Policies, X-XSS-Protection.
  • Security Headers - Protection Level graph
  • Security Headers - Sample Setup
  • Security Headers - Recovery functionality
  • Styles and layout improvements
  • Code clean-up
  • Fix: Append URL arguments to login URL, if exists

Release Info

Developer nsp-code
Plugin WP Hide & Security Enhancer
Version 1.7.8

Code changes from version 1.7.6 to 1.7.8

Files changed (32)
  1. assets/css/graph.css +8 -0
  2. assets/css/wph-general.css +1 -0
  3. assets/css/wph.css +158 -64
  4. assets/js/wph.js +44 -1
  5. include/admin-interface.class.php +144 -93
  6. include/functions.class.php +266 -97
  7. include/module.class.php +1 -1
  8. include/wph.class.php +78 -31
  9. modules/components/admin-admin_url.php +0 -1
  10. modules/components/admin-new_wp_login_php.php +7 -3
  11. modules/components/rewrite-json-rest.php +1 -0
  12. modules/components/rewrite-new_theme_path.php +6 -6
  13. modules/components/rewrite-new_upload_path.php +1 -1
  14. modules/components/rewrite-new_xml-rpc-path.php +2 -1
  15. modules/components/rewrite-slash.php +1 -1
  16. modules/components/security-add_headers.php +179 -0
  17. modules/components/security-check_headers.php +309 -0
  18. modules/components/security-header-cross-origin-embedder-policy.php +150 -0
  19. modules/components/security-header-cross-origin-opener-policy.php +160 -0
  20. modules/components/security-header-cross-origin-resource-policy.php +153 -0
  21. modules/components/security-header-x-content-type-options.php +149 -0
  22. modules/components/security-header-x-download-options.php +147 -0
  23. modules/components/security-header-x-frame-options.php +154 -0
  24. modules/components/security-header-x-permitted-cross-domain-policies.php +167 -0
  25. modules/components/security-header-x-xss-protection.php +174 -0
  26. modules/module-admin.php +1 -1
  27. modules/module-cdn.php +1 -1
  28. modules/module-general.php +4 -1
  29. modules/module-rewrite.php +2 -4
  30. modules/module-security_headers.php +93 -0
  31. readme.txt +170 -144
  32. wp-hide.php +1 -1
assets/css/graph.css ADDED
@@ -0,0 +1,8 @@
 
 
 
 
 
 
 
 
1
+
2
+ #wph-headers-graph { position: relative; background-color: #fdfcf7; padding: 20px; display: inline-block;}
3
+ .wph-graph-container{ width:400px; height:200px; position: relative; overflow: hidden; text-align: center; }
4
+ .wph-graph-bg{ z-index: 1; position: absolute; background-color: rgba(255,215,186,.2); width: 400px; height: 200px; top: 0%; border-radius:250px 250px 0px 0px ;}
5
+ .wph-graph-text{ z-index: 3; position: absolute; width: 250px; height: 125px; top: 75px; margin-left: 75px; margin-right: auto; border-radius:250px 250px 0px 0px ; background-color: #fdfcf7;}
6
+ .wph-graph-progress{ z-index: 2; position: absolute; background-color: #229d51; width: 400px; height: 200px; top: 200px; margin-left: auto; margin-right: auto; border-radius:0px 0px 200px 200px ; transform-origin:center top; transition: all 1.3s ease-in-out; transform:rotate(0);}
7
+ .wph-graph-data{ z-index: 4;color: #000;font-size: 1.5em;line-height: 25px;position: absolute;width: 400px;height: 50px;top: 150px;margin-left: auto;margin-right: auto;transition: all 1s ease-out;font-size: 24px;}
8
+ .wph-graph-data span { font-size: 14px}
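Review bot: `.wph-graph-data` on new line 7 declares `font-size` twice (`font-size: 1.5em` near the start and `font-size: 24px` at the end); only the last one applies, so drop the `1.5em` declaration. The graph elements on lines 3-7 are also fixed at `width: 400px`, so the widget will not shrink on narrow admin screens; a `max-width: 100%` on `.wph-graph-container` would cover that.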
assets/css/wph-general.css ADDED
@@ -0,0 +1 @@
 
1
+ #adminmenu span.wph-info {display: inline-block;font-size: 9px;}
assets/css/wph.css CHANGED
@@ -1,11 +1,14 @@
1
  #wph h2.nav-tab-wrapper{padding-left: 10px;margin-right: 140px; padding-top: 0px;}
2
- #wph h2 .nav-tab {font-size: 12px; font-weight: bold; padding: 2px 8px 3px; margin-right: 0; margin-top: 5px;}
 
 
 
3
  #wph h2 #reset_settings{font-size: 11px; height: auto; line-height: 20px; padding: 1px 5px;}
4
  #wph .ajax_loading {display: none}
5
  #wph .postbox .inside { margin: 0; padding: 0;}
6
  #wph h3.handle {border-bottom: 1px solid #e1e1e1; font-size: 14px; line-height: 1.4; margin: 0; padding: 8px 12px;}
7
- #wph .postbox {margin-bottom: 10px}
8
- #wph .wph_input fieldset label { margin-bottom: 7px; display: inline-block; }
9
  #wph #reset_settings_form .reset_settings { margin-top: -31px;}
10
  #wph h2 #reset_settings, #wph #reset_settings_form .reset_settings { }
11
  #wph span.wph-pro {background-color: #f04d46; color:#FFF; font-weight: bold;display: inline-block; padding: 2px 4px;}
@@ -16,42 +19,150 @@
16
  transition: opacity 0.3s ease-in-out;}
17
  #wph .something-wrong:hover {opacity: 1;}
18
 
 
 
19
  .wph-postbox {display: flex; border-color: #e5e5e5}
20
 
21
  #wph .section_title {font-size: 13px; font-weight: bold; padding: 5px 15px 5px; border: 1px solid #ccc; display: inline-block; margin-right: 0;border-bottom: 1px solid #f1f1f1; background:#FFF; color: #000;}
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
22
 
23
- table.wph_input { border: 0 none; background: #fff; width: 50%}
24
- table.wph_input tbody tr td { padding: 10px 12px; border-top: 1px solid #f5f5f5; border-bottom: 0 none; width: 100%;box-sizing: border-box;}
25
- table.wph_input tbody tr td.np {padding: 0px}
26
- table.wph_input tbody tr:first-child td,
27
- table.wph_input tbody tr:first-child td.label { border-top: 0 none;}
28
- table.wph_input tbody tr td.data { padding-bottom: 20px;}
29
- table.wph_input tbody tr td.data p.description {font-size: 12px; margin-bottom: 15px;}
30
- table.wph_input .dashicons {overflow: hidden}
31
- table.wph_input .options {float: right; display: flex; margin: 0px; padding-top: 5px}
32
- table.wph_input .options ul {display: inline-block; }
33
- table.wph_input .options li { padding: 0px 3px}
34
- table.wph_input .options li a:focus, table.wph_input .options li a:active { outline: 0; border: none; -moz-outline-style: none; }
35
- table.wph_input .options li span {display:block;cursor: pointer; color: #797979; font-size: 17px;}
36
- table.wph_input .options li span:hover {color: #000}
37
- table.wph_input input[type=text],table.wph_input textarea,table.wph_input select{border-color:#dddddd; width: 100%; margin-left: 0px}
38
-
39
- table.wph_input .advanced.hide {display: none}
40
- table.wph_input .advanced_notice {background-color: #FFF; border: 1px solid #cfcfd1; border-left: 5px solid #7d6591; margin: 10px 0 10px -16px; display: flex; justify-content: center; padding: 10px 0}
41
- table.wph_input .advanced_notice .icon {flex: 0 0 60px; text-align: center; margin-top: auto; margin-bottom: auto;}
42
- table.wph_input .advanced_notice .icon img {max-width: 32px}
43
- table.wph_input .advanced_notice .text {width: 100%}
44
- table.wph_input .advanced_notice .text p {color:#4a4949; font-size: 13px;line-height: 17px;}
45
- table.wph_input .advanced_notice .actions {flex: 0 0 100px; text-align: center; vertical-align: middle; margin-top: auto; margin-bottom: auto;}
46
-
47
- table.wph_input .options_text{padding: 10px 0; border-left: 4px solid #0073aa;margin-left: -13px;padding-left: 10px; display: flex}
48
- table.wph_input .options_text.text_pre {margin-bottom: 10px;}
49
- table.wph_input .options_text.text_post {margin-top: 10px;}
50
- table.wph_input .options_text .icon {flex: 0 0 60px; text-align: center; margin-top: auto; margin-bottom: auto;}
51
- table.wph_input .options_text .icon img {max-width: 32px}
52
- table.wph_input .options_text .text {width: 100%}
53
- table.wph_input .options_text .text p {color:#4a4949; font-size: 13px;line-height: 17px;}
54
- table.wph_input .options_text .button {margin-left: 10px}
55
 
56
  .wph_help {width: 50%; background-color: #f9f9f9; padding: 0 20px; box-sizing: border-box; overflow: hidden; position:relative; border-left: 1px solid #f1f1f1}
57
  .wph_help::before { color: #ececec; content: "\f118";; display: block; font-family: dashicons; font-size: 232px; line-height: 1; position: absolute; right: 20px; text-align: center; top: 10%; width: 1em; z-index: 1}
@@ -61,39 +172,22 @@ table.wph_input .options_text .button {margin-left: 10px}
61
  .wph_help .text p a {text-decoration: none}
62
  .wph_help .text p .important {color: #d54e21;}
63
 
64
- table.inner_table tbody tr td {padding-bottom: 12px}
65
  .inner_table .description {margin-bottom: 3px; font-style: normal;}
66
  table .submit .submitdelete {line-height: 25px; text-align: left; vertical-align: middle;border-bottom-color: red; color: red; border-bottom-style: solid; border-bottom-width: 1px;padding: 1px 2px; text-decoration: none; margin-right: 20px}
67
  table .submit .submitdelete:hover {color:#FFF; background-color: red; border-color: red}
68
- table.wph_input tbody tr td.label { width: 25%; vertical-align: top; background: #F9F9F9; border-top: 1px solid #f0f0f0; border-right: none}
69
- table.wph_input tbody tr td.label.advanced {border-left: 4px solid orange;}
70
- table.apto_rules tbody tr td{border-top: 0 none;}
71
- table.wph_input img {vertical-align: middle;}
72
- table.even_table tr td {background-color:#FCFCFC}
73
- table.wph_input hr {border:1px dotted #E1E1E1; float: left; margin-left: 15px; width: 90%; border-style:none none dotted; color:#FFF; background:#FFF;}
74
- table table.wph_input tr td{}
75
- table.wph_input tbody tr td.param {width: 50%}
76
- .conditional_rules table.wph_input td.param{width: 40%}
77
- .conditional_rules table.wph_input td.comparison{width: 12%}
78
 
79
  table .select.multiple {height: 82px}
80
- table.wph_input tbody tr td h4 {margin: 0px; padding-bottom: 6px}
81
- table.wph_input tbody tr td h5 {font-size: 12px; font-weight: normal; margin: 0; padding-bottom: 6px; padding-top: 10px;}
82
- table.wph_input tbody tr td.label label{ font-size: 13px; font-weight: bold; padding: 0; margin: 0; color: #333; cursor: default }
83
- table.wph_input .label p, table.wph_input .label .description{ display: block; font-size: 12px; padding: 6px 0 !important; margin: 0 !important; font-style: normal; line-height: 16px; color: #999;}
84
- table.wph_input tbody tr td.label .description .important {color: #d54e21}
85
- table.wph_input tbody tr td.label .description .dashicons, table.wph_input tbody tr td.label .description span {display: inline-block}
86
- table.wph_input tbody tr td.label .description span {padding-left: 5px; line-height: 18px;}
87
- table.wph_input tbody tr td.label .description span a {display: block}
88
- table.wph_input tbody tr td.label .description span.important {color: #d54e21; padding-left: 0px }
89
- table.wph_input tbody tr td.label .description span.info {padding-left: 0px; color:#d54e21; font-style: italic;}
90
- table.wph_input tbody tr td.label .description .pointer {cursor:pointer}
91
- table.wph_input tbody tr td.label .description .notice-success, table.wph_input tbody tr td.label .description .notice-error {padding: 10px 12px; background-color: #fff;}
92
- table.wph_input tbody tr td.label .description a.button {display: inline-block; vertical-align: middle;}
93
- table.wph_input tbody tr.submit td { text-align: right}
94
- table.wph_input tbody tr.submit td.label {border-right: 1px solid #F9F9F9}
95
- table.wph_input select { padding: 2px;}
96
- table.wph_input input[type=text]:focus,table.wph_input textarea:focus,table.wph_input select:focus { border-color:#98B6CB;}
97
 
98
  .postbox h3 span {display: inline-block; vertical-align: middle}
99
 
@@ -153,6 +247,6 @@ h2.subtitle {font-size: 15px; font-style: italic; font-weight: bold}
153
  #info_box .text span.split {width: 100%}
154
 
155
  .wph-postbox {display: block}
156
- .wph_help, table.wph_input {width: 100%}
157
 
158
  }
1
  #wph h2.nav-tab-wrapper{padding-left: 10px;margin-right: 140px; padding-top: 0px;}
2
+ #wph h2 .nav-tab {font-size: 12px; font-weight: bold; padding: 2px 8px 3px; margin-right: 0; }
3
+ #wph h2 .nav-tab.header-active { border-left: 3px solid orange; }
4
+ #wph a.nav-tab.check-headers{ background-color: black; color: #FFF; border-color: #3e3e3e; padding: 14px; font-size: 14px;}
5
+ #wph a.nav-tab.check-headers:hover {background-color: #FFF; color:#000}
6
  #wph h2 #reset_settings{font-size: 11px; height: auto; line-height: 20px; padding: 1px 5px;}
7
  #wph .ajax_loading {display: none}
8
  #wph .postbox .inside { margin: 0; padding: 0;}
9
  #wph h3.handle {border-bottom: 1px solid #e1e1e1; font-size: 14px; line-height: 1.4; margin: 0; padding: 8px 12px;}
10
+ #wph .postbox {margin-bottom: 10px; overflow:hidden}
11
+ #wph .wph_input fieldset label { margin-bottom: 7px; display: block; }
12
  #wph #reset_settings_form .reset_settings { margin-top: -31px;}
13
  #wph h2 #reset_settings, #wph #reset_settings_form .reset_settings { }
14
  #wph span.wph-pro {background-color: #f04d46; color:#FFF; font-weight: bold;display: inline-block; padding: 2px 4px;}
19
  transition: opacity 0.3s ease-in-out;}
20
  #wph .something-wrong:hover {opacity: 1;}
21
 
22
+ #wph .wph-postbox {display: flex; border-color: #e5e5e5}
23
+
24
  .wph-postbox {display: flex; border-color: #e5e5e5}
25
 
26
  #wph .section_title {font-size: 13px; font-weight: bold; padding: 5px 15px 5px; border: 1px solid #ccc; display: inline-block; margin-right: 0;border-bottom: 1px solid #f1f1f1; background:#FFF; color: #000;}
27
+ #wph-check-headers {padding-top: 30px;}
28
+ #wph-check-headers .spinner {float: none}
29
+
30
+ .wph_input { border: 0 none; background: #fff; width: 50%}
31
+
32
+ .wph_input .dashicons {overflow: hidden}
33
+ .wph_input .options {float: right; display: flex; margin: 0px; padding-top: 5px}
34
+ .wph_input .options ul {display: inline-block; }
35
+ .wph_input .options li { padding: 0px 3px}
36
+ .wph_input .options li a:focus, .wph_input .options li a:active { outline: 0; border: none; -moz-outline-style: none; }
37
+ .wph_input .options li span {display:block;cursor: pointer; color: #797979; font-size: 17px;}
38
+ .wph_input .options li span:hover {color: #000}
39
+ .wph_input input[type=text],.wph_input textarea,.wph_input select{border-color:#dddddd; width: 100%; margin-left: 0px}
40
+
41
+ .wph_input .advanced.hide {display: none}
42
+ .wph_input .advanced_notice {background-color: #FFF; border: 1px solid #cfcfd1; border-left: 5px solid #7d6591; margin: 10px 0 10px -16px; display: flex; justify-content: center; padding: 10px 0}
43
+ .wph_input .advanced_notice .icon {flex: 0 0 60px; text-align: center; margin-top: auto; margin-bottom: auto;}
44
+ .wph_input .advanced_notice .icon img {max-width: 32px}
45
+ .wph_input .advanced_notice .text {width: 100%}
46
+ .wph_input .advanced_notice .text p {color:#4a4949; font-size: 13px;line-height: 17px;}
47
+ .wph_input .advanced_notice .actions {flex: 0 0 100px; text-align: center; vertical-align: middle; margin-top: auto; margin-bottom: auto;}
48
+
49
+ .wph_input .options_text{padding: 10px 0; border-left: 4px solid #0073aa;margin-left: -13px;padding-left: 10px; display: flex}
50
+ .wph_input .options_text.text_pre {margin-bottom: 10px;}
51
+ .wph_input .options_text.text_post {margin-top: 10px;}
52
+ .wph_input .options_text .icon {flex: 0 0 60px; text-align: center; margin-top: auto; margin-bottom: auto;}
53
+ .wph_input .options_text .icon img {max-width: 32px}
54
+ .wph_input .options_text .text {width: 100%}
55
+ .wph_input .options_text .text p {color:#4a4949; font-size: 13px;line-height: 17px;}
56
+ .wph_input .options_text .button {margin-left: 10px}
57
+
58
+
59
+ .wph_input { border: 0 none; background: #fff; width: 50%}
60
+ .wph_input.full_width {width: 100%;}
61
+ .wph_input .row.cell { padding: 10px 12px; border-top: 1px solid #f5f5f5; border-bottom: 0 none; width: 100%;box-sizing: border-box; line-height: 1.5em;}
62
+ .wph_input .row.cell.np {padding: 0px}
63
+ .wph_input .row:first-child.cell,
64
+ .wph_input .row:first-child.cell.label { border-top: 0 none;}
65
+ .wph_input .row.cell.data { padding-bottom: 20px;}
66
+ .wph_input .row.cell.data p.description {font-size: 12px; margin-bottom: 3px;}
67
+ .wph_input .row.cell.data .irow {display: flex; padding: 5px 0; position: relative; z-index: 1;}
68
+ .wph_input .row.cell.data .orow {position: relative; z-index: 1;}
69
+ .wph_input .row {align-items: center; position: relative; z-index: 1;}
70
+ .wph_input .row .action {display: flex; font-size: 24px; padding: 5px 0 5px 10px;}
71
+ .wph_input .row .action .dashicons {font-size: 20px}
72
+ .wph_input .row .irow .icon {display: flex; font-size: 20px; width: 50px; padding-top: 4px;}
73
+ .wph_input .row.xspacer {padding-bottom: 30px}
74
+ .wph_input .row.header{border-left: 3px solid orange;padding-left: 20px;}
75
+ .wph_input .row.header p {font-weight: bold}
76
+ .wph_input .dashicons {overflow: hidden}
77
+ .wph_input .options {float: right; display: flex; margin: 0px; padding-top: 5px}
78
+ .wph_input .options ul {display: inline-block; }
79
+ .wph_input .options li { padding: 0px 3px}
80
+ .wph_input .options li a:focus, .wph_input .options li a:active { outline: 0; border: none; -moz-outline-style: none; }
81
+ .wph_input .options li span {display:block;cursor: pointer; color: #797979; font-size: 17px;}
82
+ .wph_input .options li span:hover {color: #000}
83
+ .wph_input input[type=text],.wph_input textarea,.wph_input select{border-color:#dddddd; width: 100%; margin-left: 0px}
84
+ .wph_input #replacer_insert_root {display: none}
85
+
86
+ .inner_table .row.cell {padding-bottom: 12px}
87
+ .inner_table .description {margin-bottom: 3px; font-style: normal;}
88
+ table .submit .submitdelete {line-height: 25px; text-align: left; vertical-align: middle;border-bottom-color: red; color: red; border-bottom-style: solid; border-bottom-width: 1px;padding: 1px 2px; text-decoration: none; margin-right: 20px}
89
+ table .submit .submitdelete:hover {color:#FFF; background-color: red; border-color: red}
90
+ .wph_input .row.cell.label { vertical-align: top; background: #F9F9F9; border-top: 1px solid #f0f0f0; border-right: none}
91
+ .apto_rules .row.cell{border-top: 0 none;}
92
+ .wph_input img {vertical-align: middle;}
93
+ .even_table tr .cell {background-color:#FCFCFC}
94
+ .wph_input hr {border:1px dotted #E1E1E1; float: left; margin-left: 15px; width: 90%; border-style:none none dotted; color:#FFF; background:#FFF;}
95
+ table .wph_input tr .cell{}
96
+ .wph_input .row.cell.param {width: 50%}
97
+ .conditional_rules .wph_input .cell.param{width: 40%}
98
+ .conditional_rules .wph_input .cell.comparison{width: 12%}
99
+
100
+ .wph_input .advanced.hide {display: none}
101
+ .wph_input .advanced_notice {background-color: #FFF; border: 1px solid #cfcfd1; border-left: 5px solid #7d6591; margin: 10px 0 10px -17px; display: flex; justify-content: center; padding: 10px 0}
102
+ .wph_input .advanced_notice .icon {flex: 0 0 60px; text-align: center; margin-top: auto; margin-bottom: auto;}
103
+ .wph_input .advanced_notice .icon img {max-width: 32px}
104
+ .wph_input .advanced_notice .text {width: 100%}
105
+ .wph_input .advanced_notice .text p {color:#4a4949; font-size: 13px;line-height: 17px;}
106
+ .wph_input .advanced_notice .actions {flex: 0 0 100px; text-align: center; vertical-align: middle; margin-top: auto; margin-bottom: auto;}
107
+
108
+ .wph_input .options_text{padding: 10px 0; border-left: 4px solid #0073aa;margin-left: -13px;padding-left: 10px; display: flex}
109
+ .wph_input .options_text.text_pre {margin-bottom: 10px;}
110
+ .wph_input .options_text.text_post {margin-top: 10px;}
111
+ .wph_input .options_text .icon {flex: 0 0 60px; text-align: center; margin-top: auto; margin-bottom: auto;}
112
+ .wph_input .options_text .icon img {max-width: 32px}
113
+ .wph_input .options_text .text {width: 100%}
114
+ .wph_input .options_text .text p {color:#4a4949; font-size: 13px;line-height: 17px;}
115
+
116
+ .wph_help {width: 50%; background-color: #f9f9f9; padding: 0 20px; box-sizing: border-box; overflow: hidden; position:relative; border-left: 1px solid #f1f1f1}
117
+ .option_help::before { color: #ececec; content: "\f118";; display: block; font-family: dashicons; font-size: 232px; line-height: 1; position: absolute; right: 20px; text-align: center; top: 10%; width: 1em; z-index: 1}
118
+ .option_help .text { position: relative; z-index: 1;}
119
+ .option_help .text p, .option_help .text li {font-size: 12px; color: #999;}
120
+ .option_help .text p br {content: ""; margin: 3px; display: block; font-size: 24%;}
121
+ .option_help .text p img {max-width: 100%; height: auto}
122
+ .option_help .text p a {text-decoration: none}
123
+ .option_help .text .important {color: #d54e21;}
124
+ .option_help .text p b {color: #000000b8 }
125
+ .option_help .text li {padding-left: 10px}
126
+ .option_help .help-section {margin-top: 30px; padding: 10px 10px; background-color: #f4f4f4}
127
+ #wph .option_help .help-section h4 {margin-bottom: 10px}
128
+ .option_help .help-section p:first-of-type {margin: 0px}
129
+ .option_help .help-section #wph-recovery-link { margin: 0px}
130
+ #wph-recovery-link { padding: 5px; margin-top: 10px; background-color: #FFF; display: inline-block}
131
+
132
+ #wph-headers {margin-top: 30px; border-left: 4px solid orange;margin-left: -12px; padding-left: 12px;}
133
+ #wph-headers table {width: 100%}
134
+ #wph-headers thead th {font-weight: bold}
135
+ #wph-headers .security-header td:first-child{border-left: 5px solid #7d6591;}
136
+ #wph-headers-container .found-headers-info small {background-color: #f7fcfe; padding: 3px 5px; border: 1px dashed red;}
137
+ #wph-headers tr td{border-bottom: 1px solid #dddddd}
138
+ #wph-headers-container span.wph-pro {font-size: 10px;font-weight: normal;padding: 1px 3px;}
139
+
140
+ table .select.multiple {height: 82px}
141
+ .wph_input .row.cell h4 {margin: 0px; padding-bottom: 6px}
142
+ .wph_input .row.cell h5 {font-size: 12px; font-weight: normal; margin: 0; padding-bottom: 6px; padding-top: 10px;}
143
+ .wph_input .row.cell.label label{ font-size: 13px; font-weight: bold; padding: 0; margin: 0; color: #333; cursor: default }
144
+ .wph_input .row.cell.label p, .wph_input .row.cell.label .description{ display: block; font-size: 12px; padding: 6px 0 !important; margin: 0 !important; font-style: normal; line-height: 16px; color: #999;}
145
+ .wph_input .row.cell.label .description .important {color: #d54e21}
146
+ .wph_input .row.cell.label .description .dashicons, .wph_input .row.cell.label .description span {display: inline-block}
147
+ .wph_input .row.cell.label .description span {padding-left: 5px; line-height: 18px;}
148
+ .wph_input .row.cell.label .description span a {display: inline-block}
149
+ .wph_input .row.cell.label .description span.important {color: #d54e21; padding-left: 0px}
150
+ .wph_input .row.cell.label .description span.info {padding-left: 0px; color:#d54e21; font-style: italic;}
151
+ .wph_input .row.cell.label .description .pointer {cursor:pointer}
152
+ .wph_input .row.cell.label .description .notice-success, .wph_input .row.cell.label .description .notice-error {padding: 10px 12px; background-color: #fff;}
153
+ .wph_input .row.cell.label .description a.button {display: inline-block; vertical-align: middle;}
154
+ .wph_input .row.submit .cell { text-align: right}
155
+ .wph_input .row.submit .cell.label {border-right: 1px solid #F9F9F9}
156
+ .wph_input input[type=text],.wph_input textarea,.wph_input select{ width: 99.95%; outline: none;}
157
+ .wph_input textarea {min-height: 150px}
158
+ .wph_input textarea.ex_block {max-width: calc(100% - 30px);; vertical-align: top; min-height: 80px; max-height: 80px}
159
+ .wph_input .row.cell .replacement_field {width: 47%; display: inline-block; vertical-align: middle;}
160
+ .wph_input .row.cell .replacement_field.full_width {width: 100%; display: flex}
161
+ .wph_input .row.cell span.dashicons.close {font-size: 16px;}
162
+ .wph_input select { padding: 2px;}
163
+ .wph_input input[type=text]:focus,.wph_input textarea:focus,.wph_input select:focus { border-color:#98B6CB;}
164
+
165
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
166
 
167
  .wph_help {width: 50%; background-color: #f9f9f9; padding: 0 20px; box-sizing: border-box; overflow: hidden; position:relative; border-left: 1px solid #f1f1f1}
168
  .wph_help::before { color: #ececec; content: "\f118";; display: block; font-family: dashicons; font-size: 232px; line-height: 1; position: absolute; right: 20px; text-align: center; top: 10%; width: 1em; z-index: 1}
172
  .wph_help .text p a {text-decoration: none}
173
  .wph_help .text p .important {color: #d54e21;}
174
 
175
+ .inner_table tbody tr td {padding-bottom: 12px}
176
  .inner_table .description {margin-bottom: 3px; font-style: normal;}
177
  table .submit .submitdelete {line-height: 25px; text-align: left; vertical-align: middle;border-bottom-color: red; color: red; border-bottom-style: solid; border-bottom-width: 1px;padding: 1px 2px; text-decoration: none; margin-right: 20px}
178
  table .submit .submitdelete:hover {color:#FFF; background-color: red; border-color: red}
179
+ .wph_input .label { width: 25%; vertical-align: top; background: #F9F9F9; border-top: 1px solid #f0f0f0; border-right: none}
180
+ .wph_input .label.advanced {border-left: 4px solid orange;}
181
+ .apto_rules tbody tr td{border-top: 0 none;}
182
+ .wph_input img {vertical-align: middle;}
183
+ .even_table tr td {background-color:#FCFCFC}
184
+ .wph_input hr {border:1px dotted #E1E1E1; float: left; margin-left: 15px; width: 90%; border-style:none none dotted; color:#FFF; background:#FFF;}
185
+ table .wph_input tr td{}
186
+ .wph_input tbody tr td.param {width: 50%}
187
+ .conditional_rules .wph_input td.param{width: 40%}
188
+ .conditional_rules .wph_input td.comparison{width: 12%}
189
 
190
  table .select.multiple {height: 82px}
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
191
 
192
  .postbox h3 span {display: inline-block; vertical-align: middle}
193
 
247
  #info_box .text span.split {width: 100%}
248
 
249
  .wph-postbox {display: block}
250
+ .wph_help, .wph_input {width: 100%}
251
 
252
  }
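Review bot: Several rule sets are added twice in the `@@ -16,42 +19,150 @@` hunk: `.wph_input { border: 0 none; background: #fff; width: 50%}` at new lines 30 and 59, the `.wph_input .options` group at 32-39 and 76-83, the `.advanced_notice` group at 41-47 and 100-106, and the `.options_text` group at 49-56 and 108-114. The two `.advanced_notice` copies differ only in the left margin (`-16px` versus `-17px`), so the later value silently wins; keep one copy of each group. In the same hunk, new line 22 (`#wph .wph-postbox`) repeats the declarations of the unprefixed `.wph-postbox` rule kept as context on line 24, line 95 (`table .wph_input tr .cell{}`) is an empty rule, the `width: 100%` on lines 39 and 83 is overridden by `width: 99.95%` on line 156, and lines 117 and 158 each carry a stray `;;`.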
assets/js/wph.js CHANGED
@@ -24,7 +24,7 @@
24
 
25
  showAdvanced( element )
26
  {
27
- jQuery( element ).closest('.wph_input').find('tr.advanced').show('fast');
28
  jQuery( element ).closest('.advanced_notice').slideUp('fast', function() { jQuery(this).hide() });
29
 
30
 
@@ -76,6 +76,49 @@
76
  return false ;
77
  }
78
  }
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
79
 
80
  }
81
 
24
 
25
  showAdvanced( element )
26
  {
27
+ jQuery( element ).closest('.wph_input').find('div.advanced').show('fast');
28
  jQuery( element ).closest('.advanced_notice').slideUp('fast', function() { jQuery(this).hide() });
29
 
30
 
76
  return false ;
77
  }
78
  }
79
+
80
+
81
+ check_headers( nonce )
82
+ {
83
+ jQuery('#wph-check-headers .spinner').css( 'visibility', 'visible');
84
+
85
+ jQuery('#wph-headers-container').html('');
86
+ jQuery('#wph-headers-graph .wph-graph-data').html( 'Loading..' );
87
+ jQuery('#wph-headers-graph .wph-graph-progress').css( 'transform', 'rotate(0deg)')
88
+
89
+ jQuery.ajax({
90
+ type: 'POST',
91
+ url: ajaxurl,
92
+ dataType: "json",
93
+ data: {
94
+ 'action':'wph_check_headers',
95
+ 'nonce' : nonce
96
+ },
97
+ success:function(data) {
98
+ jQuery('#wph-check-headers .spinner').css( 'visibility', 'hidden');
99
+ jQuery('#wph-headers-container').html( data.html );
100
+ jQuery('#wph-headers-graph .wph-graph-data').html( data.graph.message );
101
+ jQuery('#wph-headers-graph .wph-graph-progress').css( 'transform', 'rotate(' + data.graph.value +'deg)')
102
+ },
103
+ error: function(errorThrown){
104
+ jQuery('#wph-check-headers .spinner').css( 'visibility', 'hidden');
105
+ jQuery('#wph-headers-container').html( 'Unable to call AJAX.' );
106
+ jQuery('#wph-headers-graph .wph-graph-data').html( data.graph.message );
107
+ jQuery('#wph-headers-graph .wph-graph-progress').css( 'transform', 'rotate(' + data.graph.value + 'deg);')
108
+ }
109
+ });
110
+ }
111
+
112
+
113
+ runSampleHeaders ()
114
+ {
115
+ var agree = confirm( wph_vars.run_sample_headers );
116
+ if ( !agree )
117
+ return false;
118
+
119
+ document.getElementById("wph-form").submit();
120
+
121
+ }
122
 
123
  }
124
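Review bot: The `error` callback added at new lines 103-107 reads `data.graph.message` and `data.graph.value`, but `data` is not defined in that scope (the callback's parameter is `errorThrown`), so it throws a ReferenceError right after writing 'Unable to call AJAX.' and the graph text stays on 'Loading..'. Set a fixed failure message and `rotate(0deg)` there instead; the `'deg);'` on line 107 also puts a semicolon inside the CSS value, which makes the declaration invalid. In the `success` callback, `data.html` and `data.graph.message` are passed to `.html()`, so everything the `wph_check_headers` action returns is parsed as markup: the handler has to escape any header names and values it reports, and `data.graph.message` can go through `.text()`. The server side of this call is not part of this hunk; it should verify the `nonce` and the caller's capability before doing any work.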
 
include/admin-interface.class.php CHANGED
@@ -65,7 +65,7 @@
65
 
66
  function _load_interface_data()
67
  {
68
- $this->module_settings = $this->functions->filter_settings( $this->module->get_module_settings($this->tab_slug ));
69
 
70
  $this->interface_data = $this->module->get_interface_data();
71
  }
@@ -132,7 +132,7 @@
132
  <?php
133
 
134
  if( $this->module->use_tabs === true )
135
- $this->_generate_interface_tabs();
136
 
137
  ?>
138
 
@@ -146,30 +146,47 @@
146
 
147
  <div class="inside">
148
 
149
- <form method="post" action="">
 
 
 
 
 
 
 
 
 
 
150
  <?php wp_nonce_field( 'wph/interface_fields', 'wph-interface-nonce' ); ?>
151
 
152
  <div class="options">
153
  <?php
 
 
154
 
155
  foreach($this->module_settings as $module_setting)
156
  {
157
- $this->_generate_module_html( $module_setting );
 
 
 
158
  }
159
 
160
  ?>
161
  </div>
162
-
163
- <table class="wph_submit widefat">
164
- <tbody>
165
- <tr class="submit">
166
- <td class="label">&nbsp;</td>
167
- <td class="label">
168
- <input type="submit" value="<?php _e('Save', 'wp-hide-security-enhancer') ?>" class="button-primary alignright">
169
- </td>
170
- </tr>
171
- </tbody>
172
- </table>
 
 
173
  </form>
174
  </div>
175
 
@@ -203,10 +220,8 @@
203
  return;
204
  }
205
 
206
-
207
  if($module_setting['visible'] === FALSE)
208
  return;
209
-
210
 
211
  $option_name = $module_setting['id'];
212
  $value = $this->wph->get_setting_value( $option_name, $module_setting );
@@ -217,27 +232,24 @@
217
 
218
  ?>
219
  <div class="postbox wph-postbox">
220
- <table class="wph_input widefat">
221
- <tbody>
222
-
223
- <tr>
224
- <td class="label<?php if ( $is_advanced ) { echo ' advanced'; } ?>">
225
  <ul class="options">
226
- <?php if ( $module_setting['input_type'] != 'radio' ) { ?>
227
- <li><span class="dashicons dashicons-rest-api" title='Generate random value for the field' onClick="WPH.randomWord( this, '<?php if ( ! empty ($module_setting['help']['input_value_extension'])) { echo $module_setting['help']['input_value_extension']; } ?>' )"></span></li>
228
- <li><span class="dashicons dashicons-admin-appearance" title='Remove the field value' onClick="WPH.clear( this )"></span></li>
229
- <?php } ?>
230
- <?php
231
-
232
- if ( $module_setting['help'] !== FALSE && ! empty( $module_setting['help']['option_documentation_url'] ))
233
- {
234
-
235
- ?>
236
- <li><a target="_blank" href="<?php echo $module_setting['help']['option_documentation_url'] ?>"><span class="dashicons dashicons-admin-links" title='Open option help page'></span></a></li>
237
- <?php
238
- }
239
- ?>
240
- </ul>
241
  <label for=""><?php echo $module_setting['label'] ?></label>
242
  <?php
243
 
@@ -278,62 +290,87 @@
278
  }
279
 
280
  ?>
281
-
282
- </td>
283
- </tr>
284
 
285
- <tr class="entry<?php if ( $is_advanced ) { echo ' advanced';} if ( $hide_advanced ) { echo ' hide'; } ?>">
286
- <td class="data">
287
- <?php if(!empty($module_setting['options_pre'])) { ?><div class="options_text text_pre"><?php echo $module_setting['options_pre'] ?></div><?php } ?>
288
- <?php if(!empty($module_setting['value_description'])) { ?><p class="description"><?php echo $module_setting['value_description'] ?></p><?php } ?>
289
- <?php
290
-
291
- switch($module_setting['input_type'])
292
- {
293
- case 'text' :
294
- $class = 'text';
295
-
296
- ?><input name="<?php echo $module_setting['id'] ?>" class="<?php echo $class ?>" value="<?php echo esc_html($value) ?>" placeholder="<?php echo esc_html($module_setting['placeholder']) ?>" type="text"><?php
297
-
298
- break;
299
-
300
- case 'textarea' :
301
- $class = 'textarea';
302
-
303
- ?><textarea rows="7" name="<?php echo $module_setting['id'] ?>" class="<?php echo $class ?>"><?php echo stripslashes ( esc_html($value) ) ?></textarea><?php
304
-
305
- break;
306
-
307
- case 'radio' :
308
- $class = 'radio';
309
-
310
- ?>
311
- <fieldset>
312
- <?php
313
-
314
- foreach($module_setting['options'] as $option_value => $option_title)
315
- {
316
- ?><label><input type="radio" class="<?php echo $class ?>" <?php checked($value, $option_value) ?> value="<?php echo $option_value ?>" name="<?php echo $module_setting['id'] ?>"> <span><?php echo esc_html($option_title) ?></span></label><br /><?php
317
- }
318
-
319
- ?>
320
- </fieldset>
321
- <?php
322
-
323
- break;
324
- }
325
-
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
326
  ?>
327
- <?php if(!empty($module_setting['options_post'])) { ?><div class="options_text text_post"><?php echo $module_setting['options_post'] ?></div><?php } ?>
328
- </td>
329
- </tr>
330
- </tbody>
331
- </table>
332
-
333
- <div class="wph_help<?php if ( $module_setting['help'] === FALSE ) { echo ' empty'; } ?>">
334
  <div class="text">
335
  <?php if ( $module_setting['help'] !== FALSE ) { ?>
336
- <h4><?php echo $module_setting['help']['title'] ?></h3>
337
  <p><?php echo $module_setting['help']['description'] ?></p>
338
  <?php } else { ?>
339
  <p>There is no help available for this option.</p>
@@ -341,19 +378,19 @@
341
  </div>
342
 
343
  </div>
344
-
345
- </div>
346
 
347
  <?php
348
 
349
  }
350
 
351
 
352
- function _generate_interface_tabs()
353
  {
354
 
355
  ?>
356
- <h2 class="nav-tab-wrapper">
357
  <?php
358
 
359
  //output all module components as tabs
@@ -365,6 +402,20 @@
365
  $class = '';
366
  if($module_component->id == $this->tab_slug)
367
  $class = 'nav-tab-active';
 
 
 
 
 
 
 
 
 
 
 
 
 
 
368
 
369
  ?>
370
  <a href="<?php echo esc_url(admin_url( 'admin.php?page=' . $this->screen_slug . '&component=' . $module_component->id)); ?>" class="nav-tab <?php echo $class ?>"><?php echo $module_component->title ?></a>
65
 
66
  function _load_interface_data()
67
  {
68
+ $this->module_settings = $this->functions->filter_settings( $this->module->get_module_components_settings($this->tab_slug ));
69
 
70
  $this->interface_data = $this->module->get_interface_data();
71
  }
132
  <?php
133
 
134
  if( $this->module->use_tabs === true )
135
+ $this->_generate_interface_tabs( $this->tab_slug );
136
 
137
  ?>
138
 
146
 
147
  <div class="inside">
148
 
149
+ <form method="post" id="wph-form" action="<?php
150
+
151
+ $args = array(
152
+ 'page' => isset($_GET['page']) ? $_GET['page'] : '',
153
+ 'component' => isset($_GET['component']) ? $_GET['component'] : '',
154
+ );
155
+
156
+ $url_query = http_build_query( $args );
157
+
158
+ echo esc_url(admin_url( 'admin.php?' . $url_query));
159
+ ?>">
160
  <?php wp_nonce_field( 'wph/interface_fields', 'wph-interface-nonce' ); ?>
161
 
162
  <div class="options">
163
  <?php
164
+
165
+ $require_save = FALSE;
166
 
167
  foreach($this->module_settings as $module_setting)
168
  {
169
+ $this->_generate_module_html( $module_setting );
170
+
171
+ if ( isset ( $module_setting['require_save'] ) && $module_setting['require_save'] )
172
+ $require_save = TRUE;
173
  }
174
 
175
  ?>
176
  </div>
177
+
178
+ <?php if ( $require_save ) { ?>
179
+ <table class="wph_submit widefat">
180
+ <tbody>
181
+ <tr class="submit">
182
+ <td class="label">&nbsp;</td>
183
+ <td class="label">
184
+ <input type="submit" value="<?php _e('Save', 'wp-hide-security-enhancer') ?>" class="button-primary alignright">
185
+ </td>
186
+ </tr>
187
+ </tbody>
188
+ </table>
189
+ <?php } ?>
190
  </form>
191
  </div>
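Review bot: lines 152-153 copy `$_GET['page']` and `$_GET['component']` into the form action without validating them. `http_build_query()` followed by `esc_url()` keeps the printed attribute safe, but the form still posts back to whatever slugs the request supplied. The tab links in this file already build the same URL from `$this->screen_slug` and a component id, so building `$args` from `$this->screen_slug` and `$this->tab_slug` (or at least passing both values through `sanitize_key()`) would stop the action depending on raw request data.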
192
 
220
  return;
221
  }
222
 
 
223
  if($module_setting['visible'] === FALSE)
224
  return;
 
225
 
226
  $option_name = $module_setting['id'];
227
  $value = $this->wph->get_setting_value( $option_name, $module_setting );
232
 
233
  ?>
234
  <div class="postbox wph-postbox">
235
+ <div class="wph_input widefat<?php if ( $module_setting['interface_help_split'] === FALSE ) { echo ' full_width';} ?> option-<?php echo $option_name ?>">
236
+ <div class="row cell label <?php if ( $is_advanced ) { echo ' advanced'; } ?>">
 
 
 
237
  <ul class="options">
238
+ <?php if ( $module_setting['input_type'] == 'text' ) { ?>
239
+ <li><span class="tips dashicons dashicons-rest-api" title='Generate random value for the field' onClick="WPH.randomWord( this, '<?php if ( ! empty ($module_setting['help']['input_value_extension'])) { echo $module_setting['help']['input_value_extension']; } ?>' )"></span></li>
240
+ <li><span class="tips dashicons dashicons-admin-appearance" title='Remove the field value' onClick="WPH.clear( this )"></span></li>
241
+ <?php } ?>
242
+ <?php
243
+
244
+ if ( $module_setting['help'] !== FALSE && ! empty( $module_setting['help']['option_documentation_url'] ))
245
+ {
246
+
247
+ ?>
248
+ <li><a target="_blank" href="<?php echo $module_setting['help']['option_documentation_url'] ?>"><span class="tips dashicons dashicons-admin-links" title='Open option help page'></span></a></li>
249
+ <?php
250
+ }
251
+ ?>
252
+ </ul>
253
  <label for=""><?php echo $module_setting['label'] ?></label>
254
  <?php
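Review bot: three values in this block are echoed into attributes with no escaping. Line 235 prints `option-<?php echo $option_name ?>` into `class`, line 239 prints `$module_setting['help']['input_value_extension']` inside a single-quoted JavaScript string in `onClick`, and line 248 prints `option_documentation_url` into `href`. Since these lines are being rewritten anyway, wrap them in `esc_attr()`, `esc_js()` and `esc_url()` respectively, so a module definition containing a quote or a `javascript:` URL cannot break out of the markup. The condition change on line 238 from `!= 'radio'` to `== 'text'` also hides the random/clear icons for `textarea` fields; say so in the changelog if that is intended.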
255
 
290
  }
291
 
292
  ?>
293
+
294
+ </div>
 
295
 
296
+ <div class="row cell data entry<?php if ( $is_advanced ) { echo ' advanced';} if ( $hide_advanced ) { echo ' hide'; } ?>">
297
+ <?php
298
+
299
+ if ( $module_setting['interface_help_split'] === FALSE ) { ?>
300
+ <div class="option_help<?php if ( $module_setting['help'] === FALSE ) { echo ' empty'; } ?>">
301
+ <div class="text">
302
+ <?php if ( ! empty ( $module_setting['help']['title'] ) ) { ?>
303
+ <h4><?php echo $module_setting['help']['title'] ?></h3>
304
+ <?php } ?>
305
+ <?php if ( $module_setting['help'] !== FALSE ) { ?>
306
+ <p><?php echo wpautop ( $module_setting['help']['description'] ) ?></p>
307
+ <?php } else { ?>
308
+ <p>There is no help available for this option.</p>
309
+ <?php }?>
310
+ </div>
311
+
312
+ </div>
313
+ <?php } ?>
314
+
315
+ <?php if(!empty($module_setting['options_pre'])) { ?><div class="options_text text_pre"><?php echo $module_setting['options_pre'] ?></div><?php } ?>
316
+ <div class="orow">
317
+ <?php if ( isset($module_setting['module_option_html_render']) && is_callable($module_setting['module_option_html_render']))
318
+ {
319
+ call_user_func($module_setting['module_option_html_render'], $module_setting);
320
+ }
321
+ else
322
+ {
323
+ if(!empty($module_setting['value_description'])) { ?><p class="description"><?php echo $module_setting['value_description'] ?></p><?php } ?>
324
+ <!-- WPH Preserve - Start -->
325
+ <?php
326
+
327
+ switch($module_setting['input_type'])
328
+ {
329
+ case 'text' :
330
+ $class = 'text';
331
+
332
+ ?><input name="<?php echo $module_setting['id'] ?>" class="<?php echo $class ?>" value="<?php echo esc_html($value) ?>" placeholder="<?php echo esc_html($module_setting['placeholder']) ?>" type="text"><?php
333
+
334
+ break;
335
+
336
+ case 'textarea' :
337
+ $class = 'textarea';
338
+
339
+ ?><textarea rows="7" name="<?php echo $module_setting['id'] ?>" class="<?php echo $class ?>"><?php echo stripslashes ( esc_html($value) ) ?></textarea><?php
340
+
341
+ break;
342
+
343
+ case 'radio' :
344
+ $class = 'radio';
345
+
346
+ ?>
347
+ <fieldset>
348
+ <?php
349
+
350
+ foreach($module_setting['options'] as $option_value => $option_title)
351
+ {
352
+ ?><label><input type="radio" class="<?php echo $class ?>" <?php checked($value, $option_value) ?> value="<?php echo $option_value ?>" name="<?php echo $module_setting['id'] ?>"> <span><?php echo esc_html($option_title) ?></span></label><?php
353
+ }
354
+
355
+ ?>
356
+ </fieldset>
357
+ <?php
358
+
359
+ break;
360
+ }
361
+ ?><!-- WPH Preserve - Stop --><?php
362
+ }
363
  ?>
364
+ </div>
365
+ <?php if(!empty($module_setting['options_post'])) { ?><div class="options_text text_post"><?php echo $module_setting['options_post'] ?></div><?php } ?>
366
+
367
+ </div>
368
+ </div>
369
+ <?php if ( $module_setting['interface_help_split'] ) { ?>
370
+ <div class="wph_help option_help<?php if ( $module_setting['help'] === FALSE ) { echo ' empty'; } ?>">
371
  <div class="text">
372
  <?php if ( $module_setting['help'] !== FALSE ) { ?>
373
+ <h4><?php echo $module_setting['help']['title'] ?></h4>
374
  <p><?php echo $module_setting['help']['description'] ?></p>
375
  <?php } else { ?>
376
  <p>There is no help available for this option.</p>
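Review bot: line 303 opens `<h4>` and closes it with `</h3>`. The same typo is corrected on line 373, so the new inline help block should get the same fix. Also in that block, line 306 wraps `wpautop()` output in `<p>`, which nests paragraphs, so drop the outer `<p>` or the `wpautop()` call. For the inputs carried over at lines 332 and 352: `esc_html()` is used inside `value=` and `placeholder=` where `esc_attr()` is the matching function, and `$option_value` and `$module_setting['id']` are echoed into attributes unescaped. Finally, line 319 calls whatever `module_option_html_render` holds; a short comment stating that the callback is responsible for escaping its own output would help component authors.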
378
  </div>
379
 
380
  </div>
381
+ <?php } ?>
382
+ </div>
383
 
384
  <?php
385
 
386
  }
387
 
388
 
389
+ function _generate_interface_tabs( $tab_slug )
390
  {
391
 
392
  ?>
393
+ <h2 class="nav-tab-wrapper <?php echo $tab_slug ?>">
394
  <?php
395
 
396
  //output all module components as tabs
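Review bot: line 393 echoes `$tab_slug` into the `class` attribute of the tab wrapper unescaped. The caller passes `$this->tab_slug`, and if that value can come from the `component` request parameter this is a reflected injection point in an admin page. Use `<?php echo esc_attr( $tab_slug ) ?>` or `sanitize_html_class( $tab_slug )`. The new required parameter also duplicates `$this->tab_slug`, which the method body already reads on line 403; either use the property in both places or the argument in both.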
402
  $class = '';
403
  if($module_component->id == $this->tab_slug)
404
  $class = 'nav-tab-active';
405
+
406
+ $class .= ' ' . $module_component->id;
407
+
408
+ if ( is_a ( $this->module, 'WPH_module_security_headers' ) )
409
+ {
410
+ $module_settings = $module_component->get_module_settings();
411
+ if ( isset ( $module_settings[0] ) )
412
+ {
413
+ $module_component_settings = $module_settings[0];
414
+ $values = $this->wph->functions->get_module_item_setting( $module_component_settings['id'] );
415
+ if ( isset ( $values['enabled'] ) && $values['enabled'] == 'yes' )
416
+ $class .= ' header-active';
417
+ }
418
+ }
419
 
420
  ?>
421
  <a href="<?php echo esc_url(admin_url( 'admin.php?page=' . $this->screen_slug . '&component=' . $module_component->id)); ?>" class="nav-tab <?php echo $class ?>"><?php echo $module_component->title ?></a>
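Review bot: line 408 hard-codes `is_a( $this->module, 'WPH_module_security_headers' )` inside the generic tab renderer and then assumes the first entry of `get_module_settings()` is the one carrying `enabled`. That couples the shared interface class to one module and to the ordering of its settings. Consider letting the component report its own state (for example a method on the component that returns whether it is active, which is a suggestion and not an existing API) and having the renderer only append the class. Line 406 also adds `$module_component->id` to `$class`, which is echoed unescaped on line 421 together with `$module_component->title`; `esc_attr()` and `esc_html()` belong there.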
include/functions.class.php CHANGED
@@ -32,6 +32,10 @@
32
  'options' => array(),
33
  'options_post' => '',
34
 
 
 
 
 
35
  //callback function when components run. Default being set for _init_{$field_id}
36
  'callback' => '',
37
  //callback function to return the rewrite code, Default being set for _callback_saved_{$field_id}
@@ -39,15 +43,21 @@
39
  //PassThrough any additional arguments
40
  'callback_arguments' => array(),
41
 
 
 
 
 
 
 
42
  'processing_order' => 10,
43
  );
44
 
45
  return $defaults;
46
  }
47
 
48
- function filter_settings($module_settings, $strip_splits = FALSE)
49
  {
50
- if(!is_array($module_settings) || count($module_settings) < 1)
51
  return $module_settings;
52
 
53
  $defaults = $this->get_module_default_setting();
@@ -169,11 +179,11 @@
169
  $unique_require_updated_settings = array();
170
 
171
  //proces the fields
172
- $module_settings = $this->filter_settings( $module->get_module_settings($tab_slug) );
173
 
174
  $processed_fields = array();
175
 
176
- foreach($module_settings as $module_setting)
177
  {
178
  if(isset($module_setting['type']) && $module_setting['type'] == 'split')
179
  continue;
@@ -182,20 +192,30 @@
182
 
183
  $processed_fields[] = $field_name;
184
 
185
- $value = isset($_POST[$field_name]) ? sanitize_text_field($_POST[$field_name]) : '';
186
-
187
- //if empty use the default
188
- if(empty($value))
189
- $value = $module_setting['default_value'];
190
-
191
- //sanitize value
192
- foreach($module_setting['sanitize_type'] as $sanitize)
193
  {
194
- $value = call_user_func_array($sanitize, array($value));
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
195
  }
196
 
197
  //held the value
198
- if ($module_setting['input_type'] == 'text' && !empty( $value ))
199
  {
200
  //if require unique, save for postprocessing
201
  $unique_require_updated_settings[ $field_name ] = array(
@@ -601,29 +621,7 @@
601
  $this->wph->server_nginx_config = TRUE;
602
 
603
  }
604
-
605
-
606
-
607
- /**
608
- * return whatever server using the .htaccess config file
609
- *
610
- */
611
- function server_use_htaccess_config_file()
612
- {
613
-
614
- $home_path = $this->get_home_path();
615
- $htaccess_file = $home_path . DIRECTORY_SEPARATOR . '.htaccess';
616
-
617
- if ((!file_exists($htaccess_file) && $this->using_mod_rewrite_permalinks()) || is_writable($htaccess_file))
618
- {
619
- if ( $this->got_mod_rewrite() )
620
- return TRUE;
621
- }
622
-
623
- return FALSE;
624
-
625
- }
626
-
627
 
628
  function using_mod_rewrite_permalinks()
629
  {
@@ -647,58 +645,6 @@
647
  return preg_match( '#^/*' . $index . '#', $permalink_structure );
648
 
649
  }
650
-
651
- function got_mod_rewrite()
652
- {
653
-
654
- if ($this->apache_mod_loaded('mod_rewrite', true))
655
- return TRUE;
656
-
657
- return FALSE;
658
-
659
- }
660
-
661
-
662
- /**
663
- * Does the specified module exist in the Apache config?
664
- *
665
- * @since 2.5.0
666
- *
667
- * @global bool $is_apache
668
- *
669
- * @param string $mod The module, e.g. mod_rewrite.
670
- * @param bool $default Optional. The default return value if the module is not found. Default false.
671
- * @return bool Whether the specified module is loaded.
672
- */
673
- function apache_mod_loaded($mod, $default = false)
674
- {
675
-
676
- if ( !$this->is_apache() )
677
- return false;
678
-
679
- if ( function_exists( 'apache_get_modules' ) )
680
- {
681
- $mods = apache_get_modules();
682
- if ( in_array($mod, $mods) )
683
- return true;
684
- }
685
- elseif (getenv('HTTP_MOD_REWRITE') !== FALSE)
686
- {
687
- $mod_found = getenv('HTTP_MOD_REWRITE') == 'On' ? true : false ;
688
- return $mod_found;
689
- }
690
- elseif ( function_exists( 'phpinfo' ) && false === strpos( ini_get( 'disable_functions' ), 'phpinfo' ) ) {
691
- ob_start();
692
- phpinfo(8);
693
- $phpinfo = ob_get_clean();
694
- if ( false !== strpos($phpinfo, $mod) )
695
- return true;
696
-
697
- }
698
-
699
- return $default;
700
-
701
- }
702
 
703
 
704
  /**
@@ -930,7 +876,7 @@
930
  function show_recovery()
931
  {
932
  ?>
933
- <p class="important framed"><span class="dashicons dashicons-warning important" alt="f534"></span> <?php _e('Copy the following link to a safe place. You can use it later to reset all plugin options if something goes wrong or lost the new login URL.', 'wp-hide-security-enhancer') ?> <b><span id="wph-recovery-link" onClick="WPH.selectText( 'wph-recovery-link' )"><?php echo trailingslashit ( home_url() ) ?>?wph-recovery=<?php echo $this->get_recovery_code() ?></span></b></p>
934
  <?php
935
 
936
  }
@@ -1096,8 +1042,11 @@
1096
  if ( ! empty ($response['response']['message'] ) )
1097
  $response_message .= ":" . $response['response']['message'];
1098
 
1099
- $messages['server_check'] = __( "A custom rewrite line has been inserted into your rewrite file for testing, the ", 'wp-hide-security-enhancer' ) . '<b><a target="_blank" href="' . $test_url . '">' . __( "Test URL", 'wp-hide-security-enhancer' ) . '</a></b> '. __( "expected to return a JSON response (contains a name and description) The server instead replied a", 'wp-hide-security-enhancer' ) . ' <b class="highlight">' . $response['response']['code'] . '</b> ' . __( "error with the message", 'wp-hide-security-enhancer' ) . ' <b class="highlight">' . $response['response']['message'] . '</b><br />';
1100
- $messages['server_check'] .= __( "You need to get in touch with your server support for a fix, the rewrite engine is either disabled for your account or their internal set-up does not allow such rewrites. ", 'wp-hide-security-enhancer' );
 
 
 
1101
 
1102
  $response_message .= '<br />' . $messages['server_check'];
1103
 
@@ -1996,8 +1945,8 @@
1996
  $to = get_option('admin_email');
1997
  $subject = get_option('blogname') . ' - WP Hide Recovery Link';
1998
  $message = __('Hello', 'wp-hide-security-enhancer') . ", \n\n"
1999
- . __('This is an automated message to inform that you can always use a recovery link if something go wrong', 'wp-hide-security-enhancer') . ": " . home_url() . '?wph-recovery='. $this->get_recovery_code() . "\n\n"
2000
- . __('Please keep this url to a safe place.', 'wp-hide-security-enhancer') . ".";
2001
  $headers = 'From: '. get_option('blogname') .' <'. get_option('admin_email') .'>' . "\r\n";
2002
 
2003
  if ( ! function_exists( 'wp_mail' ) )
@@ -2024,16 +1973,49 @@
2024
  if(empty($wph_recovery) || $wph_recovery != $this->wph->settings['recovery_code'])
2025
  return;
2026
 
2027
- $settings['module_settings'] = $this->reset_settings();
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
2028
 
2029
  //update the settings
2030
  $this->update_settings( $settings );
 
2031
 
2032
  //available for mu-plugins
2033
  do_action('wph/do_recovery');
2034
 
2035
  //add filter for rewriting the rules
2036
- add_action('wp_loaded', array($this, 'wp_loaded_trigger_do_recovery'));
 
 
 
2037
 
2038
  }
2039
 
@@ -2047,7 +2029,7 @@
2047
  foreach($this->wph->modules as $module)
2048
  {
2049
  //proces the fields
2050
- $module_settings = $this->filter_settings( $module->get_module_settings(), TRUE );
2051
 
2052
  foreach($module_settings as $module_setting)
2053
  {
@@ -2128,6 +2110,193 @@
2128
  die();
2129
 
2130
  }
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
2131
 
2132
  /**
2133
  * Replace a filter / action from anonymous object
32
  'options' => array(),
33
  'options_post' => '',
34
 
35
+ 'interface_help_split' => TRUE,
36
+
37
+ 'require_save' => TRUE,
38
+
39
  //callback function when components run. Default being set for _init_{$field_id}
40
  'callback' => '',
41
  //callback function to return the rewrite code, Default being set for _callback_saved_{$field_id}
43
  //PassThrough any additional arguments
44
  'callback_arguments' => array(),
45
 
46
+ //custom html render content for this module component option
47
+ 'module_option_html_render' => '',
48
+
49
+ //custom processing (interface save) for this module component option
50
+ 'module_option_processing' => '',
51
+
52
  'processing_order' => 10,
53
  );
54
 
55
  return $defaults;
56
  }
57
 
58
+ function filter_settings( $module_settings, $strip_splits = FALSE )
59
  {
60
+ if( ! is_array( $module_settings ) || count( $module_settings ) < 1)
61
  return $module_settings;
62
 
63
  $defaults = $this->get_module_default_setting();
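Review bot: the two new defaults on lines 47 and 50 are documented only by a one-line comment, while the callers depend on a specific contract. The render callback receives `$module_setting` and must print its own HTML, and the processing callback must return an array with a `value` key, because the save path reads `$results['value']`. Please document the expected signature and return shape next to these defaults, and state whether the processing callback is expected to read and sanitize `$_POST` itself.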
179
  $unique_require_updated_settings = array();
180
 
181
  //proces the fields
182
+ $module_settings = $this->filter_settings( $module->get_module_components_settings($tab_slug) );
183
 
184
  $processed_fields = array();
185
 
186
+ foreach ( $module_settings as $module_setting )
187
  {
188
  if(isset($module_setting['type']) && $module_setting['type'] == 'split')
189
  continue;
192
 
193
  $processed_fields[] = $field_name;
194
 
195
+ if ( isset($module_setting['module_option_processing']) && is_callable( $module_setting['module_option_processing']) )
 
 
 
 
 
 
 
196
  {
197
+ $results = call_user_func( $module_setting['module_option_processing'], $module_setting );
198
+
199
+ $value = $results['value'];
200
+ }
201
+ else
202
+ {
203
+
204
+ $value = isset($_POST[$field_name]) ? sanitize_text_field($_POST[$field_name]) : '';
205
+
206
+ //if empty use the default
207
+ if(empty($value))
208
+ $value = $module_setting['default_value'];
209
+
210
+ //sanitize value
211
+ foreach($module_setting['sanitize_type'] as $sanitize)
212
+ {
213
+ $value = call_user_func_array( $sanitize, array( $value ) );
214
+ }
215
  }
216
 
217
  //held the value
218
+ if ( $module_setting['input_type'] == 'text' && ! empty( $value ))
219
  {
220
  //if require unique, save for postprocessing
221
  $unique_require_updated_settings[ $field_name ] = array(
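Review bot: when `module_option_processing` is set (lines 195-200), the returned `$results['value']` is stored as is, skipping `sanitize_text_field()`, the default-value fallback and the whole `sanitize_type` chain that the `else` branch applies. Every custom callback therefore becomes solely responsible for sanitizing request data, and nothing here enforces that. At minimum check `is_array( $results ) && isset( $results['value'] )` before using it, and consider still running the `sanitize_type` callbacks on the result, so a component that forgets to sanitize cannot write raw POST data into the settings and later into the rewrite file.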
621
  $this->wph->server_nginx_config = TRUE;
622
 
623
  }
624
+
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
625
 
626
  function using_mod_rewrite_permalinks()
627
  {
645
  return preg_match( '#^/*' . $index . '#', $permalink_structure );
646
 
647
  }
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
648
 
649
 
650
  /**
876
  function show_recovery()
877
  {
878
  ?>
879
+ <p class="important framed"><span class="dashicons dashicons-warning important" alt="f534"></span> <?php _e('Copy the following link to a safe place. You can use it later to reset all plugin options if something goes wrong or lost the new login URL.', 'wp-hide-security-enhancer') ?><br /><span id="wph-recovery-link" onClick="WPH.selectText( 'wph-recovery-link' )"><?php echo trailingslashit ( home_url() ) ?>?wph-recovery=<?php echo $this->get_recovery_code() ?></span></b></p>
880
  <?php
881
 
882
  }
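Review bot: line 879 removes the opening `<b>` before the recovery link but leaves the closing `</b>` after the `</span>`, so the paragraph now has an unbalanced tag. Drop the `</b>` as well. While touching this line, the URL is assembled from `home_url()` and `get_recovery_code()` and echoed unescaped; wrapping the output in `esc_html()` (or building it once with `esc_url()`) costs nothing here.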
1042
  if ( ! empty ($response['response']['message'] ) )
1043
  $response_message .= ":" . $response['response']['message'];
1044
 
1045
+ $messages['server_check'] = __( "A custom rewrite line has been inserted into your rewrite file for testing. The ", 'wp-hide-security-enhancer' ) . '<b><a target="_blank" href="' . $test_url . '">' . __( "Test URL", 'wp-hide-security-enhancer' ) . '</a></b> '. __( "expected to return a JSON response (contains a name and description) The server instead replied a", 'wp-hide-security-enhancer' ) . ' <b class="highlight">' . $response['response']['code'] . '</b> ' . __( "error with the message", 'wp-hide-security-enhancer' ) . ' <b class="highlight">' . $response['response']['message'] . '</b><br />';
1046
+ $messages['server_check'] .= "<br />" . __( "In certain environments ( e.g. Cloudflare) the plugin may not be allowed to check the test rewrite automatically. If checking manually the ", 'wp-hide-security-enhancer' ) . '<b><a target="_blank" href="' . $test_url . '">' . __( "Test URL", 'wp-hide-security-enhancer' ) . '</a></b>, ' . __( "if the result is a valid JSON response (contains a name and description), you can", 'wp-hide-security-enhancer' ) .' <a href="' . $this->get_current_url() . '&wph_environment=ignore-rewrite-test">' . __( "Ignore", 'wp-hide-security-enhancer' ) . '</a> ' . __( "this notification", 'wp-hide-security-enhancer' ) .'<br />';
1047
+ $messages['server_check'] .= __( "Sample result, can be different from a browser to another:", 'wp-hide-security-enhancer' ) . '<br /><img src="' . WPH_URL . '/assets/images/rewrite-test-json-response.jpg" /><br />';
1048
+ $messages['server_check'] .= __( "The Ignore action will be available until the next plugin options update.", 'wp-hide-security-enhancer' ) . '<br />';
1049
+ $messages['server_check'] .= "<br />" . __( "If manually checking the Test URL fails too, you need to get in touch with your server support for a fix. The rewrite engine is either disabled for your account or their internal set-up does not allow such rewrites. ", 'wp-hide-security-enhancer' );
1050
 
1051
  $response_message .= '<br />' . $messages['server_check'];
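Review bot: lines 1045-1046 concatenate `$response['response']['code']`, `$response['response']['message']`, `$test_url` and `$this->get_current_url()` into HTML with no escaping. The code and message come from a remote HTTP response and should go through `esc_html()`; both hrefs need `esc_url()`. The Ignore link on line 1046 also appends `&wph_environment=ignore-rewrite-test` directly, which assumes the current URL already has a query string, and it changes plugin state through a plain GET. Build it with `add_query_arg()` and `wp_nonce_url()`, and verify the nonce where `wph_environment` is handled, otherwise any page an admin visits can silence the failed rewrite check.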
1052
 
1945
  $to = get_option('admin_email');
1946
  $subject = get_option('blogname') . ' - WP Hide Recovery Link';
1947
  $message = __('Hello', 'wp-hide-security-enhancer') . ", \n\n"
1948
+ . __('This is a system automated message to inform that you can always use a recovery link if something go wrong', 'wp-hide-security-enhancer') . ": " . home_url() . '?wph-recovery='. $this->get_recovery_code() . "\n\n"
1949
+ . __('Please keep this URL to a safe place.', 'wp-hide-security-enhancer') . ".";
1950
  $headers = 'From: '. get_option('blogname') .' <'. get_option('admin_email') .'>' . "\r\n";
1951
 
1952
  if ( ! function_exists( 'wp_mail' ) )
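Review bot: line 1949 appends `"."` after a translated string that already ends with a period, so the mail ends in "safe place..". Remove one of the two. Line 1948 builds the link as `home_url() . '?wph-recovery='` while `show_recovery()` uses `trailingslashit ( home_url() )`; use the same form in both so the mailed link and the displayed link are identical. Since this message carries the only secret that resets the plugin, it may also be worth noting in the text that the link should not be forwarded.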
1973
  if(empty($wph_recovery) || $wph_recovery != $this->wph->settings['recovery_code'])
1974
  return;
1975
 
1976
+ $resetOnlyHeaders = isset ( $_GET['reset_headers'] ) && $_GET['reset_headers'] == '1' ? TRUE: FALSE;
1977
+
1978
+ if ( $resetOnlyHeaders === TRUE )
1979
+ {
1980
+ $modules_settings = $settings['module_settings'];
1981
+
1982
+ $headers = array (
1983
+ 'cross_origin_embedder_policy',
1984
+ 'cross_origin_opener_policy',
1985
+ 'cross_origin_resource_policy',
1986
+ 'x_content_type_options',
1987
+ 'x_download_options',
1988
+ 'x_frame_options',
1989
+ 'x_permitted_cross_domain_policies',
1990
+ 'x_xss_protection'
1991
+ );
1992
+ foreach ( $headers as $header )
1993
+ {
1994
+ if ( ! isset ( $modules_settings[ $header ] ) || ! is_array ( $modules_settings[ $header ] ) )
1995
+ $modules_settings[ $header ] = array (
1996
+ 'enabled' => 'no'
1997
+ );
1998
+
1999
+ $modules_settings[ $header ]['enabled'] = 'no';
2000
+ }
2001
+
2002
+ $settings['module_settings'] = $modules_settings;
2003
+ }
2004
+ else
2005
+ $settings['module_settings'] = $this->reset_settings();
2006
 
2007
  //update the settings
2008
  $this->update_settings( $settings );
2009
+ $this->wph->settings = $settings;
2010
 
2011
  //available for mu-plugins
2012
  do_action('wph/do_recovery');
2013
 
2014
  //add filter for rewriting the rules
2015
+ if ( $resetOnlyHeaders === TRUE )
2016
+ add_action('wp_loaded', array($this, 'wp_loaded_trigger_do_recovery_headers'));
2017
+ else
2018
+ add_action('wp_loaded', array($this, 'wp_loaded_trigger_do_recovery'));
2019
 
2020
  }
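Review bot: the guard on line 1973 compares the recovery code with a loose `!=`, and this change adds a second unauthenticated action (`reset_headers=1`) behind that same guard. Compare with `hash_equals( (string) $this->wph->settings['recovery_code'], (string) $wph_recovery )` so the check is type-strict and constant-time. In the new branch, the list of eight header ids on lines 1982-1991 is repeated verbatim in `create_headers_sample_setup()`; move it into one helper so a header added later is not missed by recovery. Lines 1994-1999 can also be reduced to the single assignment on line 1999 once the array is initialised.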
2021
 
2029
  foreach($this->wph->modules as $module)
2030
  {
2031
  //proces the fields
2032
+ $module_settings = $this->filter_settings( $module->get_module_components_settings(), TRUE );
2033
 
2034
  foreach($module_settings as $module_setting)
2035
  {
2110
  die();
2111
 
2112
  }
2113
+
2114
+
2115
+ function wp_loaded_trigger_do_recovery_headers()
2116
+ {
2117
+ /** WordPress Misc Administration API */
2118
+ require_once(ABSPATH . 'wp-admin/includes/misc.php');
2119
+
2120
+ /** WordPress Administration File API */
2121
+ require_once(ABSPATH . 'wp-admin/includes/file.php');
2122
+
2123
+ flush_rewrite_rules();
2124
+
2125
+ ?><!DOCTYPE html>
2126
+ <html lang="en-US">
2127
+ <head>
2128
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
2129
+ <meta name="viewport" content="width=device-width">
2130
+ <meta name='robots' content='noindex,follow' />
2131
+ <title>WP-Hide - <?php _e('Recovery', 'wp-hide-security-enhancer') ?></title>
2132
+ <style type="text/css">
2133
+ html{background:#f1f1f1}body{background:#fff;color:#444;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",sans-serif;margin:2em auto;padding:1em 2em;max-width:700px;-webkit-box-shadow:0 1px 3px rgba(0,0,0,.13);box-shadow:0 1px 3px rgba(0,0,0,.13)}h1{border-bottom:1px solid #dadada;clear:both;color:#666;font-size:24px;margin:30px 0 0 0;padding:0;padding-bottom:7px}#error-page{margin-top:50px}#error-page .wp-die-message,#error-page p{font-size:14px;line-height:1.5;margin:25px 0 20px}#error-page code{font-family:Consolas,Monaco,monospace}ul li{margin-bottom:10px;font-size:14px}a{color:#0073aa}a:active,a:hover{color:#006799}a:focus{color:#124964;-webkit-box-shadow:0 0 0 1px #5b9dd9,0 0 2px 1px rgba(30,140,190,.8);box-shadow:0 0 0 1px #5b9dd9,0 0 2px 1px rgba(30,140,190,.8);outline:0}.button{background:#f7f7f7;border:1px solid #ccc;color:#555;display:inline-block;text-decoration:none;font-size:13px;line-height:2;height:28px;margin:0;padding:0 10px 1px;cursor:pointer;-webkit-border-radius:3px;-webkit-appearance:none;border-radius:3px;white-space:nowrap;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;-webkit-box-shadow:0 1px 0 #ccc;box-shadow:0 1px 0 #ccc;vertical-align:top}.button.button-large{height:30px;line-height:2.15384615;padding:0 12px 2px}.button:focus,.button:hover{background:#fafafa;border-color:#999;color:#23282d}.button:focus{border-color:#5b9dd9;-webkit-box-shadow:0 0 3px rgba(0,115,170,.8);box-shadow:0 0 3px rgba(0,115,170,.8);outline:0}.button:active{background:#eee;border-color:#999;-webkit-box-shadow:inset 0 2px 5px -3px rgba(0,0,0,.5);box-shadow:inset 0 2px 5px -3px rgba(0,0,0,.5)}
2134
+ </style>
2135
+ </head>
2136
+ <body>
2137
+
2138
+ <h1>WP-Hide - <?php _e('Headers Recovery', 'wp-hide-security-enhancer') ?></h1>
2139
+ <p><b><?php _e('The plugin Headers options have been disabled successfully.', 'wp-hide-security-enhancer') ?></b></p>
2140
+ <br />
2141
+ <?php
2142
+
2143
+ if ( $this->wph->server_htaccess_config === TRUE )
2144
+ {
2145
+ ?>
2146
+ <p><?php _e('Ensure the .htaccess file does not contain any rewrite Header lines. The plugin already attempted to clear the data. If the operation fails, manual removal is required.', 'wp-hide-security-enhancer') ?></p>
2147
+ <?php
2148
+ }
2149
+
2150
+ if ( $this->wph->server_web_config === TRUE )
2151
+ {
2152
+ ?>
2153
+ <p><?php _e('Ensure the web.config file does not contain any rewrite Header lines. The plugin already attempted to clear the data. If the operation fails, manual removal is required.', 'wp-hide-security-enhancer') ?></p>
2154
+ <?php
2155
+ }
2156
+
2157
+ if ( $this->wph->server_nginx_config === TRUE )
2158
+ {
2159
+
2160
+ //Check if use Wpengine
2161
+ if ( $this->wph->functions->server_is_wpengine() )
2162
+ {
2163
+ ?>
2164
+ <p><?php _e('Your site use WPEngine! You need to get in touch with live support and ask to remove the custom Nginx Header rewrite code from your account.', 'wp-hide-security-enhancer') ?></p>
2165
+ <?php
2166
+ }
2167
+ else if ( $this->wph->functions->server_is_kinsta() )
2168
+ {
2169
+ ?>
2170
+ <p><?php _e('Your site use Kinsta! You need to get in touch with live support and ask to remove the custom Nginx Header rewrite code from your account.', 'wp-hide-security-enhancer') ?></p>
2171
+ <?php
2172
+ }
2173
+ else
2174
+ {
2175
+
2176
+ ?>
2177
+ <p><?php _e('Check with your Nginx config file located usually at', 'wp-hide-security-enhancer') ?> /etc/nginx/sites-available/ <?php _e('and remove any Header rewrite rules within', 'wp-hide-security-enhancer') ?> <strong># BEGIN WP Hide & Security Enhancer</strong> <?php _e('and', 'wp-hide-security-enhancer') ?> <strong># END WP Hide & Security Enhancer</strong></p>
2178
+ <p><?php _e('After the configuration file update', 'wp-hide-security-enhancer') ?>, <strong><?php _e('Test', 'wp-hide-security-enhancer') ?></strong> <?php _e('the new data using ', 'wp-hide-security-enhancer') ?> <strong>nginx -t</strong>. <?php _e('If successfully compiled, restart the Nginx service.', 'wp-hide-security-enhancer') ?></p>
2179
+ <?php
2180
+ }
2181
+ }
2182
+
2183
+
2184
+
2185
+ ?>
2186
+
2187
+ <p><br /></p>
2188
+ <p><a class="button" href="<?php echo get_site_url() ?>"><?php _e('Continue to your Site', 'wp-hide-security-enhancer') ?></a></p>
2189
+
2190
+
2191
+ </body>
2192
+ </html>
2193
+ <?php
2194
+
2195
+ wp_logout();
2196
+
2197
+ die();
2198
+
2199
+ }
2200
+
2201
+
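Review bot: in `wp_loaded_trigger_do_recovery_headers()`, `wp_logout()` on line 2195 runs after the complete HTML document has been echoed. Unless output buffering happens to be active, the response headers are already sent by then, so the auth cookies that `wp_logout()` tries to clear cannot be delivered to the browser. Call `wp_logout()` before the `?><!DOCTYPE html>` on line 2125, or buffer the page and print it afterwards. Minor points in the same function: `get_site_url()` on line 2188 is echoed into `href` without `esc_url()`, and `lang="en-US"` is hard-coded although the strings are translated.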
2202
+ function create_headers_sample_setup()
2203
+ {
2204
+
2205
+ $nonce = $_POST['wph-interface-nonce'];
2206
+ if ( ! wp_verify_nonce( $nonce, 'wph/interface_fields' ) )
2207
+ return FALSE;
2208
+
2209
+ //only for admins
2210
+ If ( ! current_user_can ( 'manage_options' ) )
2211
+ return FALSE;
2212
+
2213
+ $screen_slug = isset ( $_GET['page'] ) ? sanitize_text_field( $_GET['page'] ) : '';
2214
+ $tab_slug = isset ( $_GET['component'] ) ? sanitize_text_field( $_GET['component'] ) : '';
2215
+
2216
+ $site_settings = $this->get_settings();
2217
+ $modules_settings = $site_settings['module_settings'];
2218
+
2219
+ //reset the options
2220
+ $headers = array (
2221
+ 'cross_origin_embedder_policy',
2222
+ 'cross_origin_opener_policy',
2223
+ 'cross_origin_resource_policy',
2224
+ 'x_content_type_options',
2225
+ 'x_download_options',
2226
+ 'x_frame_options',
2227
+ 'x_permitted_cross_domain_policies',
2228
+ 'x_xss_protection'
2229
+ );
2230
+ foreach ( $headers as $header )
2231
+ {
2232
+ if ( ! isset ( $modules_settings[ $header ] ) || ! is_array ( $modules_settings[ $header ] ) )
2233
+ $modules_settings[ $header ] = array (
2234
+ 'enabled' => 'no'
2235
+ );
2236
+
2237
+ $modules_settings[ $header ]['enabled'] = 'no';
2238
+ }
2239
+
2240
+
2241
+ //add the custom headers
2242
+ $modules_settings[ 'cross_origin_embedder_policy' ]['enabled'] = 'yes';
2243
+ $modules_settings[ 'cross_origin_embedder_policy' ]['value'] = 'unsafe-none';
2244
+
2245
+ $modules_settings[ 'cross_origin_opener_policy' ]['enabled'] = 'yes';
2246
+ $modules_settings[ 'cross_origin_opener_policy' ]['value'] = 'unsafe-none';
2247
+
2248
+ $modules_settings[ 'cross_origin_resource_policy' ]['enabled'] = 'yes';
2249
+ $modules_settings[ 'cross_origin_resource_policy' ]['value'] = 'cross-origin';
2250
+
2251
+ $modules_settings[ 'x_download_options' ]['enabled'] = 'yes';
2252
+ $modules_settings[ 'x_download_options' ]['value'] = 'noopen';
2253
+
2254
+ $modules_settings[ 'x_frame_options' ]['enabled'] = 'yes';
2255
+ $modules_settings[ 'x_frame_options' ]['value'] = 'SAMEORIGIN';
2256
+
2257
+ $modules_settings[ 'x_xss_protection' ]['enabled'] = 'yes';
2258
+ $modules_settings[ 'x_xss_protection' ]['value'] = '1; mode=block';
2259
+
2260
+ $site_settings['module_settings'] = $modules_settings;
2261
+
2262
+ //$this->update_settings( $site_settings );
2263
+ $this->wph->settings = $site_settings;
2264
+
2265
+ //generate a new write_check_string
2266
+ $write_check_string = time() . '_' . mt_rand(100, 99999);
2267
+ $this->wph->settings['write_check_string'] = $write_check_string;
2268
+
2269
+ //update the settings
2270
+ $this->update_settings( $this->wph->settings );
2271
+
2272
+ //trigger the settings changed action
2273
+ do_action('wph/settings_changed', $screen_slug, $tab_slug);
2274
+
2275
+
2276
+ //redirect
2277
+ $new_admin_url = $this->get_module_item_setting('admin_url' , 'admin');
2278
+
2279
+ //check if the rewrite applied
2280
+ if ( ! empty ( $new_admin_url ) && ! $this->rewrite_rules_applied() )
2281
+ $new_admin_url = '';
2282
+
2283
+ if(!empty($new_admin_url) && $this->is_permalink_enabled())
2284
+ $new_location = trailingslashit( home_url() ) . $new_admin_url . "/admin.php?page=" . $screen_slug;
2285
+ else
2286
+ $new_location = trailingslashit( site_url() ) . "wp-admin/admin.php?page=" . $screen_slug;
2287
+
2288
+ if($tab_slug !== FALSE)
2289
+ $new_location .= '&component=' . $tab_slug;
2290
+
2291
+ $new_location .= '&settings_updated=true&headers_sample_setup=true';
2292
+ wp_redirect( $new_location );
2293
+
2294
+ die();
2295
+
2296
+ }
2297
+
2298
+
2299
+
2300
 
2301
  /**
2302
  * Replace a filter / action from anonymous object
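Review bot: in create_headers_sample_setup() the sample leaves `x_content_type_options` at 'no' (it is in the reset list but never re-enabled) while enabling COEP and COOP as `unsafe-none` and CORP as `cross-origin`, which are the permissive values (for COEP and COOP, the browser default), so those three entries change nothing in practice. Suggest enabling `x_content_type_options` with `nosniff` in the sample, and either dropping the three Cross-Origin entries or stating in the UI that they are placeholders to be tightened. Two smaller points in the same function: `$_POST['wph-interface-nonce']` is read without an isset() guard, and `if($tab_slug !== FALSE)` is always true because `$tab_slug` is '' or a string, so `&component=` is appended even when empty; `! empty( $tab_slug )` plus `rawurlencode()` on both slugs would be tighter.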
include/module.class.php CHANGED
@@ -42,7 +42,7 @@
42
  * Return module components settings
43
  *
44
  */
45
- function get_module_settings($module_id = FALSE)
46
  {
47
 
48
  $module_settings = array();
42
  * Return module components settings
43
  *
44
  */
45
+ function get_module_components_settings($module_id = FALSE)
46
  {
47
 
48
  $module_settings = array();
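Review bot: the rename at line 45 removes `get_module_settings()` from the module class with no alias, so code outside the plugin that still calls it on a module object (the `wp-hide/loaded_modules` filter in include/wph.class.php is commented as "available for mu-plugins") will hit an undefined method unless a parent class still provides it. Consider keeping a deprecated `get_module_settings()` wrapper that forwards to `get_module_components_settings()` for one release.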
include/wph.class.php CHANGED
@@ -129,6 +129,7 @@
129
 
130
  add_action('admin_menu', array($this, 'admin_menus'));
131
  add_action('admin_init', array($this, 'admin_init'), 11);
 
132
 
133
  //make sure to clear cache files on certain actions
134
  add_action("after_switch_theme", array($this->functions, 'cache_clear'));
@@ -200,15 +201,20 @@
200
  function _load_modules()
201
  {
202
 
203
- $module_files = glob(WPH_PATH . "/modules/module-*.php");
 
 
 
 
 
 
204
 
205
- foreach ($module_files as $filename)
206
  {
207
- $path_parts = pathinfo($filename);
208
 
209
- include_once(WPH_PATH . '/modules/' . $path_parts['basename']);
210
 
211
- $module_name = str_replace('module-' , '', $path_parts['filename']);
212
  $module_class_name = 'WPH_module_' . $module_name;
213
  $module = new $module_class_name;
214
 
@@ -223,11 +229,10 @@
223
  }
224
 
225
  //sort the modules array
226
- ksort($this->modules);
227
 
228
  //filter available for mu-plugins
229
  $this->modules = apply_filters('wp-hide/loaded_modules', $this->modules);
230
-
231
 
232
  }
233
 
@@ -241,7 +246,7 @@
241
  foreach($this->modules as $module)
242
  {
243
  //process the module fields
244
- $module_settings = $this->functions->filter_settings( $module->get_module_settings(), TRUE );
245
 
246
  usort($module_settings, array($this->functions, 'array_sort_by_processing_order'));
247
 
@@ -311,6 +316,12 @@
311
  $this->functions->do_reset_settings();
312
  }
313
 
 
 
 
 
 
 
314
  //check for interface submit
315
  if($this->doing_interface_save === TRUE)
316
  {
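Review bot: `if(isset($_POST['wph-headers-sample-setup']))` fires on the mere presence of the field, and the help text added in modules/components/security-check_headers.php emits `<input type="hidden" name="wph-headers-sample-setup" value="true" />` unconditionally. If that markup is rendered inside the settings form, every ordinary save on that tab will run create_headers_sample_setup(), which redirects and calls die() before the interface-save branch below is reached. Either have the JS add the field only after the confirmation, or key the check on a dedicated submit button name.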
@@ -333,6 +344,13 @@
333
  }
334
 
335
 
 
 
 
 
 
 
 
336
  function admin_print_scripts()
337
  {
338
  wp_enqueue_script( 'jquery');
@@ -342,7 +360,8 @@
342
 
343
  // Localize the script with new data
344
  $translation_array = array(
345
- 'reset_confirmation' => __('Are you sure to reset all settings? All options will be removed. Manual remove of rewrite lines is required if no access from php', 'wp-hide-security-enhancer')
 
346
  );
347
  wp_localize_script( 'wph', 'wph_vars', $translation_array );
348
 
@@ -393,7 +412,7 @@
393
  add_action('admin_print_styles-' . $hookID , array($this, 'admin_print_styles'));
394
  add_action('admin_print_scripts-' . $hookID , array($this, 'admin_print_scripts'));
395
  }
396
-
397
  }
398
 
399
 
@@ -470,6 +489,11 @@
470
  $this->functions->settings_changed_check_for_cache_plugins();
471
  }
472
 
 
 
 
 
 
473
 
474
  if(isset($_GET['settings_updated']))
475
  {
@@ -921,10 +945,8 @@
921
  function get_rewrite_rules( )
922
  {
923
 
924
- $rules = "";
925
-
926
- if($this->uninstall === TRUE)
927
- return $rules;
928
 
929
  $write_check_string = isset( $this->settings['write_check_string'] ) ? $this->settings['write_check_string'] : '';
930
 
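Review bot: the early exit changes from `return $rules;` (an empty string) to a bare `return;`, so get_rewrite_rules() now yields NULL when `$this->uninstall === TRUE`. Callers that compare strictly against '' or pass the result to string-typed code will behave differently; `return '';` keeps the previous contract.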
@@ -941,36 +963,54 @@
941
  $processing_data = $this->get_components_rules();
942
 
943
  //post-process the htaccess data
944
- $_rewrite_data = array();
945
- $_page_refresh = FALSE;
 
946
  foreach($processing_data as $response)
947
  {
948
- if(isset($response['rewrite']) && !empty($response['rewrite']))
949
  {
950
- $_rewrite_data[] = $response['rewrite'];
 
951
  }
952
 
953
- if(isset($response['page_refresh']) && $response['page_refresh'] === TRUE)
954
- $_page_refresh = TRUE;
 
 
955
  }
956
 
957
- $rules .= "#WriteCheckString:" . $write_check_string . "\n";
958
- $rules .= "RewriteRule .* - [E=HTTP_MOD_REWRITE:On]" . "\n";
 
 
 
959
 
960
  $plugin_path = $this->functions->get_url_path( WP_PLUGIN_URL );
961
  $rewrite_to = $this->functions->get_rewrite_to_base( trailingslashit( $plugin_path ) . 'wp-hide-security-enhancer/include/rewrite-confirm.php', TRUE, FALSE );
962
 
963
- $rules .= "RewriteRule ^rewrite_test_" .$write_check_string ."/? ". $rewrite_to ." [L,QSA]";
964
-
965
- if(count($_rewrite_data) > 0)
966
  {
967
- foreach($_rewrite_data as $_htaccess_data_line)
968
  {
969
- $rules .= "\n" . $_htaccess_data_line;
970
  }
971
  }
972
-
973
- $rules = apply_filters('wp-hide/mod_rewrite_rules', $rules, 'apache');
 
 
 
 
 
 
 
 
 
 
 
 
974
 
975
 
976
  $home_root = parse_url(home_url());
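Review bot: in the new `foreach($processing_data as $response)` loop the `'header'` branch appends `$response['rewrite']` with no isset()/empty() check, unlike the mod_rewrite branch just below it, so a header component that returns only `'type' => 'header'` raises an undefined index notice and adds an empty entry. Apply the same guard before the `continue`. Also, the old `RewriteRule .* - [E=HTTP_MOD_REWRITE:On]` line is dropped from the generated rules without a replacement; if anything still reads that environment variable, it needs updating in the same change.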
@@ -982,9 +1022,16 @@
982
  $rules = "<IfModule mod_rewrite.c> \n"
983
  . "RewriteEngine On \n"
984
  . "RewriteBase ". $home_root ." \n"
985
- . $rules
986
  . "\n"
987
  . "</IfModule> \n";
 
 
 
 
 
 
 
988
 
989
  return $rules;
990
 
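Review bot: the new block is built as `"<IfModule mod_headers.c>" . $headers_rules . "\n" . '</IfModule>'` with no newline after the opening directive, so it is only well-formed if every header rule (and whatever the `wp-hide/mod_headers_rules` filter returns) begins with "\n"; otherwise the first `Header` line is glued to the directive and the directive is malformed. Emit `"<IfModule mod_headers.c>\n"` explicitly and end the block with "\n", as the mod_rewrite block above does.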
@@ -1076,7 +1123,7 @@
1076
  //loop all module settings and run the callback functions
1077
  foreach($this->modules as $module)
1078
  {
1079
- $module_settings = $this->functions->filter_settings( $module->get_module_settings(), TRUE );
1080
 
1081
  //sort by processing order
1082
  usort($module_settings, array($this->functions, 'array_sort_by_processing_order'));
129
 
130
  add_action('admin_menu', array($this, 'admin_menus'));
131
  add_action('admin_init', array($this, 'admin_init'), 11);
132
+ add_action('admin_print_styles', array($this, 'admin_print_styles_general' ) );
133
 
134
  //make sure to clear cache files on certain actions
135
  add_action("after_switch_theme", array($this->functions, 'cache_clear'));
201
  function _load_modules()
202
  {
203
 
204
+ $modules = array (
205
+ 'module-rewrite.php',
206
+ 'module-general.php',
207
+ 'module-admin.php',
208
+ 'module-cdn.php',
209
+ 'module-security_headers.php'
210
+ );
211
 
212
+ foreach ( $modules as $module_file )
213
  {
 
214
 
215
+ include_once( WPH_PATH . '/modules/' . $module_file );
216
 
217
+ $module_name = str_replace( array ( 'module-', '.php' ) , '', $module_file );
218
  $module_class_name = 'WPH_module_' . $module_name;
219
  $module = new $module_class_name;
220
 
229
  }
230
 
231
  //sort the modules array
232
+ ksort( $this->modules );
233
 
234
  //filter available for mu-plugins
235
  $this->modules = apply_filters('wp-hide/loaded_modules', $this->modules);
 
236
 
237
  }
238
 
246
  foreach($this->modules as $module)
247
  {
248
  //process the module fields
249
+ $module_settings = $this->functions->filter_settings( $module->get_module_components_settings(), TRUE );
250
 
251
  usort($module_settings, array($this->functions, 'array_sort_by_processing_order'));
252
 
316
  $this->functions->do_reset_settings();
317
  }
318
 
319
+ //check for headers sample setup
320
+ if(isset($_POST['wph-headers-sample-setup']))
321
+ {
322
+ $this->functions->create_headers_sample_setup();
323
+ }
324
+
325
  //check for interface submit
326
  if($this->doing_interface_save === TRUE)
327
  {
344
  }
345
 
346
 
347
+ function admin_print_styles_general()
348
+ {
349
+ wp_register_style('WPH-Styles-general', WPH_URL . '/assets/css/wph-general.css');
350
+ wp_enqueue_style( 'WPH-Styles-general');
351
+ }
352
+
353
+
354
  function admin_print_scripts()
355
  {
356
  wp_enqueue_script( 'jquery');
360
 
361
  // Localize the script with new data
362
  $translation_array = array(
363
+ 'reset_confirmation' => __('Are you sure to reset all settings? All options will be removed. Manual remove of rewrite lines is required if no access from php', 'wp-hide-security-enhancer'),
364
+ 'run_sample_headers' => __('This creates a sample setup for Headers. That will overwrite any Headers settings previously created through the plugin options. Are you sure?', 'wp-hide-security-enhancer')
365
  );
366
  wp_localize_script( 'wph', 'wph_vars', $translation_array );
367
 
412
  add_action('admin_print_styles-' . $hookID , array($this, 'admin_print_styles'));
413
  add_action('admin_print_scripts-' . $hookID , array($this, 'admin_print_scripts'));
414
  }
415
+
416
  }
417
 
418
 
489
  $this->functions->settings_changed_check_for_cache_plugins();
490
  }
491
 
492
+
493
+ if( isset( $_GET['headers_sample_setup'] ) )
494
+ {
495
+ echo "<div class='notice notice-success'><p>". __('Headers Sample Setup deployed successfully.', 'wp-hide-security-enhancer') ."</p></div>";
496
+ }
497
 
498
  if(isset($_GET['settings_updated']))
499
  {
945
  function get_rewrite_rules( )
946
  {
947
 
948
+ if ( $this->uninstall === TRUE )
949
+ return;
 
 
950
 
951
  $write_check_string = isset( $this->settings['write_check_string'] ) ? $this->settings['write_check_string'] : '';
952
 
963
  $processing_data = $this->get_components_rules();
964
 
965
  //post-process the htaccess data
966
+ $_rewrite_data_mod_rewrite = array();
967
+ $_rewrite_data_mod_headers = array();
968
+
969
  foreach($processing_data as $response)
970
  {
971
+ if ( isset ( $response['type'] ) && $response['type'] == 'header' )
972
  {
973
+ $_rewrite_data_mod_headers[] = $response['rewrite'];
974
+ continue;
975
  }
976
 
977
+ if ( isset ( $response['rewrite'] ) && ! empty ( $response['rewrite'] ) )
978
+ {
979
+ $_rewrite_data_mod_rewrite[] = $response['rewrite'];
980
+ }
981
  }
982
 
983
+
984
+ /**
985
+ * Process the mod_rewrite rules
986
+ */
987
+ $rewrite_rules = "#WriteCheckString:" . $write_check_string . "\n";
988
 
989
  $plugin_path = $this->functions->get_url_path( WP_PLUGIN_URL );
990
  $rewrite_to = $this->functions->get_rewrite_to_base( trailingslashit( $plugin_path ) . 'wp-hide-security-enhancer/include/rewrite-confirm.php', TRUE, FALSE );
991
 
992
+ $rewrite_rules .= "RewriteRule ^rewrite_test_" .$write_check_string ."/? ". $rewrite_to ." [L,QSA]";
993
+ if(count( $_rewrite_data_mod_rewrite ) > 0)
 
994
  {
995
+ foreach( $_rewrite_data_mod_rewrite as $_htaccess_data_line)
996
  {
997
+ $rewrite_rules .= "\n" . $_htaccess_data_line;
998
  }
999
  }
1000
+ $rewrite_rules = apply_filters('wp-hide/mod_rewrite_rules', $rewrite_rules, 'apache');
1001
+
1002
+ /**
1003
+ * Process the mod_headers
1004
+ */
1005
+ $headers_rules = '';
1006
+ if ( count ( $_rewrite_data_mod_headers ) > 0 )
1007
+ {
1008
+ foreach( $_rewrite_data_mod_headers as $_htaccess_data_line)
1009
+ {
1010
+ $headers_rules .= $_htaccess_data_line;
1011
+ }
1012
+ }
1013
+ $headers_rules = apply_filters('wp-hide/mod_headers_rules', $headers_rules, 'apache');
1014
 
1015
 
1016
  $home_root = parse_url(home_url());
1022
  $rules = "<IfModule mod_rewrite.c> \n"
1023
  . "RewriteEngine On \n"
1024
  . "RewriteBase ". $home_root ." \n"
1025
+ . $rewrite_rules
1026
  . "\n"
1027
  . "</IfModule> \n";
1028
+
1029
+ if ( ! empty ( $headers_rules ) )
1030
+ $rules .= "<IfModule mod_headers.c>"
1031
+ . $headers_rules
1032
+ . "\n"
1033
+
1034
+ . '</IfModule>';
1035
 
1036
  return $rules;
1037
 
1123
  //loop all module settings and run the callback functions
1124
  foreach($this->modules as $module)
1125
  {
1126
+ $module_settings = $this->functions->filter_settings( $module->get_module_components_settings(), TRUE );
1127
 
1128
  //sort by processing order
1129
  usort($module_settings, array($this->functions, 'array_sort_by_processing_order'));
modules/components/admin-admin_url.php CHANGED
@@ -133,7 +133,6 @@
133
  ';
134
 
135
  $processing_response['rewrite'] = $text;
136
- $processing_response['page_refresh'] = TRUE;
137
 
138
  return $processing_response;
139
  }
133
  ';
134
 
135
  $processing_response['rewrite'] = $text;
 
136
 
137
  return $processing_response;
138
  }
modules/components/admin-new_wp_login_php.php CHANGED
@@ -120,11 +120,15 @@
120
  wp_mail( $to, $subject, $message, $headers );
121
  }
122
 
123
- function login_url($login_url, $redirect, $force_reauth)
124
  {
125
- $new_wp_login_php = $this->wph->functions->get_module_item_setting('new_wp_login_php');
 
 
 
126
 
127
- $login_url = home_url($new_wp_login_php, 'login');
 
128
 
129
  return $login_url;
130
  }
120
  wp_mail( $to, $subject, $message, $headers );
121
  }
122
 
123
+ function login_url( $login_url, $redirect, $force_reauth )
124
  {
125
+ $parse_login_url = parse_url ( $login_url );
126
+ $new_wp_login_php = $this->wph->functions->get_module_item_setting('new_wp_login_php');
127
+
128
+ $login_url = home_url($new_wp_login_php, 'login');
129
 
130
+ if ( isset ( $parse_login_url['query'] ) && ! empty ( $parse_login_url['query'] ) )
131
+ $login_url .= '?' . $parse_login_url['query'];
132
 
133
  return $login_url;
134
  }
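Review bot: `$login_url .= '?' . $parse_login_url['query'];` assumes the value returned by `home_url($new_wp_login_php, 'login')` has no query string of its own; when a `home_url` filter appends one (language plugins commonly do), the result contains two `?` and the original arguments are lost. Parse the original query with `wp_parse_str()` and re-attach it with `add_query_arg()`, which also handles the separator and encoding.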
modules/components/rewrite-json-rest.php CHANGED
@@ -291,6 +291,7 @@
291
  else if ( $saved_field_data == 'non-logged-in' )
292
  {
293
  $text = "\nRewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]".
 
294
  "\nRewriteRule ^wp-json(.+) ". $rewrite_to ."?wph-throw-404 [L]";
295
  }
296
 
291
  else if ( $saved_field_data == 'non-logged-in' )
292
  {
293
  $text = "\nRewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]".
294
+ "\nRewriteCond %{HTTP:Authorization} ^$ [NC]".
295
  "\nRewriteRule ^wp-json(.+) ". $rewrite_to ."?wph-throw-404 [L]";
296
  }
297
 
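Review bot: the added `RewriteCond %{HTTP:Authorization} ^$ [NC]` tests only that the header is empty, so the 404 rule for `^wp-json(.+)` is skipped for any request that carries an Authorization header, valid or not, just as the cookie condition above only tests for the `wordpress_logged_in` name. That is reasonable for letting token and application-password clients through, but the option should then be described as hiding the endpoint rather than restricting it, and real enforcement of the 'non-logged-in' setting belongs in PHP (for example on the `rest_authentication_errors` filter). The `[NC]` flag has no effect on `^$` and can be dropped.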
modules/components/rewrite-new_theme_path.php CHANGED
@@ -36,7 +36,7 @@
36
  'option_documentation_url' => 'https://wp-hide.com/documentation/rewrite-theme/'
37
  ),
38
 
39
- 'value_description' => __('Example', 'wp-hide-security-enhancer') . ': <b>' . __('template', 'wp-hide-security-enhancer'),
40
  'input_type' => 'text',
41
 
42
  'sanitize_type' => array(array($this->wph->functions, 'sanitize_file_path_name'), 'strtolower'),
@@ -57,7 +57,7 @@
57
  'input_value_extension' => 'css'
58
  ),
59
 
60
- 'value_description' => __('Example', 'wp-hide-security-enhancer') . ': <b>' . __('skin.css', 'wp-hide-security-enhancer'),
61
  'input_type' => 'text',
62
 
63
  'sanitize_type' => array(array($this->wph->functions, 'sanitize_file_path_name')),
@@ -92,7 +92,7 @@
92
  'yes' => __('Yes', 'wp-hide-security-enhancer'),
93
  ),
94
 
95
- 'options_post' => '<p><span class="dashicons dashicons-warning important" alt="f534">warning</span> ' . __('This functionality use caching! If active, cache clear is recommended on styles updates.', 'wp-hide-security-enhancer') .' </p> <p><a href="admin.php?page=wp-hide&wph_cache_clear=true" class="button action">' . __("Cache Clear", 'wp-hide-security-enhancer') . "</a></p>" ,
96
 
97
  'default_value' => 'no',
98
 
@@ -128,7 +128,7 @@
128
  'option_documentation_url' => 'https://wp-hide.com/documentation/rewrite-theme/'
129
  ),
130
 
131
- 'value_description' => __('Example', 'wp-hide-security-enhancer') . ': <b>' . __('template-child', 'wp-hide-security-enhancer'),
132
  'input_type' => 'text',
133
 
134
  'sanitize_type' => array(array($this->wph->functions, 'sanitize_file_path_name'), 'strtolower'),
@@ -148,7 +148,7 @@
148
  'input_value_extension' => 'css'
149
  ),
150
 
151
- 'value_description' => __('Example', 'wp-hide-security-enhancer') . ': <b>' . __('child-skin.css', 'wp-hide-security-enhancer'),
152
  'input_type' => 'text',
153
 
154
  'sanitize_type' => array(array($this->wph->functions, 'sanitize_file_path_name')),
@@ -184,7 +184,7 @@
184
  'yes' => __('Yes', 'wp-hide-security-enhancer'),
185
  ),
186
 
187
- 'options_post' => '<p><span class="dashicons dashicons-warning important" alt="f534">warning</span> ' . __('This functionality use caching! If active, cache clear is recommended on styles updates.', 'wp-hide-security-enhancer') .'</p><p><a href="admin.php?page=wp-hide&wph_cache_clear=true" class="button action">' . __("Cache Clear", 'wp-hide-security-enhancer') . '</a></p>' ,
188
 
189
  'default_value' => 'no',
190
 
36
  'option_documentation_url' => 'https://wp-hide.com/documentation/rewrite-theme/'
37
  ),
38
 
39
+ 'value_description' => __('Example', 'wp-hide-security-enhancer') . ': <b>template</b>',
40
  'input_type' => 'text',
41
 
42
  'sanitize_type' => array(array($this->wph->functions, 'sanitize_file_path_name'), 'strtolower'),
57
  'input_value_extension' => 'css'
58
  ),
59
 
60
+ 'value_description' => __('Example', 'wp-hide-security-enhancer') . ': <b>skin.css</b>',
61
  'input_type' => 'text',
62
 
63
  'sanitize_type' => array(array($this->wph->functions, 'sanitize_file_path_name')),
92
  'yes' => __('Yes', 'wp-hide-security-enhancer'),
93
  ),
94
 
95
+ 'options_post' => '<p><span class="dashicons dashicons-warning important" alt="f534">warning</span> ' . __('This functionality use caching! If active, cache clear is recommended on styles updates.', 'wp-hide-security-enhancer') .' </p> <p><a href="admin.php?page=wp-hide-rewrite&wph_cache_clear=true" class="button">' . __("Cache Clear", 'wp-hide-security-enhancer') . "</a></p>" ,
96
 
97
  'default_value' => 'no',
98
 
128
  'option_documentation_url' => 'https://wp-hide.com/documentation/rewrite-theme/'
129
  ),
130
 
131
+ 'value_description' => __('Example', 'wp-hide-security-enhancer') . ': <b>template-child</b>',
132
  'input_type' => 'text',
133
 
134
  'sanitize_type' => array(array($this->wph->functions, 'sanitize_file_path_name'), 'strtolower'),
148
  'input_value_extension' => 'css'
149
  ),
150
 
151
+ 'value_description' => __('Example', 'wp-hide-security-enhancer') . ': <b>child-skin.css</b>',
152
  'input_type' => 'text',
153
 
154
  'sanitize_type' => array(array($this->wph->functions, 'sanitize_file_path_name')),
184
  'yes' => __('Yes', 'wp-hide-security-enhancer'),
185
  ),
186
 
187
+ 'options_post' => '<p><span class="dashicons dashicons-warning important" alt="f534">warning</span> ' . __('This functionality use caching! If active, cache clear is recommended on styles updates.', 'wp-hide-security-enhancer') .'</p><p><a href="admin.php?page=wp-wp-hide-rewrite&wph_cache_clear=true" class="button">' . __("Cache Clear", 'wp-hide-security-enhancer') . '</a></p>' ,
188
 
189
  'default_value' => 'no',
190
 
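Review bot: the child-theme Cache Clear link at line 187 now points to `admin.php?page=wp-wp-hide-rewrite&wph_cache_clear=true`, while the main-theme link at line 95 uses `page=wp-hide-rewrite`; the doubled `wp-` looks like a typo and will send the button to a non-existent admin page. Both links also trigger `wph_cache_clear` from a plain GET URL with no nonce, so consider building them with `wp_nonce_url()` and verifying the nonce in the handler.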
modules/components/rewrite-new_upload_path.php CHANGED
@@ -15,7 +15,7 @@
15
  $this->module_settings[] = array(
16
  'id' => 'new_upload_path',
17
  'label' => __('New Uploads Path', 'wp-hide-security-enhancer'),
18
- 'description' => __('The default uploads path is set to', 'wp-hide-security-enhancer') . ' <strong>'. str_replace(get_bloginfo('wpurl'), '' ,$this->wph->default_variables['upload_url']) .'/</strong>',
19
 
20
  'help' => array(
21
  'title' => __('Help', 'wp-hide-security-enhancer') . ' - ' . __('New Uploads Path', 'wp-hide-security-enhancer'),
15
  $this->module_settings[] = array(
16
  'id' => 'new_upload_path',
17
  'label' => __('New Uploads Path', 'wp-hide-security-enhancer'),
18
+ 'description' => __('The default uploads path is set to', 'wp-hide-security-enhancer') . ' <strong>/wp-content/uploads/</strong>',
19
 
20
  'help' => array(
21
  'title' => __('Help', 'wp-hide-security-enhancer') . ' - ' . __('New Uploads Path', 'wp-hide-security-enhancer'),
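Review bot: the description at line 18 now hard-codes `/wp-content/uploads/` where it previously derived the path from `$this->wph->default_variables['upload_url']`, so installs with a relocated wp-content or a custom uploads directory will be shown the wrong default. If the computed value was the problem, fix the computation (for example via `wp_upload_dir()`), or word the text as the usual default instead of stating it as this site's path.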
modules/components/rewrite-new_xml-rpc-path.php CHANGED
@@ -179,7 +179,8 @@
179
  if($this->wph->server_htaccess_config === TRUE)
180
  {
181
  $text = "RewriteCond %{ENV:REDIRECT_STATUS} ^$\n";
182
- $text .= "RewriteRule ^xmlrpc.php ". $rewrite_to ."?wph-throw-404 [L]";
 
183
  }
184
 
185
  if($this->wph->server_web_config === TRUE)
179
  if($this->wph->server_htaccess_config === TRUE)
180
  {
181
  $text = "RewriteCond %{ENV:REDIRECT_STATUS} ^$\n";
182
+ $text .= "RewriteCond %{HTTP_USER_AGENT} !^WordPress\/[0-9\.\ ]+CFNetwork [NC]\n";
183
+ $text .= "RewriteRule ^xmlrpc.php ". $rewrite_to ."?wph-throw-404 [L]";
184
  }
185
 
186
  if($this->wph->server_web_config === TRUE)
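Review bot: the new `RewriteCond %{HTTP_USER_AGENT} !^WordPress\/[0-9\.\ ]+CFNetwork [NC]` exempts requests from the xmlrpc.php block based on a client-supplied User-Agent, so the block no longer holds for any client that sends a matching string. Make the exemption an explicit opt-in setting (off by default) with a help note explaining the trade-off, and add a code comment naming the client it is meant for. The `server_web_config` branch is not touched by this hunk, so Apache and IIS installs now behave differently for the same option.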
modules/components/rewrite-slash.php CHANGED
@@ -17,7 +17,7 @@
17
  'description' => __('Add an end slash to all links which does not include one.', 'wp-hide-security-enhancer'). '<br /> ',
18
 
19
  'help' => array(
20
- 'title' => __('Help', 'wp-hide-security-enhancer') . ' - ' . __('New XML-RPC Path', 'wp-hide-security-enhancer'),
21
  'description' => __("As default the WordPress url's format include an ending slash. ", 'wp-hide-security-enhancer') .
22
  "<br /><br />" . __("There are situations when this slash is not being append. Turning on this option, all links will get a slash if not included as default. Disguise the existence of files and folders, since they will not be slashed as deafault, all receive an ending slashed.", 'wp-hide-security-enhancer') .
23
  "<br />" . __("For example the following link:" , 'wp-hide-security-enhancer') .
17
  'description' => __('Add an end slash to all links which does not include one.', 'wp-hide-security-enhancer'). '<br /> ',
18
 
19
  'help' => array(
20
+ 'title' => __('Help', 'wp-hide-security-enhancer') . ' - ' . __('URL\'s add Slash', 'wp-hide-security-enhancer'),
21
  'description' => __("As default the WordPress url's format include an ending slash. ", 'wp-hide-security-enhancer') .
22
  "<br /><br />" . __("There are situations when this slash is not being append. Turning on this option, all links will get a slash if not included as default. Disguise the existence of files and folders, since they will not be slashed as deafault, all receive an ending slashed.", 'wp-hide-security-enhancer') .
23
  "<br />" . __("For example the following link:" , 'wp-hide-security-enhancer') .
modules/components/security-add_headers.php ADDED
@@ -0,0 +1,179 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ <?php
2
+
3
+ if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
4
+
5
+ class WPH_module_general_security_add_headers extends WPH_module_component
6
+ {
7
+ function get_component_title()
8
+ {
9
+ return "Add Headers";
10
+ }
11
+
12
+ function get_module_settings()
13
+ {
14
+
15
+ $this->module_settings[] = array(
16
+ 'id' => 'remove_header_link',
17
+ 'label' => __('Remove Link Header', 'wp-hide-security-enhancer'),
18
+ 'description' => __('Remove Link Header being set as default by WordPress which outputs the site JSON url.', 'wp-hide-security-enhancer'),
19
+
20
+ 'help' => array(
21
+ 'title' => __('Help', 'wp-hide-security-enhancer') . ' - ' . __('Remove Version', 'wp-hide-security-enhancer'),
22
+ 'description' => __("HTTP header fields are components of the header section of a request and response messages in the Hypertext Transfer Protocol (HTTP). They define the operating parameters of an HTTP transaction.", 'wp-hide-security-enhancer') .
23
+ "<br /><br />" . __("Sample header:", 'wp-hide-security-enhancer') .
24
+ "<br /><code>Link: &lt;http://-domain-name-/wp-json/&gt;; rel=&quot;https://api.w.org/&quot;</code>",
25
+ 'option_documentation_url' => 'https://wp-hide.com/documentation/request-headers/'
26
+ ),
27
+
28
+ 'input_type' => 'radio',
29
+ 'options' => array(
30
+ 'no' => __('No', 'wp-hide-security-enhancer'),
31
+ 'yes' => __('Yes', 'wp-hide-security-enhancer'),
32
+ ),
33
+ 'default_value' => 'no',
34
+
35
+ 'sanitize_type' => array('sanitize_title', 'strtolower'),
36
+ 'processing_order' => 70
37
+ );
38
+
39
+
40
+ $this->module_settings[] = array(
41
+ 'id' => 'remove_x_powered_by',
42
+ 'label' => __('Remove X-Powered-By Header', 'wp-hide-security-enhancer'),
43
+ 'description' => __('Remove X-Powered-By Header if being set.', 'wp-hide-security-enhancer'),
44
+
45
+ 'help' => array(
46
+ 'title' => __('Help', 'wp-hide-security-enhancer') . ' - ' . __('Remove X-Powered-By Header', 'wp-hide-security-enhancer'),
47
+ 'description' => __("Sample header:", 'wp-hide-security-enhancer') .
48
+ "<br /><code>x-powered-by: 'W3 Total Cache/0.9.5'</code>",
49
+ 'option_documentation_url' => 'https://wp-hide.com/documentation/request-headers/'
50
+ ),
51
+
52
+ 'input_type' => 'radio',
53
+ 'options' => array(
54
+ 'no' => __('No', 'wp-hide-security-enhancer'),
55
+ 'yes' => __('Yes', 'wp-hide-security-enhancer'),
56
+ ),
57
+ 'default_value' => 'no',
58
+
59
+ 'sanitize_type' => array('sanitize_title', 'strtolower'),
60
+ 'processing_order' => 70
61
+ );
62
+
63
+ $this->module_settings[] = array(
64
+ 'id' => 'remove_x_pingback',
65
+ 'label' => __('Remove X-Pingback Header', 'wp-hide-security-enhancer'),
66
+ 'description' => __('Remove X-Pingback Header if being set.', 'wp-hide-security-enhancer'),
67
+
68
+ 'help' => array(
69
+ 'title' => __('Help', 'wp-hide-security-enhancer') . ' - ' . __('Remove X-Pingback Header', 'wp-hide-security-enhancer'),
70
+ 'description' => __("Pingback is one of four types of linkback methods for Web authors to request notification when somebody links to one of their documents. This enables authors to keep track of who is linking to, or referring to their articles. Pingback-enabled resources must either use an X-Pingback header or contain a element to the XML-RPC script.", 'wp-hide-security-enhancer'),
71
+ 'option_documentation_url' => 'https://wp-hide.com/documentation/request-headers/'
72
+ ),
73
+
74
+ 'input_type' => 'radio',
75
+ 'options' => array(
76
+ 'no' => __('No', 'wp-hide-security-enhancer'),
77
+ 'yes' => __('Yes', 'wp-hide-security-enhancer'),
78
+ ),
79
+ 'default_value' => 'no',
80
+
81
+ 'sanitize_type' => array('sanitize_title', 'strtolower'),
82
+ 'processing_order' => 70
83
+ );
84
+
85
+
86
+ return $this->module_settings;
87
+ }
88
+
89
+
90
+ function _init_remove_header_link( $saved_field_data )
91
+ {
92
+ if(empty($saved_field_data) || $saved_field_data == 'no')
93
+ return FALSE;
94
+
95
+ remove_action( 'template_redirect', 'rest_output_link_header', 11, 0 );
96
+
97
+ }
98
+
99
+
100
+ function _init_remove_x_powered_by($saved_field_data)
101
+ {
102
+ if(empty($saved_field_data) || $saved_field_data == 'no')
103
+ return FALSE;
104
+
105
+
106
+ }
107
+
108
+ function _callback_saved_remove_x_powered_by($saved_field_data)
109
+ {
110
+ $processing_response = array();
111
+
112
+ if(empty($saved_field_data) || $saved_field_data == 'no')
113
+ return FALSE;
114
+
115
+ if($this->wph->server_htaccess_config === TRUE)
116
+ $processing_response['rewrite'] = '
117
+ <FilesMatch "">
118
+ <IfModule mod_headers.c>
119
+ Header unset X-Powered-By
120
+ </IfModule>
121
+ </FilesMatch>';
122
+
123
+ if($this->wph->server_web_config === TRUE)
124
+ {
125
+ //this goes after </rules> section
126
+ //to be implemented at a later version
127
+ /*
128
+ $processing_response['rewrite'] = '
129
+ <outboundRules>
130
+ <rule name="wph-bcdscsdh">
131
+ <match serverVariable="RESPONSE_X-POWERED-BY" pattern=".*" ignoreCase="true" />
132
+ <action type="Rewrite" value="" />
133
+ </rule>
134
+ </outboundRules>
135
+ ';
136
+ */
137
+
138
+ $processing_response['rewrite'] = '';
139
+ }
140
+
141
+ return $processing_response;
142
+ }
143
+
144
+
145
+ function _init_remove_x_pingback($saved_field_data)
146
+ {
147
+ if(empty($saved_field_data) || $saved_field_data == 'no')
148
+ return FALSE;
149
+
150
+
151
+ }
152
+
153
+ function _callback_saved_remove_x_pingback($saved_field_data)
154
+ {
155
+ $processing_response = array();
156
+
157
+ if(empty($saved_field_data) || $saved_field_data == 'no')
158
+ return FALSE;
159
+
160
+ if($this->wph->server_htaccess_config === TRUE)
161
+ $processing_response['rewrite'] = '
162
+ <FilesMatch "">
163
+ <IfModule mod_headers.c>
164
+ Header unset X-Pingback
165
+ </IfModule>
166
+ </FilesMatch>';
167
+
168
+ if($this->wph->server_web_config === TRUE)
169
+ {
170
+
171
+ $processing_response['rewrite'] = '';
172
+ }
173
+
174
+ return $processing_response;
175
+ }
176
+
177
+
178
+ }
179
+ ?>
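Review bot: `_callback_saved_remove_x_powered_by()` and `_callback_saved_remove_x_pingback()` return their `Header unset` rules under `'rewrite'` without `'type' => 'header'`, so they are emitted inside the `<IfModule mod_rewrite.c>` block and not in the new `<IfModule mod_headers.c>` block that include/wph.class.php builds for header rules; set the type and drop the inner `<IfModule mod_headers.c>` wrapper so all header directives live in one place. When `server_web_config` is TRUE both callbacks return an empty rule, so on IIS the option reads "Yes" but does nothing, which the option description should say. The help title for `remove_header_link` (line 21) still reads 'Remove Version', and the two `_init_remove_x_*` methods are empty apart from the early return and could be removed or documented as placeholders.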
modules/components/security-check_headers.php ADDED
@@ -0,0 +1,309 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ <?php
2
+
3
+ if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
4
+
5
+ class WPH_module_general_security_check_headers extends WPH_module_component
6
+ {
7
+
8
+ private $headers = array ();
9
+
10
+ function get_component_title()
11
+ {
12
+ return "Check Headers";
13
+ }
14
+
15
+ function get_module_settings()
16
+ {
17
+
18
+ $this->_set_headers();
19
+
20
+ $this->module_settings[] = array(
21
+ 'id' => 'check_headers',
22
+ 'label' => __('Check Headers', 'wp-hide-security-enhancer'),
23
+
24
+ 'help' => array(
25
+ 'description' => '<h4 class="important">'. __("HTTP Response Headers are a powerful tool to Harden Your Website.<br />Misusing the headers, can easily break the site layout and functionality. Ensure you understand the proper usage for each option before configuring. Once the Headers setup completed, a thorough check for the front side is recommended.", 'wp-hide-security-enhancer') . '</h4>' .
26
+
27
+ "<div class='help-section'><h4>" . __( "Recovery", 'wp-hide-security-enhancer' ) . '</h4>' .
28
+ '<p class="important"><span class="dashicons dashicons-warning important" alt="f534"></span> ' . __('Copy the following link to a safe place. You can use it to reset the header options if something goes wrong:', 'wp-hide-security-enhancer') . '</p><p> <b><span id="wph-recovery-link" onClick="WPH.selectText( \'wph-recovery-link\' )">' . trailingslashit ( home_url() ) . '?wph-recovery=' . $this->wph->functions->get_recovery_code() .'&reset_headers=1&rand=' . rand( 10000,9999999) .'</span></b></p></div>' .
29
+
30
+ "<div class='help-section'><h4>" . __( "Sample Setup", 'wp-hide-security-enhancer' ) . '</h4>' .
31
+ '<p>' . __('Create a sample setup for Headers. That will overwrite any Headers settings previously created through the plugin options. The sample setup creates a basic Headers implementation that is commonly safe on any site. For better performances, further manual adjustments are necesarelly.', 'wp-hide-security-enhancer') .'</p><p><input type="hidden" name="wph-headers-sample-setup" value="true" /><input type="button" class="button-secondary" value="' . __('Create Sample Setup', 'wp-hide-security-enhancer') .'" onclick="WPH.runSampleHeaders();"></p></div>' .
32
+
33
+ "<br /><br />" .__("The Hypertext Transfer Protocol (HTTP) is based on a client-server architecture, in which the client ( typically a web browser application ) establishes a connection with the server through a destination URL and waits for a response.", 'wp-hide-security-enhancer') .
34
+ "<br /><br />" .__("The HTTP Headers allow the client and the server send additional pieces of information with the HTTP request or response.", 'wp-hide-security-enhancer') .
35
+ "<br /><br />" .__("The HTTP Headers are categorised by their purpose: Authentication, Caching, Client hints, Conditionals, Connection management, Content negotiation, Controls, Cookies, CORS, Downloads, Message body information, Proxies, Redirects, Request context, Response context, Range requests, <b>Security</b>, Server-sent events, Transfer coding, WebSockets, Other", 'wp-hide-security-enhancer') .
36
+ "<br /><br />" . __("This area provides support for the <b>", 'wp-hide-security-enhancer'). '<a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#security" target="_blank">Security Headers</b></a>' . __(" type. Those are the ones responsible for the security implementation for any page.", 'wp-hide-security-enhancer') ,
37
+ 'option_documentation_url' => 'https://wp-hide.com/harden-your-website-using-security-headers/'
38
+ ),
39
+
40
+ 'interface_help_split' => FALSE,
41
+
42
+ 'require_save' => FALSE,
43
+
44
+ 'input_type' => 'custom',
45
+ 'default_value' => array(),
46
+
47
+ 'module_option_html_render' => array( $this, '_module_option_html' ),
48
+ 'module_option_processing' => array( $this, '_module_option_processing' ),
49
+
50
+ );
51
+
52
+
53
+
54
+ return $this->module_settings;
55
+ }
56
+
57
+
58
+ private function _set_headers()
59
+ {
60
+ $this->headers['cross-origin-embedder-policy'] = array (
61
+ 'title' => 'Cross-Origin-Embedder-Policy',
62
+ 'description' => __('Allows a server to declare an embedder policy for a given document.', 'wp-hide-security-enhancer'),
63
+ 'link' => 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#security',
64
+ 'availability' => 'all'
65
+ );
66
+ $this->headers['cross-origin-opener-policy'] = array (
67
+ 'title' => 'Cross-Origin-Opener-Policy',
68
+ 'description' => __('Prevents other domains from opening/controlling a window.', 'wp-hide-security-enhancer'),
69
+ 'link' => 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#security',
70
+ 'availability' => 'all'
71
+ );
72
+ $this->headers['cross-origin-resource-policy'] = array (
73
+ 'title' => 'Cross-Origin-Resource-Policy',
74
+ 'description' => __('Prevents other domains from reading the response of the resources to which this header is applied.', 'wp-hide-security-enhancer'),
75
+ 'link' => 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#security',
76
+ 'availability' => 'all'
77
+ );
78
+ $this->headers['content-security-policy'] = array (
79
+ 'title' => 'Content-Security-Policy',
80
+ 'description' => __('Controls resources the user agent is allowed to load for a given page.', 'wp-hide-security-enhancer'),
81
+ 'link' => 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#security',
82
+ 'availability' => 'pro'
83
+ );
84
+ $this->headers['content-security-policy-report-only'] = array (
85
+ 'title' => 'Content-Security-Policy-Report-Only',
86
+ 'description' => __('Allows web developers to experiment with policies by monitoring, but not enforcing, their effects. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI.', 'wp-hide-security-enhancer'),
87
+ 'link' => 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#security',
88
+ 'availability' => 'pro'
89
+ );
90
+ $this->headers['expect-ct'] = array (
91
+ 'title' => 'Expect-CT',
92
+ 'description' => __('Allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements, which prevents the use of misissued certificates for that site from going unnoticed. When a site enables the Expect-CT header, they are requesting that Chrome check that any certificate for that site appears in public CT logs.', 'wp-hide-security-enhancer'),
93
+ 'link' => 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#security',
94
+ 'availability' => 'pro'
95
+ );
96
+ $this->headers['feature-policy'] = array (
97
+ 'title' => 'Feature-Policy',
98
+ 'description' => __('Provides a mechanism to allow and deny the use of browser features in its own frame, and in iframes that it embeds.', 'wp-hide-security-enhancer'),
99
+ 'link' => 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#security',
100
+ 'availability' => 'pro'
101
+ );
102
+ $this->headers['strict-transport-security'] = array (
103
+ 'title' => 'Strict-Transport-Security',
104
+ 'description' => __('Force communication using HTTPS instead of HTTP.', 'wp-hide-security-enhancer'),
105
+ 'link' => 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#security',
106
+ 'availability' => 'pro'
107
+ );
108
+ $this->headers['x-content-type-options'] = array (
109
+ 'title' => 'X-Content-Type-Options',
110
+ 'description' => __('Disables MIME sniffing and forces browser to use the type given in Content-Type.', 'wp-hide-security-enhancer'),
111
+ 'link' => 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#security',
112
+ 'availability' => 'all'
113
+ );
114
+ $this->headers['x-download-options'] = array (
115
+ 'title' => 'X-Download-Options',
116
+ 'description' => __('The X-Download-Options HTTP header indicates that the browser (Internet Explorer) should not display the option to "Open" a file that has been downloaded from an application, to prevent phishing attacks as the file otherwise would gain access to execute in the context of the application.', 'wp-hide-security-enhancer'),
117
+ 'link' => 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#security',
118
+ 'availability' => 'all'
119
+ );
120
+ $this->headers['x-frame-options'] = array (
121
+ 'title' => 'X-Frame-Options',
122
+ 'description' => __('Indicates whether a browser should be allowed to render a page in a &#60;frame&#62;, &#60;iframe&#62;, &#60;embed&#62; or &#60;object&#62;', 'wp-hide-security-enhancer'),
123
+ 'link' => 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#security',
124
+ 'availability' => 'all'
125
+ );
126
+ $this->headers['x-permitted-cross-domain-policies'] = array (
127
+ 'title' => 'X-Permitted-Cross-Domain-Policies',
128
+ 'description' => __('Specifies if a cross-domain policy file (crossdomain.xml) is allowed. The file may define a policy to grant clients, such as Adobe\'s Flash Player (now obsolete), Adobe Acrobat, Microsoft Silverlight (now obsolete), or Apache Flex, permission to handle data across domains that would otherwise be restricted due to the Same-Origin Policy. See the Cross-domain Policy File Specification for more information.', 'wp-hide-security-enhancer'),
129
+ 'link' => 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#security',
130
+ 'availability' => 'all'
131
+ );
132
+
133
+ }
134
+
135
+
136
+ function _init_check_headers( $saved_field_data )
137
+ {
138
+ add_action( 'wp_ajax_wph_check_headers', array ( $this, 'wp_ajax_wph_check_headers' ) );
139
+ }
140
+
141
+
142
+ function _module_option_html( $module_setting )
143
+ {
144
+ ?>
145
+ <br />
146
+ <h4><?php _e( 'The current protection level is', 'wp-hide-security-enhancer') ?></h4>
147
+ <br />
148
+ <link rel="stylesheet" href="<?php echo WPH_URL; ?>/assets/css/graph.css" />
149
+ <div id="wph-headers-graph">
150
+ <div class="wph-graph-container">
151
+ <div class="wph-graph-bg"></div>
152
+ <div class="wph-graph-text"></div>
153
+ <div class="wph-graph-progress"></div>
154
+ <div class="wph-graph-data"><span>Check Headers First.</span></div>
155
+ </div>
156
+ </div>
157
+ <div id="wph-check-headers">
158
+ <button id="wph-check-headers-button" type="button" class="button button-primary" onClick="WPH.check_headers( '<?php echo esc_attr ( wp_create_nonce( 'wph/check_headers') ) ?>')"><?php _e('Check Current Headers', 'wp-hide-security-enhancer') ?></button><span class="spinner"></span>
159
+ </div>
160
+ <div id="wph-headers-container"></div>
161
+ <script type="text/javascript">
162
+ jQuery('#wph-check-headers-button').click();
163
+ </script>
164
+ <?php
165
+ }
166
+
167
+
168
+ function wp_ajax_wph_check_headers()
169
+ {
170
+
171
+ if ( ! wp_verify_nonce( $_POST['nonce'], 'wph/check_headers' ) )
172
+ die();
173
+
174
+ $_JSON_response = array();
175
+
176
+ $site_url = apply_filters( 'wp-hide/check_headers/url', home_url() );
177
+ $response = wp_remote_head( $site_url );
178
+
179
+ if ( ! is_array( $response ) )
180
+ {
181
+ $_JSON_response['html'] = __( "<br />Unable to parse the site Headers. The wp_remote_head() returned an invalid Response, check with your host support for more details. Unable to identify your site Headers.", 'wp-hide-security-enhancer' );
182
+ if ( is_wp_error( $response ) )
183
+ $_JSON_response['html'] .= "<br /><b>" . $response->get_error_message() . '</b>';
184
+ $_JSON_response['graph']['message'] = 'Error';
185
+ $_JSON_response['graph']['value'] = '0';
186
+ echo json_encode( $_JSON_response );
187
+ die();
188
+ }
189
+
190
+ $http_response = $response['http_response'];
191
+ if ( ! is_object( $http_response ) )
192
+ {
193
+ $_JSON_response['html'] = __( "<br />Invalid WP_HTTP_Requests_Response object. The wp_remote_head() returned an invalid Response, check with your host support for more details.", 'wp-hide-security-enhancer' );
194
+ $_JSON_response['graph']['message'] = 'Error';
195
+ $_JSON_response['graph']['value'] = '0';
196
+ echo json_encode( $_JSON_response );
197
+ die();
198
+ }
199
+
200
+ if ( empty ( $http_response->get_status() ) )
201
+ {
202
+ $_JSON_response['html'] = __( "<br />Unable to parse the site Headers. The wp_remote_head() returns invalid Response Code, check with your host support for more details.", 'wp-hide-security-enhancer' );
203
+ $_JSON_response['graph']['message'] = 'Error';
204
+ $_JSON_response['graph']['value'] = '0';
205
+ echo json_encode( $_JSON_response );
206
+ die();
207
+ }
208
+ if ( $http_response->get_status() != 200 )
209
+ {
210
+ if ( $http_response->get_status() == 401 )
211
+ {
212
+ $_JSON_response['html'] = __( "<br />Unable to parse the site Headers. The wp_remote_head() returns a 401 error code, the request could not be authenticated. Does the site use an httpd password?", 'wp-hide-security-enhancer' );
213
+ $_JSON_response['graph']['message'] = 'Error';
214
+ $_JSON_response['graph']['value'] = '0';
215
+ echo json_encode( $_JSON_response );
216
+ die();
217
+ }
218
+
219
+ $_JSON_response['html'] = __( "<br />Unable to parse the site Headers. The wp_remote_head() returns wrong Response Code", 'wp-hide-security-enhancer' ) . $http_response->get_status() . __(", check with your host support for more details.", 'wp-hide-security-enhancer' );
220
+ $_JSON_response['graph']['message'] = 'Error';
221
+ $_JSON_response['graph']['value'] = '0';
222
+ echo json_encode( $_JSON_response );
223
+ die();
224
+ }
225
+
226
+ $headers = $http_response->get_headers();
227
+
228
+ ob_start();
229
+
230
+ ?>
231
+ <div id="wph-headers">
232
+ <table class="found-headers">
233
+ <thead>
234
+ <tr>
235
+ <th style="width: 30%"><?php _e('Header', 'wp-hide-security-enhancer') ?></th>
236
+ <th><?php _e('Value', 'wp-hide-security-enhancer') ?></th>
237
+ </tr>
238
+ </thead>
239
+ <tbody>
240
+ <?php
241
+
242
+ $found_headers = array ( );
243
+
244
+ foreach ( $headers->getAll() as $header_key => $header_value )
245
+ {
246
+ $header_key = strtolower ( $header_key ) ;
247
+ $header_key = trim ( $header_key );
248
+
249
+ $is_security_header = FALSE;
250
+
251
+ if ( isset( $this->headers[ $header_key ] ) )
252
+ {
253
+ $is_security_header = TRUE;
254
+ $found_headers[] = $header_key;
255
+ }
256
+ ?>
257
+ <tr<?php if ( $is_security_header ){ echo ' class="security-header" ';} ?>>
258
+ <td style="width: 30%"><?php echo $header_key ?><?php if ( $is_security_header ){ echo ' <span class="dashicons dashicons-saved"></span>';} ?></td>
259
+ <td><?php echo $header_value ?></td>
260
+ </tr>
261
+ <?php
262
+ }
263
+ ?>
264
+ </tbody>
265
+ </table>
266
+ </div>
267
+ <p class="found-headers-info"><small>[ Found <?php echo count ( $found_headers ) ?> security headers ]</small></p>
268
+
269
+ <p>&nbsp;</p>
270
+ <h4><?php _e('Consider adding more security headers:', 'wp-hide-security-enhancer') ?></h4>
271
+ <?php
272
+
273
+ foreach ( $this->headers as $header_key => $header_data )
274
+ {
275
+ if ( in_array ( $header_key, $found_headers ) )
276
+ continue;
277
+
278
+ ?><p><a href="<?php echo $header_data['link'] ?>" target="_blank"><code><?php echo $header_key ?></code></a><?php if ( $header_data['availability'] == 'pro' ) { echo ' <span class="wph-pro">PRO</span>'; } ?><br /><?php echo $header_data['description'] ?></p><?php
279
+ }
280
+
281
+ $_JSON_response['html'] = ob_get_clean();
282
+
283
+ $progress = round ( count ( $found_headers ) * 180 / 12 );
284
+ if ( $progress < 1 )
285
+ $progress = 1;
286
+ $_JSON_response['graph']['value'] = $progress;
287
+
288
+ $_JSON_response['graph']['message'] = "<b>" . round ( ( $progress * 100 ) / 180 ) . '%</b>';
289
+ $_JSON_response['graph']['message'] .= '<br />';
290
+ if ( $progress < 20 )
291
+ $_JSON_response['graph']['message'] .= 'Poor';
292
+ else if ( $progress >= 20 and $progress < 40 )
293
+ $_JSON_response['graph']['message'] .= 'Fair';
294
+ else if ( $progress >= 40 and $progress < 60 )
295
+ $_JSON_response['graph']['message'] .= 'Good';
296
+ else if ( $progress >= 60 and $progress < 80 )
297
+ $_JSON_response['graph']['message'] .= 'Great';
298
+ else if ( $progress > 80 )
299
+ $_JSON_response['graph']['message'] .= 'Excelent';
300
+
301
+ echo json_encode( $_JSON_response );
302
+
303
+ die();
304
+
305
+ }
306
+
307
+
308
+ }
309
+ ?>
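Review bot: in wp_ajax_wph_check_headers(), the table rows print `echo $header_key` and `echo $header_value` straight into the HTML returned to the admin page, so whatever the fetched response carries in its headers is rendered unescaped; wrap both in esc_html(). The same handler reads `$_POST['nonce']` without an isset() check and verifies only the nonce, with no current_user_can() check, so any logged-in user who obtains a valid nonce can trigger the server-side wp_remote_head() request. Separately, the rating block compares `$progress` (a 0 to 180 gauge value) against 20/40/60/80 as if it were a percentage: six of twelve headers gives progress 90, which is displayed as 50% but labelled 'Excelent'. Compare the computed percentage instead, make the last branch `>= 80` so no value falls through unlabelled, and correct the spelling to 'Excellent'.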
modules/components/security-header-cross-origin-embedder-policy.php ADDED
@@ -0,0 +1,150 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ <?php
2
+
3
+ if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
4
+
5
+ class WPH_module_general_security_header_cross_origin_embedder_policy extends WPH_module_component
6
+ {
7
+
8
+ private $headers = array ();
9
+
10
+ function get_component_title()
11
+ {
12
+ return "Cross-Origin-Embedder-Policy (COEP)";
13
+ }
14
+
15
+ function get_module_settings()
16
+ {
17
+
18
+ $this->module_settings[] = array(
19
+ 'id' => 'cross_origin_embedder_policy',
20
+ 'label' => __('Cross-Origin-Embedder-Policy (COEP)', 'wp-hide-security-enhancer'),
21
+
22
+ 'help' => array(
23
+ 'title' => __('Help', 'wp-hide-security-enhancer') . ' - ' . __('Cross-Origin-Embedder-Policy', 'wp-hide-security-enhancer'),
24
+ 'description' => __("The HTTP Cross-Origin-Embedder-Policy (COEP) response header prevents a document from loading any cross-origin resources that don't explicitly grant the document permission (using CORP or CORS).", 'wp-hide-security-enhancer') .
25
+ "<br /><br />" . __("Options:", 'wp-hide-security-enhancer') .
26
+ "<br /><b>unsafe-none</b> - " . __("This is the default value. Allows the document to fetch cross-origin resources without giving explicit permission through the CORS protocol or the Cross-Origin-Resource-Policy header.", 'wp-hide-security-enhancer') .
27
+ "<br /><b>require-corp</b> - " . __("A document can only load resources from the same origin, or resources explicitly marked as loadable from another origin. If a cross origin resource supports CORS, the crossorigin attribute or the Cross-Origin-Resource-Policy header must be used to load it without being blocked by COEP.", 'wp-hide-security-enhancer') ,
28
+ 'option_documentation_url' => 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy'
29
+ ),
30
+
31
+ 'input_type' => 'custom',
32
+
33
+ 'module_option_html_render' => array( $this, '_module_option_html' ),
34
+ 'module_option_processing' => array( $this, '_module_option_processing' ),
35
+
36
+ );
37
+
38
+
39
+ return $this->module_settings;
40
+
41
+ }
42
+
43
+ function _get_default_options()
44
+ {
45
+
46
+ $options = array (
47
+ 'enabled' => 'no',
48
+ 'value' => 'unsafe-none'
49
+ );
50
+ return $options;
51
+ }
52
+
53
+
54
+ function _init_cross_origin_embedder_policy( $saved_field_data )
55
+ {
56
+
57
+ }
58
+
59
+ function _module_option_html( $module_settings )
60
+ {
61
+
62
+ $values = $this->wph->functions->get_module_item_setting( $module_settings['id'] );
63
+ $module_settings = shortcode_atts ( $this->_get_default_options(), (array)$values )
64
+
65
+ ?>
66
+ <div class="row xspacer header">
67
+ <p><?php _e('Enable Header', 'wp-hide-security-enhancer') ?></p>
68
+ <fieldset>
69
+ <label>
70
+ <input type="radio" class="radio" value="no" name="enabled" <?php if ( $module_settings['enabled'] == 'no' ) { ?>checked="checked"<?php } ?>> <span>No</span>
71
+ </label>
72
+ <label>
73
+ <input type="radio" class="radio" value="yes" name="enabled" <?php if ( $module_settings['enabled'] == 'yes' ) { ?>checked="checked"<?php } ?>> <span>Yes</span>
74
+ </label>
75
+ </fieldset>
76
+ </div>
77
+
78
+ <p><b><?php _e('Header Options', 'wp-hide-security-enhancer') ?></b></p>
79
+ <div class="row spacer">
80
+ <fieldset>
81
+ <label>
82
+ <input type="radio" class="radio" value="unsafe-none" name="value" <?php if ( $module_settings['value'] == 'unsafe-none' ) { ?>checked="checked"<?php } ?>> <span>unsafe-none</span>
83
+ </label>
84
+ <label>
85
+ <input type="radio" class="radio" value="require-corp" name="value" <?php if ( $module_settings['value'] == 'require-corp' ) { ?>checked="checked"<?php } ?>> <span>require-corp</span>
86
+ </label>
87
+ </fieldset>
88
+ </div>
89
+
90
+
91
+
92
+ <?php
93
+ }
94
+
95
+
96
+ function _module_option_processing( $field_name )
97
+ {
98
+
99
+ $results = array();
100
+
101
+ $module_settings = shortcode_atts ( $this->_get_default_options(), array() );
102
+ foreach ( $module_settings as $setting_name => $setting_value )
103
+ {
104
+ if ( ! isset ( $_POST[ $setting_name ] ) )
105
+ continue;
106
+
107
+ $value = preg_replace( '/[^a-zA-Z0-9-_]/m' , '', $_POST[ $setting_name ] );
108
+ if ( empty ( $value ) )
109
+ continue;
110
+
111
+ $module_settings[ $setting_name ] = $value;
112
+ }
113
+
114
+ $results['value'] = $module_settings;
115
+
116
+ return $results;
117
+
118
+ }
119
+
120
+
121
+ function _callback_saved_cross_origin_embedder_policy($saved_field_data)
122
+ {
123
+
124
+ if ( empty ( $saved_field_data ) || $saved_field_data['enabled'] == 'no' )
125
+ return FALSE;
126
+
127
+ $processing_response = array();
128
+
129
+ $rewrite = '';
130
+
131
+ if($this->wph->server_htaccess_config === TRUE)
132
+ {
133
+ $rewrite .= "\n" . ' Header set Cross-Origin-Embedder-Policy "' . $saved_field_data['value'] .'"';
134
+ }
135
+
136
+ if($this->wph->server_web_config === TRUE)
137
+ {
138
+
139
+ }
140
+
141
+ $processing_response['rewrite'] = $rewrite;
142
+ $processing_response['type'] = 'header';
143
+
144
+ return $processing_response;
145
+
146
+ }
147
+
148
+
149
+ }
150
+ ?>
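Review bot: _module_option_processing() only strips characters with `preg_replace( '/[^a-zA-Z0-9-_]/m' , '', $_POST[ $setting_name ] )` and never checks the result against the values the form offers, so any alphanumeric token posted as `value` is saved and later concatenated into the `Header set Cross-Origin-Embedder-Policy "..."` line by _callback_saved_cross_origin_embedder_policy(). The character filter keeps quotes and newlines out of the .htaccess line, but an unknown token still yields an invalid header that the UI reports as enabled. Validate with in_array() against 'unsafe-none' and 'require-corp' (and 'yes'/'no' for `enabled`) and fall back to the defaults otherwise. The `server_web_config` branch is also empty, so on that server type the option saves as enabled but produces no rule; either implement it or surface that the header is not supported there.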
modules/components/security-header-cross-origin-opener-policy.php ADDED
@@ -0,0 +1,160 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ <?php
2
+
3
+ if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
4
+
5
+ class WPH_module_general_security_header_cross_origin_opener_policy extends WPH_module_component
6
+ {
7
+
8
+ private $headers = array ();
9
+
10
+ function get_component_title()
11
+ {
12
+ return "Cross-Origin-Opener-Policy (COOP)";
13
+ }
14
+
15
+ function get_module_settings()
16
+ {
17
+
18
+ $this->module_settings[] = array(
19
+ 'id' => 'cross_origin_opener_policy',
20
+ 'label' => __('Cross-Origin-Embedder-Policy (COOP)', 'wp-hide-security-enhancer'),
21
+
22
+ 'help' => array(
23
+ 'title' => __('Help', 'wp-hide-security-enhancer') . ' - ' . __('Cross-Origin-Embedder-Policy', 'wp-hide-security-enhancer'),
24
+ 'description' => __("The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you to ensure a top-level document does not share a browsing context group with cross-origin documents.", 'wp-hide-security-enhancer') .
25
+ "<br />" . __("COOP will process-isolate your document and potential attackers can't access your global object if they were to open it in a popup, preventing a set of cross-origin attacks dubbed XS-Leaks.", 'wp-hide-security-enhancer') .
26
+ "<br />" . __("If a cross-origin document with COOP is opened in a new window, the opening document will not have a reference to it, and the window.opener property of the new window will be null. This allows you to have more control over references to a window than rel=noopener, which only affects outgoing navigations.", 'wp-hide-security-enhancer') .
27
+ "<br /><br />" . __("Options:", 'wp-hide-security-enhancer') .
28
+ "<br /><b>unsafe-none</b> - " . __("This is the default value. Allows the document to be added to its opener's browsing context group unless the opener itself has a COOP of same-origin or same-origin-allow-popups.", 'wp-hide-security-enhancer') .
29
+ "<br /><b>same-origin-allow-popups</b> - " . __("Retains references to newly opened windows or tabs that either don't set COOP or that opt out of isolation by setting a COOP of unsafe-none.", 'wp-hide-security-enhancer') .
30
+ "<br /><b>same-origin</b> - " . __("Isolates the browsing context exclusively to same-origin documents. Cross-origin documents are not loaded in the same browsing context.", 'wp-hide-security-enhancer'),
31
+ ),
32
+
33
+
34
+ 'input_type' => 'custom',
35
+
36
+ 'module_option_html_render' => array( $this, '_module_option_html' ),
37
+ 'module_option_processing' => array( $this, '_module_option_processing' ),
38
+
39
+ );
40
+
41
+
42
+ return $this->module_settings;
43
+
44
+
45
+
46
+ return $this->module_settings;
47
+ }
48
+
49
+ function _get_default_options()
50
+ {
51
+
52
+ $options = array (
53
+ 'enabled' => 'no',
54
+ 'value' => 'unsafe-none'
55
+ );
56
+ return $options;
57
+ }
58
+
59
+
60
+ function _init_cross_origin_embedder_policy( $saved_field_data )
61
+ {
62
+
63
+ }
64
+
65
+
66
+ function _module_option_html( $module_settings )
67
+ {
68
+
69
+ $values = $this->wph->functions->get_module_item_setting( $module_settings['id'] );
70
+ $module_settings = shortcode_atts ( $this->_get_default_options(), (array)$values )
71
+
72
+ ?>
73
+ <div class="row xspacer header">
74
+ <p><?php _e('Enable Header', 'wp-hide-security-enhancer') ?></p>
75
+ <fieldset>
76
+ <label>
77
+ <input type="radio" class="radio" value="no" name="enabled" <?php if ( $module_settings['enabled'] == 'no' ) { ?>checked="checked"<?php } ?>> <span>No</span>
78
+ </label>
79
+ <label>
80
+ <input type="radio" class="radio" value="yes" name="enabled" <?php if ( $module_settings['enabled'] == 'yes' ) { ?>checked="checked"<?php } ?>> <span>Yes</span>
81
+ </label>
82
+ </fieldset>
83
+ </div>
84
+
85
+ <p><?php _e('Header Options', 'wp-hide-security-enhancer') ?></p>
86
+ <div class="row spacer">
87
+ <fieldset>
88
+ <label>
89
+ <input type="radio" class="radio" value="unsafe-none" name="value" <?php if ( $module_settings['value'] == 'unsafe-none' ) { ?>checked="checked"<?php } ?>> <span>unsafe-none</span>
90
+ </label>
91
+ <label>
92
+ <input type="radio" class="radio" value="same-origin-allow-popups" name="value" <?php if ( $module_settings['value'] == 'same-origin-allow-popups' ) { ?>checked="checked"<?php } ?>> <span>same-origin-allow-popups</span>
93
+ </label>
94
+ <label>
95
+ <input type="radio" class="radio" value="same-origin" name="value" <?php if ( $module_settings['value'] == 'same-origin' ) { ?>checked="checked"<?php } ?>> <span>same-origin</span>
96
+ </label>
97
+ </fieldset>
98
+ </div>
99
+
100
+
101
+
102
+ <?php
103
+ }
104
+
105
+
106
+ function _module_option_processing( $field_name )
107
+ {
108
+
109
+ $results = array();
110
+
111
+ $module_settings = shortcode_atts ( $this->_get_default_options(), array() );
112
+ foreach ( $module_settings as $setting_name => $setting_value )
113
+ {
114
+ if ( ! isset ( $_POST[ $setting_name ] ) )
115
+ continue;
116
+
117
+ $value = preg_replace( '/[^a-zA-Z0-9-_]/m' , '', $_POST[ $setting_name ] );
118
+ if ( empty ( $value ) )
119
+ continue;
120
+
121
+ $module_settings[ $setting_name ] = $value;
122
+ }
123
+
124
+ $results['value'] = $module_settings;
125
+
126
+ return $results;
127
+
128
+ }
129
+
130
+
131
+ function _callback_saved_cross_origin_opener_policy($saved_field_data)
132
+ {
133
+
134
+ if ( empty ( $saved_field_data ) || $saved_field_data['enabled'] == 'no' )
135
+ return FALSE;
136
+
137
+ $processing_response = array();
138
+
139
+ $rewrite = '';
140
+
141
+ if($this->wph->server_htaccess_config === TRUE)
142
+ {
143
+ $rewrite .= "\n" . ' Header set Cross-Origin-Opener-Policy "' . $saved_field_data['value'] .'"';
144
+ }
145
+
146
+ if($this->wph->server_web_config === TRUE)
147
+ {
148
+
149
+ }
150
+
151
+ $processing_response['rewrite'] = $rewrite;
152
+ $processing_response['type'] = 'header';
153
+
154
+ return $processing_response;
155
+
156
+ }
157
+
158
+
159
+ }
160
+ ?>
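Review bot: this component was copied from the COEP one and several identifiers were not updated. In get_module_settings() the label reads 'Cross-Origin-Embedder-Policy (COOP)' and the help title 'Cross-Origin-Embedder-Policy', so the admin screen names the wrong header; both should say Cross-Origin-Opener-Policy. The init method is still named `_init_cross_origin_embedder_policy` while the setting id is 'cross_origin_opener_policy' and the save callback is `_callback_saved_cross_origin_opener_policy`, so if init methods are resolved by id this one is never called; rename it to match. get_module_settings() also contains a second, unreachable `return $this->module_settings;`. As in the COEP file, the posted `value` is only character-filtered, not checked against the three offered options, before it is written into the `Header set Cross-Origin-Opener-Policy` line.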
modules/components/security-header-cross-origin-resource-policy.php ADDED
@@ -0,0 +1,153 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ <?php
2
+
3
+ if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
4
+
5
+ class WPH_module_general_security_header_cross_origin_resource_policy extends WPH_module_component
6
+ {
7
+
8
+ private $headers = array ();
9
+
10
+ function get_component_title()
11
+ {
12
+ return "Cross-Origin-Resource-Policy (CORP)";
13
+ }
14
+
15
+ function get_module_settings()
16
+ {
17
+
18
+ $this->module_settings[] = array(
19
+ 'id' => 'cross_origin_resource_policy',
20
+ 'label' => __('Cross-Origin-Resource-Policy (CORP)', 'wp-hide-security-enhancer'),
21
+
22
+ 'help' => array(
23
+ 'title' => __('Help', 'wp-hide-security-enhancer') . ' - ' . __('Cross-Origin-Resource-Policy', 'wp-hide-security-enhancer'),
24
+ 'description' => __("The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (Cross-site_scripting). ", 'wp-hide-security-enhancer')
25
+ ),
26
+
27
+ 'input_type' => 'custom',
28
+
29
+ 'module_option_html_render' => array( $this, '_module_option_html' ),
30
+ 'module_option_processing' => array( $this, '_module_option_processing' ),
31
+
32
+ );
33
+
34
+
35
+ return $this->module_settings;
36
+
37
+
38
+
39
+ return $this->module_settings;
40
+ }
41
+
42
+ function _get_default_options()
43
+ {
44
+
45
+ $options = array (
46
+ 'enabled' => 'no',
47
+ 'value' => 'same-site'
48
+ );
49
+ return $options;
50
+ }
51
+
52
+
53
+ function _init_cross_origin_resource_policy( $saved_field_data )
54
+ {
55
+
56
+ }
57
+
58
+
59
+ function _module_option_html( $module_settings )
60
+ {
61
+
62
+ $values = $this->wph->functions->get_module_item_setting( $module_settings['id'] );
63
+ $module_settings = shortcode_atts ( $this->_get_default_options(), (array)$values )
64
+
65
+ ?>
66
+ <div class="row xspacer header">
67
+ <p><?php _e('Enable Header', 'wp-hide-security-enhancer') ?></p>
68
+ <fieldset>
69
+ <label>
70
+ <input type="radio" class="radio" value="no" name="enabled" <?php if ( $module_settings['enabled'] == 'no' ) { ?>checked="checked"<?php } ?>> <span>No</span>
71
+ </label>
72
+ <label>
73
+ <input type="radio" class="radio" value="yes" name="enabled" <?php if ( $module_settings['enabled'] == 'yes' ) { ?>checked="checked"<?php } ?>> <span>Yes</span>
74
+ </label>
75
+ </fieldset>
76
+ </div>
77
+
78
+ <p><b><?php _e('Header Options', 'wp-hide-security-enhancer') ?></b></p>
79
+ <div class="row spacer">
80
+ <fieldset>
81
+ <label>
82
+ <input type="radio" class="radio" value="same-site" name="value" <?php if ( $module_settings['value'] == 'same-site' ) { ?>checked="checked"<?php } ?>> <span>same-site</span>
83
+ </label>
84
+ <label>
85
+ <input type="radio" class="radio" value="same-origin" name="value" <?php if ( $module_settings['value'] == 'same-origin' ) { ?>checked="checked"<?php } ?>> <span>same-origin</span>
86
+ </label>
87
+ <label>
88
+ <input type="radio" class="radio" value="cross-origin" name="value" <?php if ( $module_settings['value'] == 'cross-origin' ) { ?>checked="checked"<?php } ?>> <span>cross-origin</span>
89
+ </label>
90
+ </fieldset>
91
+ </div>
92
+
93
+
94
+
95
+ <?php
96
+ }
97
+
98
+
99
+ function _module_option_processing( $field_name )
100
+ {
101
+
102
+ $results = array();
103
+
104
+ $module_settings = shortcode_atts ( $this->_get_default_options(), array() );
105
+ foreach ( $module_settings as $setting_name => $setting_value )
106
+ {
107
+ if ( ! isset ( $_POST[ $setting_name ] ) )
108
+ continue;
109
+
110
+ $value = preg_replace( '/[^a-zA-Z0-9-_]/m' , '', $_POST[ $setting_name ] );
111
+ if ( empty ( $value ) )
112
+ continue;
113
+
114
+ $module_settings[ $setting_name ] = $value;
115
+ }
116
+
117
+ $results['value'] = $module_settings;
118
+
119
+ return $results;
120
+
121
+ }
122
+
123
+
124
+ function _callback_saved_cross_origin_resource_policy($saved_field_data)
125
+ {
126
+
127
+ if ( empty ( $saved_field_data ) || $saved_field_data['enabled'] == 'no' )
128
+ return FALSE;
129
+
130
+ $processing_response = array();
131
+
132
+ $rewrite = '';
133
+
134
+ if($this->wph->server_htaccess_config === TRUE)
135
+ {
136
+ $rewrite .= "\n" . ' Header set Cross-Origin-Resource-Policy "' . $saved_field_data['value'] .'"';
137
+ }
138
+
139
+ if($this->wph->server_web_config === TRUE)
140
+ {
141
+
142
+ }
143
+
144
+ $processing_response['rewrite'] = $rewrite;
145
+ $processing_response['type'] = 'header';
146
+
147
+ return $processing_response;
148
+
149
+ }
150
+
151
+
152
+ }
153
+ ?>
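Review bot: the help 'description' in get_module_settings() describes a different header: it begins "The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load" while the component sets Cross-Origin-Resource-Policy. An administrator reading it gets no explanation of what 'same-site', 'same-origin' and 'cross-origin' do, and 'cross-origin' is the permissive choice, so the text should describe CORP and document each option the way the COEP and COOP components do. The method also has a duplicated, unreachable `return $this->module_settings;`, the `server_web_config` branch is empty, and the posted `value` is only character-filtered rather than checked against the three radio values before it reaches the `Header set Cross-Origin-Resource-Policy` line.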
modules/components/security-header-x-content-type-options.php ADDED
@@ -0,0 +1,149 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ <?php
2
+
3
+ if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
4
+
5
+ class WPH_module_general_security_header_x_content_type_options extends WPH_module_component
6
+ {
7
+
8
+ private $headers = array ();
9
+
10
+ function get_component_title()
11
+ {
12
+ return "X-Content-Type-Options";
13
+ }
14
+
15
+ function get_module_settings()
16
+ {
17
+
18
+ $this->module_settings[] = array(
19
+ 'id' => 'x_content_type_options',
20
+ 'label' => __('X-Content-Type-Options', 'wp-hide-security-enhancer'),
21
+
22
+ 'help' => array(
23
+ 'title' => __('Help', 'wp-hide-security-enhancer') . ' - ' . __('X-Content-Type-Options', 'wp-hide-security-enhancer'),
24
+ 'description' => __("The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not be changed. The header allows you to avoid MIME type sniffing by saying that the MIME types are deliberately configured.", 'wp-hide-security-enhancer') .
25
+ "<br />" . __("This header was introduced by Microsoft in IE 8 as a way for webmasters to block content sniffing that was happening and could transform non-executable MIME types into executable MIME types. Since then, other browsers have introduced it, even if their MIME sniffing algorithms were less aggressive.", 'wp-hide-security-enhancer') .
26
+ "<br />" . __("Starting with Firefox 72, top-level documents also avoid MIME sniffing (if Content-type is provided). This can cause HTML web pages to be downloaded instead of being rendered when they are served with a MIME type other than text/html. Make sure to set both headers correctly.", 'wp-hide-security-enhancer') .
27
+ "<br /><br />" . __("Options:", 'wp-hide-security-enhancer') .
28
+ "<br /><b>nosniff</b> - " . __("Blocks a request if the request destination is of type style and the MIME type is not text/css, or of type script and the MIME type is not a JavaScript MIME type.", 'wp-hide-security-enhancer')
29
+ ),
30
+
31
+ 'input_type' => 'custom',
32
+
33
+ 'module_option_html_render' => array( $this, '_module_option_html' ),
34
+ 'module_option_processing' => array( $this, '_module_option_processing' ),
35
+
36
+ );
37
+
38
+
39
+ return $this->module_settings;
40
+
41
+
42
+
43
+ return $this->module_settings;
44
+ }
45
+
46
+ function _get_default_options()
47
+ {
48
+
49
+ $options = array (
50
+ 'enabled' => 'no',
51
+ 'value' => 'nosniff'
52
+ );
53
+ return $options;
54
+ }
55
+
56
+ function _init_x_content_type_options( $saved_field_data )
57
+ {
58
+
59
+ }
60
+
61
+ function _module_option_html( $module_settings )
62
+ {
63
+
64
+ $values = $this->wph->functions->get_module_item_setting( $module_settings['id'] );
65
+ $module_settings = shortcode_atts ( $this->_get_default_options(), (array)$values )
66
+
67
+ ?>
68
+ <div class="row xspacer header">
69
+ <p><?php _e('Enable Header', 'wp-hide-security-enhancer') ?></p>
70
+ <fieldset>
71
+ <label>
72
+ <input type="radio" class="radio" value="no" name="enabled" <?php if ( $module_settings['enabled'] == 'no' ) { ?>checked="checked"<?php } ?>> <span>No</span>
73
+ </label>
74
+ <label>
75
+ <input type="radio" class="radio" value="yes" name="enabled" <?php if ( $module_settings['enabled'] == 'yes' ) { ?>checked="checked"<?php } ?>> <span>Yes</span>
76
+ </label>
77
+ </fieldset>
78
+ </div>
79
+
80
+ <p><?php _e('Header Options', 'wp-hide-security-enhancer') ?></p>
81
+ <div class="row spacer">
82
+ <fieldset>
83
+ <label>
84
+ <input type="radio" class="radio" value="nosniff" name="value" <?php if ( $module_settings['value'] == 'nosniff' ) { ?>checked="checked"<?php } ?>> <span>nosniff</span>
85
+ </label>
86
+ </fieldset>
87
+ </div>
88
+
89
+
90
+
91
+ <?php
92
+ }
93
+
94
+
95
+ function _module_option_processing( $field_name )
96
+ {
97
+
98
+ $results = array();
99
+
100
+ $module_settings = shortcode_atts ( $this->_get_default_options(), array() );
101
+ foreach ( $module_settings as $setting_name => $setting_value )
102
+ {
103
+ if ( ! isset ( $_POST[ $setting_name ] ) )
104
+ continue;
105
+
106
+ $value = preg_replace( '/[^a-zA-Z0-9-_]/m' , '', $_POST[ $setting_name ] );
107
+ if ( empty ( $value ) )
108
+ continue;
109
+
110
+ $module_settings[ $setting_name ] = $value;
111
+ }
112
+
113
+ $results['value'] = $module_settings;
114
+
115
+ return $results;
116
+
117
+ }
118
+
119
+
120
+ function _callback_saved_x_content_type_options($saved_field_data)
121
+ {
122
+
123
+ if ( empty ( $saved_field_data ) || $saved_field_data['enabled'] == 'no' )
124
+ return FALSE;
125
+
126
+ $processing_response = array();
127
+
128
+ $rewrite = '';
129
+
130
+ if($this->wph->server_htaccess_config === TRUE)
131
+ {
132
+ $rewrite .= "\n" . ' Header set X-Content-Type-Options "' . $saved_field_data['value'] .'"';
133
+ }
134
+
135
+ if($this->wph->server_web_config === TRUE)
136
+ {
137
+
138
+ }
139
+
140
+ $processing_response['rewrite'] = $rewrite;
141
+ $processing_response['type'] = 'header';
142
+
143
+ return $processing_response;
144
+
145
+ }
146
+
147
+
148
+ }
149
+ ?>
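Review bot: `_module_option_processing()` accepts any string made of `[a-zA-Z0-9-_]` for both `enabled` and `value`, and `_callback_saved_x_content_type_options()` then writes `value` straight into `Header set X-Content-Type-Options "..."`. The form offers only `nosniff`, and `enabled` is only ever `yes` or `no`, so compare the submitted values against those literals (for example `in_array( $value, array( 'nosniff' ), true )`) and keep the default otherwise, rather than filtering characters. The `/m` modifier on the pattern has no effect, since the pattern contains no anchors.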
modules/components/security-header-x-download-options.php ADDED
@@ -0,0 +1,147 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ <?php
2
+
3
+ if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
4
+
5
+ class WPH_module_general_security_header_x_download_options extends WPH_module_component
6
+ {
7
+
8
+ private $headers = array ();
9
+
10
+ function get_component_title()
11
+ {
12
+ return "X-Download-Options";
13
+ }
14
+
15
+ function get_module_settings()
16
+ {
17
+
18
+ $this->module_settings[] = array(
19
+ 'id' => 'x_download_options',
20
+ 'label' => __('X-Download-Options', 'wp-hide-security-enhancer'),
21
+
22
+ 'help' => array(
23
+ 'title' => __('Help', 'wp-hide-security-enhancer') . ' - ' . __('X-Download-Options', 'wp-hide-security-enhancer'),
24
+ 'description' => __("The X-Download-Options is specific to IE 8, and is related to how IE 8 handles downloaded HTML files. Turns out if you download an HTML file from a web page and chooses to \"Open\" it in IE, it will execute in the context of the web site. That means that any scripts in that file will also execute with the origin of the web site.", 'wp-hide-security-enhancer')
25
+ ),
26
+
27
+ 'input_type' => 'custom',
28
+
29
+ 'module_option_html_render' => array( $this, '_module_option_html' ),
30
+ 'module_option_processing' => array( $this, '_module_option_processing' ),
31
+
32
+ );
33
+
34
+
35
+ return $this->module_settings;
36
+
37
+
38
+
39
+ return $this->module_settings;
40
+ }
41
+
42
+ function _get_default_options()
43
+ {
44
+
45
+ $options = array (
46
+ 'enabled' => 'no',
47
+ 'value' => 'noopen'
48
+ );
49
+ return $options;
50
+ }
51
+
52
+
53
+ function _init_x_download_options( $saved_field_data )
54
+ {
55
+
56
+ }
57
+
58
+
59
+ function _module_option_html( $module_settings )
60
+ {
61
+
62
+ $values = $this->wph->functions->get_module_item_setting( $module_settings['id'] );
63
+ $module_settings = shortcode_atts ( $this->_get_default_options(), (array)$values )
64
+
65
+ ?>
66
+ <div class="row xspacer header">
67
+ <p><?php _e('Enable Header', 'wp-hide-security-enhancer') ?></p>
68
+ <fieldset>
69
+ <label>
70
+ <input type="radio" class="radio" value="no" name="enabled" <?php if ( $module_settings['enabled'] == 'no' ) { ?>checked="checked"<?php } ?>> <span>No</span>
71
+ </label>
72
+ <label>
73
+ <input type="radio" class="radio" value="yes" name="enabled" <?php if ( $module_settings['enabled'] == 'yes' ) { ?>checked="checked"<?php } ?>> <span>Yes</span>
74
+ </label>
75
+ </fieldset>
76
+ </div>
77
+
78
+ <p><?php _e('Header Options', 'wp-hide-security-enhancer') ?></p>
79
+ <div class="row spacer">
80
+ <fieldset>
81
+ <label>
82
+ <input type="radio" class="radio" value="noopen" name="value" <?php if ( $module_settings['value'] == 'noopen' ) { ?>checked="checked"<?php } ?>> <span>noopen</span>
83
+ </label>
84
+ </fieldset>
85
+ </div>
86
+
87
+
88
+
89
+ <?php
90
+ }
91
+
92
+
93
+ function _module_option_processing( $field_name )
94
+ {
95
+
96
+ $results = array();
97
+
98
+ $module_settings = shortcode_atts ( $this->_get_default_options(), array() );
99
+ foreach ( $module_settings as $setting_name => $setting_value )
100
+ {
101
+ if ( ! isset ( $_POST[ $setting_name ] ) )
102
+ continue;
103
+
104
+ $value = preg_replace( '/[^a-zA-Z0-9-_]/m' , '', $_POST[ $setting_name ] );
105
+ if ( empty ( $value ) )
106
+ continue;
107
+
108
+ $module_settings[ $setting_name ] = $value;
109
+ }
110
+
111
+ $results['value'] = $module_settings;
112
+
113
+ return $results;
114
+
115
+ }
116
+
117
+
118
+ function _callback_saved_x_download_options($saved_field_data)
119
+ {
120
+
121
+ if ( empty ( $saved_field_data ) || $saved_field_data['enabled'] == 'no' )
122
+ return FALSE;
123
+
124
+ $processing_response = array();
125
+
126
+ $rewrite = '';
127
+
128
+ if($this->wph->server_htaccess_config === TRUE)
129
+ {
130
+ $rewrite .= "\n" . ' Header set X-Download-Options "' . $saved_field_data['value'] .'"';
131
+ }
132
+
133
+ if($this->wph->server_web_config === TRUE)
134
+ {
135
+
136
+ }
137
+
138
+ $processing_response['rewrite'] = $rewrite;
139
+ $processing_response['type'] = 'header';
140
+
141
+ return $processing_response;
142
+
143
+ }
144
+
145
+
146
+ }
147
+ ?>
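Review bot: `get_module_settings()` ends with two identical `return $this->module_settings;` statements, so the second one is unreachable. The class also declares `private $headers = array ();` without ever reading or writing it, and `_init_x_download_options()` has an empty body with no comment. Drop the duplicate return and the unused property, and add a one-line docblock to the empty hook stating that it is intentionally a no-op.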
modules/components/security-header-x-frame-options.php ADDED
@@ -0,0 +1,154 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ <?php
2
+
3
+ if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
4
+
5
+ class WPH_module_general_security_header_x_frame_options extends WPH_module_component
6
+ {
7
+
8
+ private $headers = array ();
9
+
10
+ function get_component_title()
11
+ {
12
+ return "X-Frame-Options (XFO)";
13
+ }
14
+
15
+ function get_module_settings()
16
+ {
17
+
18
+ $this->module_settings[] = array(
19
+ 'id' => 'x_frame_options',
20
+ 'label' => __('X-Frame-Options (XFO)', 'wp-hide-security-enhancer'),
21
+
22
+ 'help' => array(
23
+ 'title' => __('Help', 'wp-hide-security-enhancer') . ' - ' . __('X-Frame-Options', 'wp-hide-security-enhancer'),
24
+ 'description' => __("The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a &#60;frame&#62;, &#60;iframe&#62;, &#60;embed&#62; or &#60;object&#62;. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.", 'wp-hide-security-enhancer') .
25
+ "<br />" . __("The added security is provided only if the user accessing the document is using a browser that supports X-Frame-Options.", 'wp-hide-security-enhancer') .
26
+ "<br /><br />" . __("Options:", 'wp-hide-security-enhancer') .
27
+ "<br /><b>DENY</b> - " . __("The page cannot be displayed in a frame, regardless of the site attempting to do so.", 'wp-hide-security-enhancer') .
28
+ "<br /><b>SAMEORIGIN</b> - " . __("The page can only be displayed in a frame on the same origin as the page itself. The spec leaves it up to browser vendors to decide whether this option applies to the top level, the parent, or the whole chain, although it is argued that the option is not very useful unless all ancestors are also in the same origin.", 'wp-hide-security-enhancer') .
29
+ "<br />&nbsp;<br /><br />" . __("If you specify DENY, not only will the browser attempt to load the page in a frame fail when loaded from other sites, attempts to do so will fail when loaded from the same site. On the other hand, if you specify SAMEORIGIN, you can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.", 'wp-hide-security-enhancer')
30
+ ),
31
+
32
+ 'input_type' => 'custom',
33
+
34
+ 'module_option_html_render' => array( $this, '_module_option_html' ),
35
+ 'module_option_processing' => array( $this, '_module_option_processing' ),
36
+
37
+ );
38
+
39
+
40
+ return $this->module_settings;
41
+
42
+
43
+
44
+ return $this->module_settings;
45
+ }
46
+
47
+ function _get_default_options()
48
+ {
49
+
50
+ $options = array (
51
+ 'enabled' => 'no',
52
+ 'value' => 'DENY'
53
+ );
54
+ return $options;
55
+ }
56
+
57
+
58
+ function _init_x_frame_options( $saved_field_data )
59
+ {
60
+
61
+ }
62
+
63
+ function _module_option_html( $module_settings )
64
+ {
65
+
66
+ $values = $this->wph->functions->get_module_item_setting( $module_settings['id'] );
67
+ $module_settings = shortcode_atts ( $this->_get_default_options(), (array)$values )
68
+
69
+ ?>
70
+ <div class="row xspacer header">
71
+ <p><?php _e('Enable Header', 'wp-hide-security-enhancer') ?></p>
72
+ <fieldset>
73
+ <label>
74
+ <input type="radio" class="radio" value="no" name="enabled" <?php if ( $module_settings['enabled'] == 'no' ) { ?>checked="checked"<?php } ?>> <span>No</span>
75
+ </label>
76
+ <label>
77
+ <input type="radio" class="radio" value="yes" name="enabled" <?php if ( $module_settings['enabled'] == 'yes' ) { ?>checked="checked"<?php } ?>> <span>Yes</span>
78
+ </label>
79
+ </fieldset>
80
+ </div>
81
+
82
+ <p><?php _e('Header Options', 'wp-hide-security-enhancer') ?></p>
83
+ <div class="row spacer">
84
+ <fieldset>
85
+ <label>
86
+ <input type="radio" class="radio" value="DENY" name="value" <?php if ( $module_settings['value'] == 'DENY' ) { ?>checked="checked"<?php } ?>> <span>DENY</span>
87
+ </label>
88
+ <label>
89
+ <input type="radio" class="radio" value="SAMEORIGIN" name="value" <?php if ( $module_settings['value'] == 'SAMEORIGIN' ) { ?>checked="checked"<?php } ?>> <span>SAMEORIGIN</span>
90
+ </label>
91
+ </fieldset>
92
+ </div>
93
+
94
+
95
+
96
+ <?php
97
+ }
98
+
99
+
100
+ function _module_option_processing( $field_name )
101
+ {
102
+
103
+ $results = array();
104
+
105
+ $module_settings = shortcode_atts ( $this->_get_default_options(), array() );
106
+ foreach ( $module_settings as $setting_name => $setting_value )
107
+ {
108
+ if ( ! isset ( $_POST[ $setting_name ] ) )
109
+ continue;
110
+
111
+ $value = preg_replace( '/[^a-zA-Z0-9-_]/m' , '', $_POST[ $setting_name ] );
112
+ if ( empty ( $value ) )
113
+ continue;
114
+
115
+ $module_settings[ $setting_name ] = $value;
116
+ }
117
+
118
+ $results['value'] = $module_settings;
119
+
120
+ return $results;
121
+
122
+ }
123
+
124
+
125
+ function _callback_saved_x_frame_options( $saved_field_data )
126
+ {
127
+
128
+ if ( empty ( $saved_field_data ) || $saved_field_data['enabled'] == 'no' )
129
+ return FALSE;
130
+
131
+ $processing_response = array();
132
+
133
+ $rewrite = '';
134
+
135
+ if($this->wph->server_htaccess_config === TRUE)
136
+ {
137
+ $rewrite .= "\n" . ' Header set X-Frame-Options "' . $saved_field_data['value'] .'"';
138
+ }
139
+
140
+ if($this->wph->server_web_config === TRUE)
141
+ {
142
+
143
+ }
144
+
145
+ $processing_response['rewrite'] = $rewrite;
146
+ $processing_response['type'] = 'header';
147
+
148
+ return $processing_response;
149
+
150
+ }
151
+
152
+
153
+ }
154
+ ?>
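Review bot: `_callback_saved_x_frame_options()` emits `Header set X-Frame-Options "..."`, which in mod_headers uses the default `onsuccess` condition, so error responses generated by Apache go out without the header. For an anti-framing control that gap matters; use `Header always set X-Frame-Options ...` so the rule also covers non-2xx responses. The saved `value` should also be checked against `DENY` and `SAMEORIGIN` before it is written into the rule, because the character filter in `_module_option_processing()` lets any alphanumeric token through.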
modules/components/security-header-x-permitted-cross-domain-policies.php ADDED
@@ -0,0 +1,167 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ <?php
2
+
3
+ if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
4
+
5
+ class WPH_module_general_security_header_x_permitted_cross_domain_policies extends WPH_module_component
6
+ {
7
+
8
+ private $headers = array ();
9
+
10
+ function get_component_title()
11
+ {
12
+ return "X-Permitted-Cross-Domain-Policies";
13
+ }
14
+
15
+ function get_module_settings()
16
+ {
17
+
18
+ $this->module_settings[] = array(
19
+ 'id' => 'x_permitted_cross_domain_policies',
20
+ 'label' => __('X-Permitted-Cross-Domain-Policies', 'wp-hide-security-enhancer'),
21
+
22
+ 'help' => array(
23
+ 'title' => __('Help', 'wp-hide-security-enhancer') . ' - ' . __('X-Permitted-Cross-Domain-Policies', 'wp-hide-security-enhancer'),
24
+ 'description' => __("A cross-domain policy file is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains.", 'wp-hide-security-enhancer') .
25
+ "<br />" . __("When clients request content hosted on a particular source domain and that content makes requests directed towards a domain other than its own, the remote domain needs to host a cross-domain policy file that grants access to the source domain, allowing the client to continue the transaction.", 'wp-hide-security-enhancer') .
26
+ "<br />" . __("Normally a meta-policy is declared in the master policy file, but for those who can’t write to the root directory, they can also declare a meta-policy using the X-Permitted-Cross-Domain-Policies HTTP response header.", 'wp-hide-security-enhancer') .
27
+ "<br /><br />" . __("Options:", 'wp-hide-security-enhancer') .
28
+ "<br /><b>none</b> - " . __("No policy files are allowed anywhere on the target server, including this master policy file.", 'wp-hide-security-enhancer') .
29
+ "<br /><b>master-only</b> - " . __("Only this master policy file is allowed.", 'wp-hide-security-enhancer') .
30
+ "<br /><b>by-content-type</b> - " . __("[HTTP/HTTPS only] Only policy files served with Content-Type: text/x-cross-domain-policy are allowed.", 'wp-hide-security-enhancer') .
31
+ "<br /><b>by-ftp-filename</b> - " . __("[FTP only] Only policy files whose file names are crossdomain.xml (i.e. URLs ending in /crossdomain.xml) are allowed.", 'wp-hide-security-enhancer') .
32
+ "<br /><b>all</b> - " . __("All policy files on this target domain are allowed.", 'wp-hide-security-enhancer')
33
+ ),
34
+
35
+ 'input_type' => 'custom',
36
+
37
+ 'module_option_html_render' => array( $this, '_module_option_html' ),
38
+ 'module_option_processing' => array( $this, '_module_option_processing' ),
39
+
40
+ );
41
+
42
+
43
+ return $this->module_settings;
44
+
45
+
46
+
47
+ return $this->module_settings;
48
+ }
49
+
50
+ function _get_default_options()
51
+ {
52
+
53
+ $options = array (
54
+ 'enabled' => 'no',
55
+ 'value' => 'none'
56
+ );
57
+ return $options;
58
+ }
59
+
60
+
61
+ function _init_x_permitted_cross_domain_policies( $saved_field_data )
62
+ {
63
+
64
+ }
65
+
66
+
67
+ function _module_option_html( $module_settings )
68
+ {
69
+
70
+ $values = $this->wph->functions->get_module_item_setting( $module_settings['id'] );
71
+ $module_settings = shortcode_atts ( $this->_get_default_options(), (array)$values )
72
+
73
+ ?>
74
+ <div class="row xspacer header">
75
+ <p><?php _e('Enable Header', 'wp-hide-security-enhancer') ?></p>
76
+ <fieldset>
77
+ <label>
78
+ <input type="radio" class="radio" value="no" name="enabled" <?php if ( $module_settings['enabled'] == 'no' ) { ?>checked="checked"<?php } ?>> <span>No</span>
79
+ </label>
80
+ <label>
81
+ <input type="radio" class="radio" value="yes" name="enabled" <?php if ( $module_settings['enabled'] == 'yes' ) { ?>checked="checked"<?php } ?>> <span>Yes</span>
82
+ </label>
83
+ </fieldset>
84
+ </div>
85
+
86
+ <p><?php _e('Header Options', 'wp-hide-security-enhancer') ?></p>
87
+ <div class="row spacer">
88
+ <fieldset>
89
+ <label>
90
+ <input type="radio" class="radio" value="none" name="value" <?php if ( $module_settings['value'] == 'none' ) { ?>checked="checked"<?php } ?>> <span>none</span>
91
+ </label>
92
+ <label>
93
+ <input type="radio" class="radio" value="master-only" name="value" <?php if ( $module_settings['value'] == 'master-only' ) { ?>checked="checked"<?php } ?>> <span>master-only</span>
94
+ </label>
95
+ <label>
96
+ <input type="radio" class="radio" value="by-content-type" name="value" <?php if ( $module_settings['value'] == 'by-content-type' ) { ?>checked="checked"<?php } ?>> <span>by-content-type</span>
97
+ </label>
98
+ <label>
99
+ <input type="radio" class="radio" value="by-ftp-filename" name="value" <?php if ( $module_settings['value'] == 'by-ftp-filename' ) { ?>checked="checked"<?php } ?>> <span>by-ftp-filename</span>
100
+ </label>
101
+ <label>
102
+ <input type="radio" class="radio" value="all" name="value" <?php if ( $module_settings['value'] == 'all' ) { ?>checked="checked"<?php } ?>> <span>all</span>
103
+ </label>
104
+ </fieldset>
105
+ </div>
106
+
107
+
108
+
109
+ <?php
110
+ }
111
+
112
+
113
+ function _module_option_processing( $field_name )
114
+ {
115
+
116
+ $results = array();
117
+
118
+ $module_settings = shortcode_atts ( $this->_get_default_options(), array() );
119
+ foreach ( $module_settings as $setting_name => $setting_value )
120
+ {
121
+ if ( ! isset ( $_POST[ $setting_name ] ) )
122
+ continue;
123
+
124
+ $value = preg_replace( '/[^a-zA-Z0-9-_]/m' , '', $_POST[ $setting_name ] );
125
+ if ( empty ( $value ) )
126
+ continue;
127
+
128
+ $module_settings[ $setting_name ] = $value;
129
+ }
130
+
131
+ $results['value'] = $module_settings;
132
+
133
+ return $results;
134
+
135
+ }
136
+
137
+
138
+ function _callback_saved_x_permitted_cross_domain_policies($saved_field_data)
139
+ {
140
+
141
+ if ( empty ( $saved_field_data ) || $saved_field_data['enabled'] == 'no' )
142
+ return FALSE;
143
+
144
+ $processing_response = array();
145
+
146
+ $rewrite = '';
147
+
148
+ if($this->wph->server_htaccess_config === TRUE)
149
+ {
150
+ $rewrite .= "\n" . ' Header set X-Permitted-Cross-Domain-Policies "' . $saved_field_data['value'] .'"';
151
+ }
152
+
153
+ if($this->wph->server_web_config === TRUE)
154
+ {
155
+
156
+ }
157
+
158
+ $processing_response['rewrite'] = $rewrite;
159
+ $processing_response['type'] = 'header';
160
+
161
+ return $processing_response;
162
+
163
+ }
164
+
165
+
166
+ }
167
+ ?>
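Review bot: The radio group in `_module_option_html()` offers `by-ftp-filename`, which the help text in this same file labels "[FTP only]". As a value written by `Header set X-Permitted-Cross-Domain-Policies` into an HTTP response it cannot do what the label describes, so remove that option from the form or mark it as not applicable. `all` is selectable with no indication that it is the least restrictive choice, while the default is `none`; a short remark next to it in the description would make the trade-off visible.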
modules/components/security-header-x-xss-protection.php ADDED
@@ -0,0 +1,174 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ <?php
2
+
3
+ if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
4
+
5
+ class WPH_module_general_security_header_x_xss_protection extends WPH_module_component
6
+ {
7
+
8
+ private $headers = array ();
9
+
10
+ function get_component_title()
11
+ {
12
+ return "X-XSS-Protection";
13
+ }
14
+
15
+ function get_module_settings()
16
+ {
17
+
18
+ $this->module_settings[] = array(
19
+ 'id' => 'x_xss_protection',
20
+ 'label' => __('X-XSS-Protection', 'wp-hide-security-enhancer'),
21
+
22
+ 'help' => array(
23
+ 'title' => __('Help', 'wp-hide-security-enhancer') . ' - ' . __('X-XSS-Protection', 'wp-hide-security-enhancer'),
24
+ 'description' => __("The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. These protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline').", 'wp-hide-security-enhancer') .
25
+ "<br /><br />" . __("Options:", 'wp-hide-security-enhancer') .
26
+ "<br /><b>0</b> - " . __("Disables XSS filtering.", 'wp-hide-security-enhancer') .
27
+ "<br /><b>1</b> - " . __("Enables XSS filtering (usually default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).", 'wp-hide-security-enhancer') .
28
+ "<br /><b>1; mode=block</b> - " . __("Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected.", 'wp-hide-security-enhancer') .
29
+ "<br /><b>1; report=</b> - " . __("Chromium only. Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation. This uses the functionality of the CSP report-uri directive to send a report.", 'wp-hide-security-enhancer')
30
+ ),
31
+
32
+ 'input_type' => 'custom',
33
+
34
+ 'module_option_html_render' => array( $this, '_module_option_html' ),
35
+ 'module_option_processing' => array( $this, '_module_option_processing' ),
36
+
37
+ );
38
+
39
+
40
+ return $this->module_settings;
41
+
42
+ }
43
+
44
+ function _get_default_options()
45
+ {
46
+
47
+ $options = array (
48
+ 'enabled' => 'no',
49
+ 'value' => '0',
50
+ 'report_to' => ''
51
+ );
52
+ return $options;
53
+ }
54
+
55
+
56
+ function _init_x_xss_protection( $saved_field_data )
57
+ {
58
+
59
+ }
60
+
61
+
62
+ function _module_option_html( $module_settings )
63
+ {
64
+
65
+ $values = $this->wph->functions->get_module_item_setting( $module_settings['id'] );
66
+ $module_settings = shortcode_atts ( $this->_get_default_options(), (array)$values )
67
+
68
+ ?>
69
+ <div class="row xspacer header">
70
+ <p><?php _e('Enable Header', 'wp-hide-security-enhancer') ?></p>
71
+ <fieldset>
72
+ <label>
73
+ <input type="radio" class="radio" value="no" name="enabled" <?php if ( $module_settings['enabled'] == 'no' ) { ?>checked="checked"<?php } ?>> <span>No</span>
74
+ </label>
75
+ <label>
76
+ <input type="radio" class="radio" value="yes" name="enabled" <?php if ( $module_settings['enabled'] == 'yes' ) { ?>checked="checked"<?php } ?>> <span>Yes</span>
77
+ </label>
78
+ </fieldset>
79
+ </div>
80
+
81
+ <p><?php _e('Header Options', 'wp-hide-security-enhancer') ?></p>
82
+ <div class="row spacer option-item">
83
+ <fieldset>
84
+ <label>
85
+ <input type="radio" class="radio" value="0" name="value" <?php if ( $module_settings['value'] == '0' ) { ?>checked="checked"<?php } ?>> <span>0</span>
86
+ </label>
87
+ <label>
88
+ <input type="radio" class="radio" value="1" name="value" <?php if ( $module_settings['value'] == '1' ) { ?>checked="checked"<?php } ?>> <span>1</span>
89
+ </label>
90
+ <label>
91
+ <input type="radio" class="radio" value="1; mode=block" name="value" <?php if ( $module_settings['value'] == '1; mode=block' ) { ?>checked="checked"<?php } ?>> <span>1; mode=block</span>
92
+ </label>
93
+ <label>
94
+ <input type="radio" class="radio" value="1; report=" name="value" <?php if ( $module_settings['value'] == '1; report=' ) { ?>checked="checked"<?php } ?>> <span>1; report=</span>
95
+ </label>
96
+ <label>
97
+ <input style="<?php if ( $module_settings['value'] != '1; report=' ) { echo 'display: none';} ?>" type="text" placeholder="Report URI" value="<?php echo $module_settings['report_to']; ?>" name="report_to">
98
+ </label>
99
+ </fieldset>
100
+ </div>
101
+
102
+ <script type='text/javascript'>
103
+
104
+ jQuery( '.option-item input[name="value"]' ).on('change', function() {
105
+ var val = jQuery( this ).val();
106
+ if ( val == '1; report=' )
107
+ jQuery(this).closest('.option-item').find('input[name="report_to"]').show('fast');
108
+ else
109
+ jQuery(this).closest('.option-item').find('input[name="report_to"]').hide('fast');
110
+ });
111
+ </script>
112
+
113
+ <?php
114
+ }
115
+
116
+
117
+ function _module_option_processing( $field_name )
118
+ {
119
+
120
+ $results = array();
121
+
122
+ $module_settings = shortcode_atts ( $this->_get_default_options(), array() );
123
+ foreach ( $module_settings as $setting_name => $setting_value )
124
+ {
125
+ if ( ! isset ( $_POST[ $setting_name ] ) )
126
+ continue;
127
+
128
+ $value = preg_replace( '/[^a-zA-Z0-9-_;:.=\/ ]/m' , '', $_POST[ $setting_name ] );
129
+ if ( empty ( $value ) )
130
+ continue;
131
+
132
+ $module_settings[ $setting_name ] = $value;
133
+ }
134
+
135
+ $results['value'] = $module_settings;
136
+
137
+ return $results;
138
+
139
+ }
140
+
141
+
142
+ function _callback_saved_x_xss_protection( $saved_field_data )
143
+ {
144
+
145
+ if ( empty ( $saved_field_data ) || $saved_field_data['enabled'] == 'no' )
146
+ return FALSE;
147
+
148
+ $processing_response = array();
149
+
150
+ $rewrite = '';
151
+
152
+ if($this->wph->server_htaccess_config === TRUE)
153
+ {
154
+ $rewrite .= "\n" . ' Header set X-XSS-Protection "' . $saved_field_data['value'];
155
+ if ( $saved_field_data['value'] == '1; report=' )
156
+ $rewrite .= ';' . $saved_field_data['report_to'];
157
+ $rewrite .= '"';
158
+ }
159
+
160
+ if($this->wph->server_web_config === TRUE)
161
+ {
162
+
163
+ }
164
+
165
+ $processing_response['rewrite'] = $rewrite;
166
+ $processing_response['type'] = 'header';
167
+
168
+ return $processing_response;
169
+
170
+ }
171
+
172
+
173
+ }
174
+ ?>
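Review bot: In `_callback_saved_x_xss_protection()` the report branch appends `';' . $saved_field_data['report_to']` to a value that already ends in `report=`, so the generated rule is `Header set X-XSS-Protection "1; report=;<uri>"` and the URI is detached from the `report=` token. Concatenate the URI directly after `report=`, and do not emit the report form at all when `report_to` is empty. In `_module_option_html()`, `value="<?php echo $module_settings['report_to']; ?>"` prints a stored setting into an attribute without `esc_attr()`; the save-time character filter should not be the only protection for that output. `report_to` would also be better validated as a URL (for example with `esc_url_raw()`) than with the shared character class, which additionally permits spaces.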
modules/module-admin.php CHANGED
@@ -42,7 +42,7 @@
42
  {
43
  $interface_data = array();
44
 
45
- $interface_data['menu_title'] = __('Admin', 'wp-hide-security-enhancer');
46
  $interface_data['menu_slug'] = self::get_module_slug();
47
  $interface_data['menu_position'] = 30;
48
 
42
  {
43
  $interface_data = array();
44
 
45
+ $interface_data['menu_title'] = __('<span class="wph-info">Hide&rarr;</span> Admin', 'wp-hide-security-enhancer');
46
  $interface_data['menu_slug'] = self::get_module_slug();
47
  $interface_data['menu_position'] = 30;
48
 
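Review bot: The new `menu_title` puts `<span class="wph-info">Hide&rarr;</span>` inside the string passed to `__()`, so every translation has to reproduce the tag and the entity exactly, and any consumer of `menu_title` that escapes its output will show the raw markup. Keep the markup outside the translatable text, for example by concatenating the span around `__( 'Hide', ... )` and appending `__( 'Admin', ... )`, and confirm that each place where `menu_title` is printed expects HTML.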
modules/module-cdn.php CHANGED
@@ -40,7 +40,7 @@
40
  {
41
  $interface_data = array();
42
 
43
- $interface_data['menu_title'] = __('CDN', 'wp-hide-security-enhancer');
44
  $interface_data['menu_slug'] = self::get_module_slug();
45
  $interface_data['menu_position'] = 50;
46
 
40
  {
41
  $interface_data = array();
42
 
43
+ $interface_data['menu_title'] = __('<span class="wph-info">Settings&rarr;</span> CDN', 'wp-hide-security-enhancer');
44
  $interface_data['menu_slug'] = self::get_module_slug();
45
  $interface_data['menu_position'] = 50;
46
 
modules/module-general.php CHANGED
@@ -30,6 +30,9 @@
30
  include(WPH_PATH . "/modules/components/general-scripts.php");
31
  $this->components[] = new WPH_module_general_scripts();
32
 
 
 
 
33
  include(WPH_PATH . "/modules/components/general-oembed.php");
34
  $this->components[] = new WPH_module_general_oembed();
35
 
@@ -66,7 +69,7 @@
66
  {
67
  $interface_data = array();
68
 
69
- $interface_data['menu_title'] = __('General / Html', 'wp-hide-security-enhancer');
70
  $interface_data['menu_slug'] = self::get_module_slug();
71
  $interface_data['menu_position'] = 20;
72
 
30
  include(WPH_PATH . "/modules/components/general-scripts.php");
31
  $this->components[] = new WPH_module_general_scripts();
32
 
33
+ include(WPH_PATH . "/modules/components/general-feed.php");
34
+ $this->components[] = new WPH_module_general_feed();
35
+
36
  include(WPH_PATH . "/modules/components/general-oembed.php");
37
  $this->components[] = new WPH_module_general_oembed();
38
 
69
  {
70
  $interface_data = array();
71
 
72
+ $interface_data['menu_title'] = __('<span class="wph-info">Hide&rarr;</span> General / Html', 'wp-hide-security-enhancer');
73
  $interface_data['menu_slug'] = self::get_module_slug();
74
  $interface_data['menu_position'] = 20;
75
 
modules/module-rewrite.php CHANGED
@@ -42,8 +42,6 @@
42
  include(WPH_PATH . "/modules/components/rewrite-json-rest.php");
43
  $this->components[] = new WPH_module_rewrite_json_rest();
44
 
45
- include(WPH_PATH . "/modules/components/general-feed.php");
46
- $this->components[] = new WPH_module_general_feed();
47
 
48
  include(WPH_PATH . "/modules/components/rewrite-root-files.php");
49
  $this->components[] = new WPH_module_rewrite_root_files();
@@ -77,7 +75,7 @@
77
  {
78
  $interface_data = array();
79
 
80
- $interface_data['menu_title'] = __('Rewrite', 'wp-hide-security-enhancer');
81
  $interface_data['menu_slug'] = self::get_module_slug();
82
  $interface_data['menu_position'] = 1;
83
 
@@ -88,7 +86,7 @@
88
  {
89
  $interface_data = array();
90
 
91
- $interface_data['title'] = __('WP Hide & Security Enhancer', 'wp-hide-security-enhancer') . ' - ' . __('Rewrite', 'wp-hide-security-enhancer');
92
  $interface_data['description'] = '';
93
  $interface_data['handle_title'] = '';
94
 
42
  include(WPH_PATH . "/modules/components/rewrite-json-rest.php");
43
  $this->components[] = new WPH_module_rewrite_json_rest();
44
 
 
 
45
 
46
  include(WPH_PATH . "/modules/components/rewrite-root-files.php");
47
  $this->components[] = new WPH_module_rewrite_root_files();
75
  {
76
  $interface_data = array();
77
 
78
+ $interface_data['menu_title'] = __('<span class="wph-info">Hide&rarr;</span> Rewrite / URLs', 'wp-hide-security-enhancer');
79
  $interface_data['menu_slug'] = self::get_module_slug();
80
  $interface_data['menu_position'] = 1;
81
 
86
  {
87
  $interface_data = array();
88
 
89
+ $interface_data['title'] = __('WP Hide & Security Enhancer', 'wp-hide-security-enhancer') . ' - ' . __('Rewrites', 'wp-hide-security-enhancer');
90
  $interface_data['description'] = '';
91
  $interface_data['handle_title'] = '';
92
 
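Review bot: the last hunk changes the page title string from `__('Rewrite', ...)` to `__('Rewrites', ...)`, while the `menu_title` in the previous hunk now reads `Rewrite / URLs`. That leaves two different names for the same screen and introduces a new msgid, so existing translations of 'Rewrite' no longer apply to the title. Pick one label and use it in both `menu_title` and `title`. The first hunk also leaves two consecutive blank lines where the general-feed include was removed.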
modules/module-security_headers.php ADDED
@@ -0,0 +1,93 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ <?php
2
+
3
+ if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
4
+
5
+ class WPH_module_security_headers extends WPH_module
6
+ {
7
+
8
+ function load_components()
9
+ {
10
+
11
+ //add components
12
+ include( WPH_PATH . "modules/components/security-check_headers.php");
13
+ $this->components[] = new WPH_module_general_security_check_headers();
14
+
15
+ include( WPH_PATH . "modules/components/security-header-cross-origin-embedder-policy.php");
16
+ $this->components[] = new WPH_module_general_security_header_cross_origin_embedder_policy();
17
+
18
+ include( WPH_PATH . "modules/components/security-header-cross-origin-opener-policy.php");
19
+ $this->components[] = new WPH_module_general_security_header_cross_origin_opener_policy();
20
+
21
+ include( WPH_PATH . "modules/components/security-header-cross-origin-resource-policy.php");
22
+ $this->components[] = new WPH_module_general_security_header_cross_origin_resource_policy();
23
+
24
+ include( WPH_PATH . "modules/components/security-header-x-content-type-options.php");
25
+ $this->components[] = new WPH_module_general_security_header_x_content_type_options();
26
+
27
+ include( WPH_PATH . "modules/components/security-header-x-download-options.php");
28
+ $this->components[] = new WPH_module_general_security_header_x_download_options();
29
+
30
+ include( WPH_PATH . "modules/components/security-header-x-frame-options.php");
31
+ $this->components[] = new WPH_module_general_security_header_x_frame_options();
32
+
33
+ include( WPH_PATH . "modules/components/security-header-x-permitted-cross-domain-policies.php");
34
+ $this->components[] = new WPH_module_general_security_header_x_permitted_cross_domain_policies();
35
+
36
+ include( WPH_PATH . "modules/components/security-header-x-xss-protection.php");
37
+ $this->components[] = new WPH_module_general_security_header_x_xss_protection();
38
+
39
+ //action available for mu-plugins
40
+ do_action('wp-hide/module_load_components', $this);
41
+
42
+ }
43
+
44
+ function use_tabs()
45
+ {
46
+
47
+ return TRUE;
48
+ }
49
+
50
+ function get_module_id()
51
+ {
52
+
53
+ return 'security';
54
+ }
55
+
56
+ function get_module_slug()
57
+ {
58
+
59
+ return 'wp-hide-security';
60
+ }
61
+
62
+ function get_interface_menu_data()
63
+ {
64
+ $interface_data = array();
65
+
66
+ $interface_data['menu_title'] = __('<span class="wph-info">Security&rarr;</span> Headers', 'wp-hide-security-enhancer');
67
+ $interface_data['menu_slug'] = self::get_module_slug();
68
+ $interface_data['menu_position'] = 70;
69
+
70
+ return $interface_data;
71
+ }
72
+
73
+ function get_interface_data()
74
+ {
75
+
76
+ $interface_data = array();
77
+
78
+ $interface_data['title'] = __('WP Hide & Security Enhancer - Security Headers', 'wp-hide-security-enhancer');
79
+ $interface_data['description'] = '';
80
+ $interface_data['handle_title'] = '';
81
+
82
+ return $interface_data;
83
+
84
+ }
85
+
86
+
87
+
88
+
89
+
90
+ }
91
+
92
+
93
+ ?>
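Review bot: every `include` in `load_components()` builds its path as `WPH_PATH . "modules/components/..."` with no leading slash, whereas module-general.php and module-rewrite.php in this same patch use `WPH_PATH . "/modules/components/..."`. If `WPH_PATH` is defined without a trailing slash, all nine includes here fail with a warning and the following `new ...()` line becomes a fatal error. Please check the constant's definition and use one form throughout. Separately, the file ends with `?>` after several blank `+` lines; dropping the closing tag in a PHP-only file avoids stray output, which matters for a module that exists to set response headers.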
readme.txt CHANGED
@@ -1,164 +1,165 @@
1
  === WP Hide & Security Enhancer ===
2
  Contributors: nsp-code, tdgu
3
  Donate link: https://www.nsp-code.com/
4
- Tags: wordpress hide, hide, security, improve security, hacking, wp hide, custom login, wp-loging.php, wp-admin, admin hide, login change,
5
  Requires at least: 2.8
6
- Tested up to: 5.9
7
- Stable tag: 1.7.6
8
  License: GPLv2 or later
9
 
10
- Hide WordPress, wp-content, wp-includes, wp-admin, login URL, plugins, themes etc. Block the defaults for being still accessible. No files and data are changed on your server.
11
 
12
  == Description ==
13
 
14
- The **easy way to completely hide your WordPress** core files, login page, theme and plugins paths from being show on front side. This is a huge improvement over Site Security, no one will know you actually run a WordPress. Provide a simple way to clean up html by removing all WordPress fingerprints.
15
 
16
  **No file and directory change!**
17
- No file and directory are being changed anywhere, everything is processed virtually! The plugin code use URL rewrite techniques and WordPress filters to apply all internal functionality and features. Everything is done automatically, there's no user intervention require at all.
18
 
19
  **Real hide of WordPress core files and plugins**
20
- The plugin not only allow to change default urls of you WordPress, but it hide/block defaults! Other similar plugins, just change the slugs, but the default are still accessible, obviously revealing WordPress as CMS
21
 
22
- Change the default WordPress login urls from wp-admin and wp-login.php to something totally arbitrary. No one will ever know where to try to guess a login and hack into your site. Totally invisible !!
23
 
24
  [vimeo http://vimeo.com/185046480]
25
 
26
  <br />Full plugin documentation available at <a target="_blank" href="https://wp-hide.com/documentation/">WordPress Hide and Security Enhancer Documentation</a>
27
 
28
- When testing with WordPress theme and plugins detector services/sites, any setting change may not reflect right away on their reports, since they use cache. So you may want to check again later, or try a different inner url, homepage url usage is not mandatory.
29
 
30
- Being the best content management system, widely used, WordPress is susceptible to a large range of hacking attacks including brute-force, SQL injections, XSS, XSRF etc. Despite the fact the WordPress core is a very secure code maintained by a team of professional enthusiast, the additional plugins and themes makes the vulnerable spot of every website. In many cases, those are created by pseudo-developers who do not follow the best coding practices or simply do not own the experience to create a secure plugin.
31
- Statistics reveal that every day new vulnerabilities are discovered, many affecting hundreds of thousands of WordPress websites.
32
- Over 99,9% of hacked WordPress websites are target of automated malware scripts, who search for certain WordPress fingerprints. This plugin hide or replace those traces, making the hacking boots attacks useless.
33
 
34
- Works fine with custom WordPress directory structures e.g. custom plugins, themes, uplaods folder.
35
 
36
- Once configured, you need to **clear server cache data and/or any cache plugins** (e.g. W3 Cache), for a new html data to be created. If use CDN this should be cache clear as well.
37
 
38
  **Sample usage**
39
  [vimeo https://vimeo.com/192011678]
40
 
41
  **Main plugin functionality:**
42
 
43
- * Custom Admin Url
44
- * Block default admin Url
45
- * Block any direct folder access to completely hide the structure
46
- * Custom wp-login.php filename
47
- * Block default wp-login.php
48
- * Block default wp-signup.php
49
- * Block XML-RPC API
50
- * New XML-RPC path
51
- * Adjustable theme url
52
- * New child Theme url
53
- * Change theme style file name
54
- * Clean any headers for theme style file
55
- * Custom wp-include
56
- * Block default wp-include paths
57
- * Block defalt wp-content
58
- * Custom plugins urls
59
- * Individual plugin url change
60
- * Block default plugins paths
61
- * New upload url
62
- * Block default upload urls
63
- * Remove wordpress version
64
- * Meta Generator block
65
- * Disble the emoji and required javascript code
66
- * Remove pingback tag
67
- * Remove wlwmanifest Meta
68
- * Remove rsd_link Meta
69
- * Remove wpemoji
70
- * Minify Html, Css, JavaScript
 
 
71
 
72
  and many more.
73
 
74
- **No other plugins functionality is being blocked or interfered in any way, everything will function the same**
75
 
76
- This plugin allow to change default Admin Url's from **wp-login.php** and **wp-admin** to something else. All original links return default theme 404 Not Found page, like nothing exists there. Beside the huge security advantage, this save lots of server processing time by reducing php code and MySQL usage since brute-force attacks trigger wrong urls.
77
 
78
- **Important:** Compared to all other similar plugins which mainly use redirects, this plugin return a default theme 404 error page for all **block url** functionality, so is not revealing at all the link existence.
79
 
80
- Since version 1.2 Change individual plugin urls which make them unrecognizable, for example change default WooCommerce plugin urls and dependencies from domain.com/wp-content/plugins/woocommerce/ to domain.com/ecommerce/cdn/ or anything customized.
81
 
82
  = Plugin Sections =
83
 
84
- **Rewrite > Theme**
85
 
86
- * New Theme Path - Change default theme path
87
- * New Style File Path - Change default style file name and path
88
- * Remove description header from Style file - Replace any WordPress metadata informations (like theme name, version etc) from style file
89
- * Child - New Theme Path - Change default child theme path
90
- * Child - New Style File Path - Change child theme stylesheed file path and name
91
- * Child - Remove description header from Style file - Replace any WordPress metadata informations (like theme name, version etc) from style file
92
 
93
- **Rewrite > WP includes**
94
 
95
- * New Includes Path - Change default wp-includes path / url
96
- * Block wp-includes URL - Block default wp-includes url
97
 
98
- **Rewrite > WP content**
99
 
100
- * New Content Path - Change default wp-content path / url
101
- * Block wp-content URL - Block default content url
102
 
103
- **Rewrite > Plugins**
104
 
105
- * New Plugins Path - Change default wp-content/plugins path / url
106
- * Block plugins URL - Block default wp-content/plugins url
107
- * New path / url for Every Active Plugin
108
- * Custom path and name for any active plugins
109
 
110
- **Rewrite > Uploads**
111
 
112
- * New Uploads Path - Change default media files path / url
113
- * Block uploads URL - Block default media files url
114
 
115
- **Rewrite > Comments**
116
 
117
  * New wp-comments-post.php Path
118
  * Block wp-comments-post.php
119
 
120
- **Rewrite > Author**
121
 
122
  * New Author Path
123
  * Block default path
124
 
125
- **Rewrite > Search**
126
 
127
  * New Search Path
128
  * Block default path
129
 
130
- **Rewrite > XML-RPC**
131
 
132
- * New XML-RPC Path - Change default XML-RPC path / url
133
- * Block default xmlrpc.php - Block default XML-RPC url
134
- * Disable XML-RPC authentication - Filter whether XML-RPC methods requiring authentication
135
- * Remove pingback - Remove pingback link tag from theme
136
 
137
- **Rewrite > JSON REST**
138
 
139
  * Clean the REST API response
140
- * Disable JSON REST V1 service - Disable an API service for WordPress which is active by default.
141
- * Disable JSON REST V2 service - Disable an API service for WordPress which is active by default.
142
- * Block any JSON REST calls - Any call for JSON REST API service will be blocked.
143
  * Disable output the REST API link tag into page header
144
  * Disable JSON REST WP RSD endpoint from XML-RPC responses
145
  * Disable Sends a Link header for the REST API
146
 
147
- **Rewrite > Root Files**
148
 
149
- * Block license.txt - Block access to license.txt root file
150
- * Block readme.html - Block access to readme.html root file
151
- * Block wp-activate.php - Block access to wp-activate.php file
152
- * Block wp-cron.php - Block access to wp-cron.php file
153
- * Block wp-signup.php - Block default wp-signup.php file
154
- * Block other wp-*.php files - Block other wp-*.php files within WordPress Root
155
 
156
- **Rewrite > URL Slash**
157
 
158
- * URL's add Slash - Add a slash to any links without. This disguise any existing for a file, folder or a wrong url, they all be all slashed.
159
 
160
-
161
- **General / Html > Meta**
162
 
163
  * Remove WordPress Generator Meta
164
  * Remove Other Generator Meta
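Review bot: the rewritten option lists on the new side of this hunk lose the separator between option name and description, so new lines 88-93, 97-98, 102-103 and the lists after them read as one phrase (`New Theme Path Changes default theme path`), and new line 156 now says `wp-.php` where the old text had `wp-*.php`. Restore the ` - ` separator and the asterisk. The added text also introduces typos that should be fixed before release: `secuirty headers` in the Tags line, `make ita vulnerable spot`, `structures,e.g.`, `weakURL`, `to“404 error page` with an unclosed quote, and `disguisesthe`.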
@@ -173,50 +174,50 @@ Since version 1.2 Change individual plugin urls which make them unrecognizable,
173
  * Remove profile link
174
  * Remove canonical link
175
 
176
- **General / Emulate CMS**
177
 
178
  * Emulate CMS
179
 
180
- **General / Html > Admin Bar**
181
 
182
  * Remove WordPress Admin Bar for specified urser roles
183
 
184
- **General / Feed**
185
 
186
  * Remove feed|rdf|rss|rss2|atom links
187
 
188
- **General / Robots.txt**
189
 
190
- * Disable admin url within Robots.txt
191
 
192
- **General / Html > Emoji**
193
 
194
  * Disable Emoji
195
  * Disable TinyMC Emoji
196
 
197
- **General / Html > Styles**
198
 
199
  * Remove Version
200
  * Remove ID from link tags
201
 
202
- **General / Html > Scripts**
203
 
204
  * Remove Version
205
 
206
- **General / Html > Oembed**
207
 
208
  * Remove Oembed
209
 
210
- **General / Html > Headers**
211
 
212
  * Remove Link Header
213
  * Remove X-Powered-By Header
214
  * Remove X-Pingback Header
215
 
216
- **General / Html > HTML**
217
 
218
  * Remove HTML Comments
219
- * Minify Html, Css, JavaScript
220
  * Disable right mouse click
221
  * Remove general classes from body tag
222
  * Remove ID from Menu items
@@ -224,25 +225,36 @@ Since version 1.2 Change individual plugin urls which make them unrecognizable,
224
  * Remove general classes from post
225
  * Remove general classes from images
226
 
227
- **Admin > wp-login.php**
228
 
229
- * New wp-login.php - Map a new wp-login.php instead default
230
- * Block default wp-login.php - Block default wp-login.php file from being accesible
231
 
232
- **Admin > Admin URL**
233
 
234
- * New Admin Url - Create a new admin url instead default /wp-admin. This also apply for admin-ajax.php calls
235
- * Block default Admin Url - Block default admin url and files from being accesible
236
 
237
- **CDN**
238
 
239
- * CDN Url - Set-up CDN if apply, some providers replace site assets with custom urls.
 
 
 
 
 
 
 
 
 
 
 
240
 
241
  <br />This free version works with Apache and IIS server types. For all server types, check with <a target="_blank" href="https://wp-hide.com/">WP Hide PRO</a>
242
 
243
  <br />This is a basic version that can hide everything for basic sites, example <a target="_blank" href="https://demo.wp-hide.com/">https://demo.wp-hide.com/</a>. When using complex plugins and themes, the WP Hide PRO may be required. We provide free assistance to hide everything on your site, along with the commercial product.
244
 
245
- <br />Something is wrong with this plugin on your site? Just use the forum or get in touch with us at <a target="_blank" href="https://wp-hide.com/contact/">Contact</a> and we'll check it out.
246
 
247
  <br />A website example can be found at <a target="_blank" href="https://demo.wp-hide.com/">https://demo.wp-hide.com/</a> or our website <a target="_blank" href="https://wp-hide.com/">WP Hide and Security Enhancer</a>
248
 
@@ -253,7 +265,7 @@ Since version 1.2 Change individual plugin urls which make them unrecognizable,
253
 
254
  == Installation ==
255
 
256
- 1. Install the plugin through the WordPress plugins screen directly or upload the pacckage to `/wp-content/plugins/wp-hide-security-enhancer` directory.
257
  2. Activate the plugin through the 'Plugins' screen in WordPress.
258
  3. Use the WP Hide menu screen to configure the plugin.
259
 
@@ -261,22 +273,22 @@ Since version 1.2 Change individual plugin urls which make them unrecognizable,
261
 
262
  Feel free to contact us at contact@wp-hide.com for fast support.
263
 
264
- = Does the plugin change anything on my server =
265
 
266
- Absolute None!
267
- No files and directories are being changed on your server, everything is processed virtually! The plugin code use URL rewrite techniques and WordPress filters to apply all internal functionality and features.
268
 
269
- = I have no PHP knowledge at all, is this plugin for me? =
270
 
271
- There's no requirements on php knowledge. All plugin features and functionality are applied automatically, controlled through a descriptive admin interface.
272
 
273
  = Is there any demo I can check? =
274
 
275
  A demo instance can be found at <a target="_blank" href="https://demo.wp-hide.com/">https://demo.wp-hide.com/</a> or our own website <a target="_blank" href="https://wp-hide.com/">WP Hide and Security Enhancer</a>
276
 
277
- = Can I use the plugin on my Nginx server ? =
278
 
279
- If the server runs full-stack Nginx, the free plugin can't generate the required format Nginx rewrite rules. It works with Apache, LiteSpeed, IIS, Nginx as a reverse proxy and compatible.
280
 
281
  = Can I still update WordPress, my plugins and themes? =
282
 
@@ -284,48 +296,52 @@ Everything works as before, no functionality is being broken. You can run update
284
 
285
  = Does the plugin affect the SEO aspects of my website? =
286
 
287
- No, the plugin changes only assets links ( CSS, JavaScript, media files ) and not actual content URLs. There will be no negative impact from SEO perspective, whatsoever.
288
 
289
  = Does the plugin work with my site cache? =
290
 
291
  Yes, the plugin works with any cache plugin deployed on your site.
292
 
293
- = What servers this plugin can work with =
 
 
294
 
295
- This free code can with Apache, IIS server types and any other set-up which rely on .htaccess usage.
296
- For all other checks the PRO version at <a target="_blank" href="https://wp-hide.com">WP Hide PRO</a>
297
 
298
- = How to make it work with my OpenLiteSpeed server =
 
299
 
300
- There are few things to consider when run on litespeed servers:
301
 
302
- * Ensure the liteserver actually process the .htaccess file where the rewrite data is being saved. Check with the following topic regarding this issue <a target="_blank" href="https://www.litespeedtech.com/support/forum/threads/htaccess-is-ignored.15500/">Post</a>
 
 
303
 
304
  * If you use Litespeed Cache plugin, in the Optimization Settings area, disable the CSS / JS Minify
305
 
306
- * If your litespeed server requires to place the rewrite lines in a different file e.g. config file or interface, consider upgrading to PRO version which includes a Setup page where you can get the rewrite code <a href="https://wp-hide.com/wp-hide-pro-now-available/">WP Hide PRO</a>.
307
 
308
 
309
- = How to use on my Bitnami setup =
310
- As default, on Bitnami LAMP set-ups, the system will not process the .htaccess file, so none of the rewrites will work. You can change this behavior by updating the main config file located at /opt/bitnami/apps/APPNAME/conf/httpd-app.conf , update the line
311
  <pre><code>AllowOverride None</code></pre>
312
  to
313
  <pre><code>AllowOverride All</code></pre>
314
- Restart the Apache service through ssh
315
  <pre><code>sudo /opt/bitnami/ctlscript.sh restart</code></pre>
316
  More details can be found at <a href="https://docs.bitnami.com/general/apps/redmine/administration/use-htaccess/">Bitnami Default .Htaccess
317
  </a>
318
 
319
- You can still keep the configuration as is using the <a target="_blank" href="https://wp-hide.com">WP Hide PRO</a>, more details at <a href="https://wp-hide.com/documentation/setup-the-plugin-on-bitnami-wordpress-lamp-stack/">Setup the plugin on Bitnami WordPress LAMP stack
320
  </a>
321
 
322
 
323
- = .htaccess file writing error - Unable to write custom rules to your .htaccess. Is this file writable? =
324
 
325
- I'm seeing this error "Unable to write custom rules to your .htaccess. Is this file writable" what does it mean?
326
- The error appear when the plugin is not able to write to .htaccess file located in your WordPress root. You can try the followings to make a fix:
327
 
328
- * Check if your .htaccess file is writable. This can be different from server to server, but usually require rw-rw-r– / 0664 Also ensure the file owner is the same group as php
329
 
330
  * Sometimes the other codes wrongly use the flush_rules() which hijack the default filters for rewrite. Try to disable the other plugins and theme to figure out which ones produce the issue.
331
 
@@ -337,23 +353,23 @@ The error appear when the plugin is not able to write to .htaccess file located
337
 
338
  * There will be no harm.
339
  * Go to admin and change some of the plugin options to see which one causes the problem. Then report it to the forum or get in touch with us to fix it.
340
- * If you can't log in to admin, use the Recovery Link which has been sent to your e-mail. This will reset the login to default.
341
- * If you can't find the recovery link or none of the above worked, delete the plugin from your wp-content/plugins directory. Then remove any lines in your .htaccess file between
342
  BEGIN WP Hide & Security Enhancer
343
  ..
344
  END WP Hide & Security Enhancer
345
 
346
- * At this point, the site should run as before. If for some reason still not working, you missed something, please get in touch with us at contact@wp-hide.com and we'll fix it for you in no time!
347
 
348
- = How to use the Recovery Link =
349
 
350
- The Recovery Link can be used to reset all plugin options and restore the site to the default state.
351
- The link should be entered into the browser URL bar. After the operation is completed, a system message will show "The plugin options have been reset successfully".
352
  If the message does not show, there is a cache on your site that prevents the code to run. Locate your cache data, usually at /wp-content/cache/ and remove the files. Then re-load the recovery link.
353
 
354
- = I can't find a functionality that i'am looking for =
355
 
356
- Please get in touch with us and we'll do our best to include it for a next version.
357
 
358
  == Screenshots ==
359
 
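Review bot: the recovery steps in this hunk (old line 341 and the unchanged marker lines) tell the user to remove everything between `BEGIN WP Hide & Security Enhancer` and `END WP Hide & Security Enhancer` from `.htaccess`, yet the Description in the first hunk still promises on its new side "No file and directory will be changed anywhere. Everything is processed virtually." Both cannot hold: the FAQ in this same readme describes the plugin writing its rewrite rules to `.htaccess`, and an administrator running file-integrity monitoring will see that change. Reword the Description to say that WordPress core, theme and plugin files are left untouched and that rewrite rules are added to `.htaccess` inside the BEGIN/END markers.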
@@ -362,6 +378,16 @@ Please get in touch with us and we'll do our best to include it for a next versi
362
 
363
  == Changelog ==
364
 
 
 
 
 
 
 
 
 
 
 
365
  = 1.7.6 =
366
  * Run on revision posts, to match URLs and revert to default WordPress ( e.g. when using Gutenberg editor )
367
  * Require a .php for the customization of the default wp-login.php to avoid cookie issues on password change area.
@@ -907,4 +933,4 @@ Always keep plugin up to date.
907
  == Localization ==
908
  Please help and translate this plugin to your language at <a href="https://translate.wordpress.org/projects/wp-plugins/wp-hide-security-enhancer">https://translate.wordpress.org/projects/wp-plugins/wp-hide-security-enhancer</a>
909
 
910
- Please help by promoting this plugin with an article on your site or any other place. If you liked this code or helped with your project, consider to leave a 5 star review on this board.
1
  === WP Hide & Security Enhancer ===
2
  Contributors: nsp-code, tdgu
3
  Donate link: https://www.nsp-code.com/
4
+ Tags: wordpress hide, hide, security, secuirty headers, improve security, hacking, wp hide, custom login, wp-loging.php, wp-admin, admin hide, login change,
5
  Requires at least: 2.8
6
+ Tested up to: 5.9.3
7
+ Stable tag: 1.7.8
8
  License: GPLv2 or later
9
 
10
+ Hide WordPress, wp-content, wp-includes, wp-admin, login URL, plugins, themes etc. Block the default URLs. Security Headers etc.
11
 
12
  == Description ==
13
 
14
+ WP-Hide has launched the **easiest way to completely hide your WordPress** core files, login page, theme and plugins paths from being shown on front side. This is a huge improvement over Site Security, since no one will know whether you are running or not a WordPress. It also provides a simple way to clean up html by removing all WordPress fingerprints.
15
 
16
  **No file and directory change!**
17
+ No file and directory will be changed anywhere. Everything is processed virtually. The plugin code uses URL rewrite techniques and WordPress filters to apply all internal functionality and features. Everything is done automatically without user intervention required at all.
18
 
19
  **Real hide of WordPress core files and plugins**
20
+ The plugin not only allows you to change default URLs of you WordPress, but it also hides/blocks such defaults. Other similar plugins, just change the slugs, but the defaults are still accessible, obviously revealing WordPress as CMS.
21
 
22
+ You can change the default WordPress login URL from wp-admin and wp-login.php to something totally arbitrary. No one will ever know where to try to guess a login and hack into your site. It becomes totally invisible.
23
 
24
  [vimeo http://vimeo.com/185046480]
25
 
26
  <br />Full plugin documentation available at <a target="_blank" href="https://wp-hide.com/documentation/">WordPress Hide and Security Enhancer Documentation</a>
27
 
28
+ When testing with WordPress theme and plugins detector services/sites, any setting change may not reflect right away on their reports, since they use cache. So, you may want to check again later, or try a different inner URL. Homepage URL usage is not mandatory.
29
 
30
+ Being the best content management system, widely used, WordPress is susceptible to a large range of hacking attacks including brute-force, SQL injections, XSS, XSRF etc. Despite the fact the WordPress core is a very secure code maintained by a team of professional enthusiast, the additional plugins and themes make ita vulnerable spot for every website. In many cases, those are created by pseudo-developers who do not follow the best coding practices or simply do not own the experience to create a secure plugin.
31
+ Statistics reveal that every day new vulnerabilities are discovered, many affecting hundreds of thousands of WordPress websites.
32
+ Over 99,9% of hacked WordPress websites are target of automated malware scripts, which search for certain WordPress fingerprints. This plugin hides or replaces those traces, making the hacking boots attacks useless.
33
 
34
+ It works well with custom WordPress directory structures,e.g. custom plugins, themes, and upload folders.
35
 
36
+ Once configured, you need to **clear server cache data and/or any cache plugins** (e.g. W3 Cache), for a new html data to be created. If you use CDN this should be cache clear as well.
37
 
38
  **Sample usage**
39
  [vimeo https://vimeo.com/192011678]
40
 
41
  **Main plugin functionality:**
42
 
43
+ * Customizes Admin URL
44
+ * Blocks default admin URL
45
+ * Blocks any direct folder access to completely hide the structure
46
+ * Customize wp-login.php filename
47
+ * Blocks default wp-login.php
48
+ * Blocks default wp-signup.php
49
+ * Blocks XML-RPC API
50
+ * Creates New XML-RPC paths
51
+ * Adjusts theme URL
52
+ * Creates New child Theme URL
53
+ * Changes theme style file name
54
+ * Cleans any headers for theme style file
55
+ * Customizes wp-include
56
+ * Blocks default wp-include paths
57
+ * Blocks default wp-content
58
+ * Customizes plugins URL
59
+ * Changes Individual plugin URL
60
+ * Blocks default plugins paths
61
+ * Creates New upload URL
62
+ * Blocks default upload URL
63
+ * Removes WordPress version
64
+ * Blocks Meta Generator
65
+ * Disables the emoji and required javascript code
66
+ * Removes pingback tag
67
+ * Removes wlwmanifest Meta
68
+ * Removes rsd_link Meta
69
+ * Removes wpemoji
70
+ * Minifies Html, Css, JavaScript
71
+
72
+ * Security Headers
73
 
74
  and many more.
75
 
76
+ **No other plugin functionality will be blocked or interfered in any way by WP-Hide**
77
 
78
+ This plugin allows to change the default Admin URL from **wp-login.php** and **wp-admin** to something else. All original links turn the default theme to “404 Not Found page, as if nothing exists there. Besides the huge security advantage, the WP-Hide plugin saves lots of server processing time by reducing php code and MySQL usage since brute-force attacks target the weakURL.
79
 
80
+ **Important:** Compared to all other similar plugins which mainly use redirects, this plugin turns a default theme to“404 error page for all **blocked URL** functionalities, without revealing the link existence at all.
81
 
82
+ Since version 1.2, WP-Hide change individual plugin URLs and made them unrecognizable. For example,the change of the default WooCommerce plugin URL and its dependencies from domain.com/wp-content/plugins/woocommerce/ into domain.com/ecommerce/cdn/ or anything customized.
83
 
84
  = Plugin Sections =
85
 
86
+ **Hide -> Rewrite > Theme**
87
 
88
+ * New Theme Path Changes default theme path
89
+ * New Style File Path Changes default style file name and path
90
+ * Remove description header from Style file Replaces any WordPress metadata information (like theme name, version etc.,) from style file
91
+ * Child New Theme Path Changes default child theme path
92
+ * Child New Style File Path Changes child theme style-sheet file path and name
93
+ * Child Remove description header from Style file Replaces any WordPress metadata information (like theme name, version etc.,) from style file
94
 
95
+ **Hide -> Rewrite > WP includes**
96
 
97
+ * New Include Path Changes default wp-include path/URL
98
+ * Block wp-include URL Blocks default wp-include URL
99
 
100
+ **Hide -> Rewrite > WP content**
101
 
102
+ * New Content Path Change default wp-content path/URL
103
+ * Block wp-content URL Blocks the default content URL
104
 
105
+ **Hide -> Rewrite > Plugins**
106
 
107
+ * New Plugin Path Changes default wp-content/plugins path/URL
108
+ * Block plugin URL Blocks default wp-content/plugins URL
109
+ * New path / URL for Every Active Plugin
110
+ * Customize path and name for any active plugins
111
 
112
+ **Hide -> Rewrite > Uploads**
113
 
114
+ * New Upload Path Changes default media files path/URL
115
+ * Block upload URL Blocks default media files URL
116
 
117
+ **Hide -> Rewrite > Comments**
118
 
119
  * New wp-comments-post.php Path
120
  * Block wp-comments-post.php
121
 
122
+ **Hide -> Rewrite > Author**
123
 
124
  * New Author Path
125
  * Block default path
126
 
127
+ **Hide -> Rewrite > Search**
128
 
129
  * New Search Path
130
  * Block default path
131
 
132
+ **Hide -> Rewrite > XML-RPC**
133
 
134
+ * New XML-RPC Path Changes default XML-RPC path / URL
135
+ * Block default xmlrpc.php Blocks default XML-RPC URL
136
+ * Disable XML-RPC authentication Filters whether XML-RPC methods require authentication
137
+ * Remove pingback Removes pingback link tag from theme
138
 
139
+ **Hide -> Rewrite > JSON REST**
140
 
141
  * Clean the REST API response
142
+ * Disable JSON REST V1 service Disables an API service for WordPress which is active by default
143
+ * Disable JSON REST V2 service Disables an API service for WordPress which is active by default
144
+ * Block any JSON REST calls Any call for JSON REST API service will be blocked
145
  * Disable output the REST API link tag into page header
146
  * Disable JSON REST WP RSD endpoint from XML-RPC responses
147
  * Disable Sends a Link header for the REST API
148
 
149
+ **Hide -> Rewrite > Root Files**
150
 
151
+ * Block license.txt Blocks access to license.txt root file
152
+ * Block readme.html Blocks access to readme.html root file
153
+ * Block wp-activate.php Blocks access to wp-activate.php file
154
+ * Block wp-cron.php Blocks outside access to wp-cron.php file
155
+ * Block wp-signup.php Blocks default wp-signup.php file
156
+ * Block other wp-*.php files Blocks other wp-.php files within WordPress Root
157
 
158
+ **Hide -> Rewrite > URL Slash**
159
 
160
+ * URLs add Slash Add a slash to any links without it. This disguisesthe existence of a file, folder or a wrong URL, which will all be slashed.
161
 
162
+ **Hide -> General / Html > Meta**
 
163
 
164
  * Remove WordPress Generator Meta
165
  * Remove Other Generator Meta
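Review bot: The XML-RPC entry "Disable XML-RPC authentication Filters whether XML-RPC methods require authentication" reads as if the option removes the authentication requirement from XML-RPC, which would be a weakening rather than a hardening. If the option turns off the XML-RPC methods that require authentication, say that directly, for example "Disable authenticated XML-RPC methods". In the Root Files list, "Blocks other wp-.php files" has lost the wildcard that its label (wp-*.php) carries, and the URL Slash line is missing a space in "disguisesthe".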
174
  * Remove profile link
175
  * Remove canonical link
176
 
177
+ **Hide -> General / Emulate CMS**
178
 
179
  * Emulate CMS
180
 
181
+ **Hide -> General / Html > Admin Bar**
182
 
183
  * Remove WordPress Admin Bar for specified urser roles
184
 
185
+ **Hide -> General / Feed**
186
 
187
  * Remove feed|rdf|rss|rss2|atom links
188
 
189
+ **Hide -> General / Robots.txt**
190
 
191
+ * Disable admin URL within Robots.txt
192
 
193
+ **Hide -> General / Html > Emoji**
194
 
195
  * Disable Emoji
196
  * Disable TinyMC Emoji
197
 
198
+ **Hide -> General / Html > Styles**
199
 
200
  * Remove Version
201
  * Remove ID from link tags
202
 
203
+ **Hide -> General / Html > Scripts**
204
 
205
  * Remove Version
206
 
207
+ **Hide -> General / Html > Oembed**
208
 
209
  * Remove Oembed
210
 
211
+ **Hide -> General / Html > Headers**
212
 
213
  * Remove Link Header
214
  * Remove X-Powered-By Header
215
  * Remove X-Pingback Header
216
 
217
+ **Hide -> General / Html > HTML**
218
 
219
  * Remove HTML Comments
220
+ * Minify Html, CSS, JavaScript
221
  * Disable right mouse click
222
  * Remove general classes from body tag
223
  * Remove ID from Menu items
225
  * Remove general classes from post
226
  * Remove general classes from images
227
 
228
+ **Hide -> Admin > wp-login.php**
229
 
230
+ * New wp-login.php Maps a new wp-login.php instead of the default one
231
+ * Block default wp-login.php Blocks default wp-login.php file from being accessible
232
 
233
+ **Hide -> Admin > Admin URL**
234
 
235
+ * New Admin URL Creates a new admin URL instead of the default ”/wp-admin”. This also applies for admin-ajax.php calls
236
+ * Block default Admin Url Blocks default admin URL and files from being accessible
237
 
238
+ **Settings -> CDN**
239
 
240
+ * CDN Url Sets-up CDN if applied. Some providers replace site assets with custom URLs.
241
+
242
+ **Security -> Headers**
243
+ HTTP Response Headers are a powerful tool to Harden Your Website Security.
244
+ * Cross-Origin-Embedder-Policy (COEP)
245
+ * Cross-Origin-Opener-Policy (COOP)
246
+ * Cross-Origin-Resource-Policy (CORP)
247
+ * X-Content-Type-Options
248
+ * X-Download-Options
249
+ * X-Frame-Options (XFO)
250
+ * X-Permitted-Cross-Domain-Policies
251
+ * X-XSS-Protection
252
 
253
  <br />This free version works with Apache and IIS server types. For all server types, check with <a target="_blank" href="https://wp-hide.com/">WP Hide PRO</a>
254
 
255
  <br />This is a basic version that can hide everything for basic sites, example <a target="_blank" href="https://demo.wp-hide.com/">https://demo.wp-hide.com/</a>. When using complex plugins and themes, the WP Hide PRO may be required. We provide free assistance to hide everything on your site, along with the commercial product.
256
 
257
+ <br />Anything wrong with this plugin on your site? Just use the forum or get in touch with us at <a target="_blank" href="https://wp-hide.com/contact/">Contact</a> and we'll check it out.
258
 
259
  <br />A website example can be found at <a target="_blank" href="https://demo.wp-hide.com/">https://demo.wp-hide.com/</a> or our website <a target="_blank" href="https://wp-hide.com/">WP Hide and Security Enhancer</a>
260
 
265
 
266
  == Installation ==
267
 
268
+ 1. Install the plugin through the WordPress plugins interface or upload the package to `/wp-content/plugins/wp-hide-security-enhancer` directory.
269
  2. Activate the plugin through the 'Plugins' screen in WordPress.
270
  3. Use the WP Hide menu screen to configure the plugin.
271
 
273
 
274
  Feel free to contact us at contact@wp-hide.com for fast support.
275
 
276
+ = Does the plugin change anything on my server? =
277
 
278
+ Absolutely Nothing!
279
+ No files and directories will be changed on your server, since everything is processed virtually. The plugin code use URL rewrite techniques and WordPress filters to apply all internal functionalities and features.
280
 
281
+ = Since I have no PHP knowledge at all, is this plugin for me? =
282
 
283
+ There is no requirement for php knowledge. All plugin features and functionalities are applied automatically, controlled through a descriptive admin interface.
284
 
285
  = Is there any demo I can check? =
286
 
287
  A demo instance can be found at <a target="_blank" href="https://demo.wp-hide.com/">https://demo.wp-hide.com/</a> or our own website <a target="_blank" href="https://wp-hide.com/">WP Hide and Security Enhancer</a>
288
 
289
+ = Can I use the plugin on my Nginx server? =
290
 
291
+ If the server runs full-stack Nginx, the free plugin cant generate the required format Nginx rewrite rules. It works with Apache, LiteSpeed, IIS, Nginx as a reverse proxy and compatible.
292
 
293
  = Can I still update WordPress, my plugins and themes? =
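Review bot: The answer "Absolutely Nothing! No files and directories will be changed on your server" contradicts the rest of this readme, which documents the plugin writing rewrite rules to the .htaccess file in the WordPress root and tells users to delete the lines between the BEGIN/END WP Hide & Security Enhancer markers during recovery. Reword it to say that WordPress core, theme and plugin files are not renamed or moved, and that rules are written to .htaccess. In the Nginx answer, "cant" needs its apostrophe and "and compatible" is an unfinished phrase.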
294
 
296
 
297
  = Does the plugin affect the SEO aspects of my website? =
298
 
299
+ No, the plugin changes only asset links (CSS, JavaScript, media files),but not actual content URLs. There will be no negative impact from SEO perspective, whatsoever.
300
 
301
  = Does the plugin work with my site cache? =
302
 
303
  Yes, the plugin works with any cache plugin deployed on your site.
304
 
305
+ = What are HTTP Security Headers? =
306
+
307
+ HTTP Response Headers are a powerful tool to Harden Your Website Security. The plugin provides an easy way to add Security Response Headers through a graphical interface. No additional codding and file editing is necessary.
308
 
309
+ = What servers this plugin can work with? =
 
310
 
311
+ This free code/WP-Hide can work with Apache, IIS server types and any other set-up which rely on .htaccess usage.
312
+ For all other cases, check the PRO version at <a target="_blank" href="https://wp-hide.com">WP Hide PRO</a>
313
 
314
+ = How to make it work with my OpenLiteSpeed server? =
315
 
316
+ There are few things to consider when you run on litespeed servers:
317
+
318
+ * Ensure the liteserveractually processes the .htaccess file, where the rewrite data is being saved. Check with the following topic regarding this issue <a target="_blank" href="https://www.litespeedtech.com/support/forum/threads/htaccess-is-ignored.15500/">Post</a>
319
 
320
  * If you use Litespeed Cache plugin, in the Optimization Settings area, disable the CSS / JS Minify
321
 
322
+ * If your litespeed server requires to place the rewrite lines in a different file,e.g. config file or interface, consider upgrading to PRO version which includes a Setup page where you can get the rewrite code <a href="https://wp-hide.com/wp-hide-pro-now-available/">WP Hide PRO</a>.
323
 
324
 
325
+ = How to use on my Bitnami setup? =
326
+ As default, on Bitnami LAMP set-ups, the system will not process the .htaccess file, so none of the rewrites will work. You can change this behavior by updating the main config file located at /opt/bitnami/apps/APPNAME/conf/httpd-app.conf , update the line
327
  <pre><code>AllowOverride None</code></pre>
328
  to
329
  <pre><code>AllowOverride All</code></pre>
330
+ Restart the Apache service through SSH
331
  <pre><code>sudo /opt/bitnami/ctlscript.sh restart</code></pre>
332
  More details can be found at <a href="https://docs.bitnami.com/general/apps/redmine/administration/use-htaccess/">Bitnami Default .Htaccess
333
  </a>
334
 
335
+ You can still keep the configuration as it is using the <a target="_blank" href="https://wp-hide.com">WP Hide PRO</a>, more details at <a href="https://wp-hide.com/documentation/setup-the-plugin-on-bitnami-wordpress-lamp-stack/">Setup the plugin on Bitnami WordPress LAMP stack
336
  </a>
337
 
338
 
339
+ = .htaccess file writing error Unable to write custom rules to your .htaccess. Is this file writable? =
340
 
341
+ Im seeing this error Unable to write custom rules to your .htaccess. Is this file writable”? What does it mean?
342
+ The error appears when the plugin is not able to write to .htaccess file located in your WordPress root directory. You can try the followings to make a fix:
343
 
344
+ * Check if your .htaccess file is writable. This can be different from server to server, but usually require rw-rw-r– / 0664. Also ensure the file owner is the same group as php.
345
 
346
  * Sometimes the other codes wrongly use the flush_rules() which hijack the default filters for rewrite. Try to disable the other plugins and theme to figure out which ones produce the issue.
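Review bot: The Bitnami answer tells users to change AllowOverride None to AllowOverride All, which lets .htaccess files use every overridable directive class rather than only what this plugin needs. Document the narrowest AllowOverride value under which the plugin's rules work and keep All as the fallback. In the .htaccess error answer, the 0664 advice makes the file group-writable, so state that this is a trade-off and that permissions can be tightened again once configuration is finished; "rw-rw-r–" should read "rw-rw-r--", and the quoted error message has lost its opening quotation mark.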
347
 
353
 
354
  * There will be no harm.
355
  * Go to admin and change some of the plugin options to see which one causes the problem. Then report it to the forum or get in touch with us to fix it.
356
+ * If you cant log in to admin, use the Recovery Link which has been sent to your e-mail. This will reset the login to default.
357
+ * If you cant find the recovery link or none of the above worked, delete the plugin from your wp-content/plugins directory. Then remove any lines in your .htaccess file between:
358
  BEGIN WP Hide & Security Enhancer
359
  ..
360
  END WP Hide & Security Enhancer
361
 
362
+ * At this point, the site should run as before. If for some reason still not working, you missed something, please get in touch with us at contact@wp-hide.com and well fix it for you in no time!
363
 
364
+ = How to use the Recovery Link? =
365
 
366
+ The Recovery Link can be used to reset all plugin options and restore the site to the default state.
367
+ The link should be entered into the browser URL bar. After the operation is completed, a system message will show The plugin options have been reset successfully”.
368
  If the message does not show, there is a cache on your site that prevents the code to run. Locate your cache data, usually at /wp-content/cache/ and remove the files. Then re-load the recovery link.
369
 
370
+ = What to do if I cant find a functionality that I’m looking for? =
371
 
372
+ Please get in touch with us and well do our best to include it inthe next version.
373
 
374
  == Screenshots ==
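Review bot: The Recovery Link is described two ways in this hunk: the troubleshooting bullet says it "will reset the login to default", while the new FAQ answer says it resets all plugin options and restores the site to the default state. State once what the link resets, and tell users to keep the e-mailed link private, since entering it in a browser is all the readme says is needed to reset the options. The quoted success message ("The plugin options have been reset successfully") has lost its opening quotation mark, and "cant", "well" and "inthe" need fixing.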
375
 
378
 
379
  == Changelog ==
380
 
381
+ = 1.7.8 =
382
+ * New Security Functionality - Headers. HTTP Response Headers are a powerful tool to Harden Your Website Security.
383
+ * Security Headers - Cross-Origin-Embedder-Policy (COEP), Cross-Origin-Opener-Policy (COOP), Cross-Origin-Resource-Policy (CORP), X-Content-Type-Options, X-Download-Options, X-Frame-Options (XFO), X-Permitted-Cross-Domain-Policies, X-XSS-Protection.
384
+ * Security Headers - Protection Level graph
385
+ * Security Headers - Sample Setup
386
+ * Security Headers - Recovery functionality
387
+ * Styles and layout improvements
388
+ * Code clean-up
389
+ * Fix: Append URL arguments to login URL, if exists
390
+
391
  = 1.7.6 =
392
  * Run on revision posts, to match URLs and revert to default WordPress ( e.g. when using Gutenberg editor )
393
  * Require a .php for the customization of the default wp-login.php to avoid cookie issues on password change area.
933
  == Localization ==
934
  Please help and translate this plugin to your language at <a href="https://translate.wordpress.org/projects/wp-plugins/wp-hide-security-enhancer">https://translate.wordpress.org/projects/wp-plugins/wp-hide-security-enhancer</a>
935
 
936
+ You are kindly asked to promote this plugin if it comes up to your expectations via an article on your site or any other place. If you liked this code/WP-Hide or if it helped with your project, why not leave a 5 star review on this board.
wp-hide.php CHANGED
@@ -5,7 +5,7 @@ Plugin URI: https://wp-hide.com/
5
  Description: Hide and increase Security for your WordPress website instance using smart techniques. No files are changed on your server.
6
  Author: Nsp Code
7
  Author URI: http://www.nsp-code.com
8
- Version: 1.7.6
9
  Text Domain: wp-hide-security-enhancer
10
  Domain Path: /languages/
11
  */
5
  Description: Hide and increase Security for your WordPress website instance using smart techniques. No files are changed on your server.
6
  Author: Nsp Code
7
  Author URI: http://www.nsp-code.com
8
+ Version: 1.7.8
9
  Text Domain: wp-hide-security-enhancer
10
  Domain Path: /languages/
11
  */
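Review bot: The header goes from Version: 1.7.6 straight to 1.7.8, and the readme changelog in this change likewise has no 1.7.7 entry; if 1.7.7 was skipped, a one-line changelog note avoids confusion for anyone comparing releases. While the header is being touched, Author URI is still plain http:// whereas Plugin URI uses https://.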