WP Security Audit Log - Version 2.6.3

Version Description

2.6.3 (2017-05-03)

  • Security Update
    • Updated third party session libraries to a more secure version

Release Info

Developer WPWhiteSecurity
Version 2.6.3

Code changes from version 2.6.2 to 2.6.3

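--- a/classes/Lib/class-wp-session-utils.php
+++ b/classes/Lib/class-wp-session-utils.php
@@ -0,0 +1,139 @@
+<?php
+
+/**
+* Utility class for sesion utilities
+*
+* THIS CLASS SHOULD NEVER BE INSTANTIATED
+*/
+class WP_Session_Utils {
+/**
+* Count the total sessions in the database.
+*
+* @global wpdb $wpdb
+*
+* @return int
+*/
+public static function count_sessions() {
+global $wpdb;
+
+$query = "SELECT COUNT(*) FROM $wpdb->options WHERE option_name LIKE '_wp_session_expires_%'";
+
+/**
+* Filter the query in case tables are non-standard.
+*
+* @param string $query Database count query
+*/
+$query = apply_filters( 'wp_session_count_query', $query );
+
+$sessions = $wpdb->get_var( $query );
+
+return absint( $sessions );
+}
+
+/**
+* Create a new, random session in the database.
+*
+* @param null|string $date
+*/
+public static function create_dummy_session( $date = null ) {
+// Generate our date
+if ( null !== $date ) {
+$time = strtotime( $date );
+
+if ( false === $time ) {
+$date = null;
+} else {
+$expires = date( 'U', strtotime( $date ) );
+}
+}
+
+// If null was passed, or if the string parsing failed, fall back on a default
+if ( null === $date ) {
+/**
+* Filter the expiration of the session in the database
+*
+* @param int
+*/
+$expires = time() + (int) apply_filters( 'wp_session_expiration', 30 * 60 );
+}
+
+$session_id = self::generate_id();
+
+// Store the session
+add_option( "_wp_session_{$session_id}", array(), '', 'no' );
+add_option( "_wp_session_expires_{$session_id}", $expires, '', 'no' );
+}
+
+/**
+* Delete old sessions from the database.
+*
+* @param int $limit Maximum number of sessions to delete.
+*
+* @global wpdb $wpdb
+*
+* @return int Sessions deleted.
+*/
+public static function delete_old_sessions( $limit = 1000 ) {
+global $wpdb;
+
+$limit = absint( $limit );
+$keys = $wpdb->get_results( "SELECT option_name, option_value FROM $wpdb->options WHERE option_name LIKE '_wp_session_expires_%' ORDER BY option_value ASC LIMIT 0, {$limit}" );
+
+$now = time();
+$expired = array();
+$count = 0;
+
+foreach( $keys as $expiration ) {
+$key = $expiration->option_name;
+$expires = $expiration->option_value;
+
+if ( $now > $expires ) {
+$session_id = preg_replace("/[^A-Za-z0-9_]/", '', substr( $key, 20 ) );
+
+$expired[] = $key;
+$expired[] = "_wp_session_{$session_id}";
+
+$count += 1;
+}
+}
+
+// Delete expired sessions
+if ( ! empty( $expired ) ) {
+$placeholders = array_fill( 0, count( $expired ), '%s' );
+$format = implode( ', ', $placeholders );
+$query = "DELETE FROM $wpdb->options WHERE option_name IN ($format)";
+
+$prepared = $wpdb->prepare( $query, $expired );
+$wpdb->query( $prepared );
+}
+
+return $count;
+}
+
+/**
+* Remove all sessions from the database, regardless of expiration.
+*
+* @global wpdb $wpdb
+*
+* @return int Sessions deleted
+*/
+public static function delete_all_sessions() {
+global $wpdb;
+
+$count = $wpdb->query( "DELETE FROM $wpdb->options WHERE option_name LIKE '_wp_session_%'" );
+
+return (int) ( $count / 2 );
+}
+
+/**
+* Generate a new, random session ID.
+*
+* @return string
+*/
+public static function generate_id() {
+require_once( ABSPATH . 'wp-includes/class-phpass.php' );
+$hash = new PasswordHash( 8, false );
+
+return md5( $hash->get_random_bytes( 32 ) );
+}
+}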
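Review bot: The `LIKE '_wp_session_expires_%'` patterns in count_sessions and delete_old_sessions, and `LIKE '_wp_session_%'` in delete_all_sessions, leave `_` unescaped, and in SQL LIKE it is a single-character wildcard, so each match is looser than the literal prefix the code intends; the unconditional DELETE in delete_all_sessions is the one where that matters, since it removes any option whose name happens to fit the shape. Escaping the underscores is a one-line change per query, e.g. `$wpdb->query( "DELETE FROM $wpdb->options WHERE option_name LIKE '\\_wp\\_session\\_%'" );`, or build the pattern with `$wpdb->esc_like( '_wp_session_' ) . '%'` where the plugin's minimum WordPress version provides it. delete_all_sessions also returns `(int) ( $count / 2 )`, which assumes exactly two rows per session and reports 0 when `$wpdb->query()` returns `false`; a comment such as `// Each session is a pair of options (data + expires), so halve the affected-row count` would make the assumption explicit, and a `false === $count` check before dividing would keep a query error from being reported as "nothing deleted".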
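--- a/classes/Lib/class-wp-session.php
+++ b/classes/Lib/class-wp-session.php
@@ -72,29 +72,25 @@ final class WP_Session extends Recursive_ArrayAccess implements Iterator, Counta
 * @uses apply_filters Calls `wp_session_expiration` to determine how long until sessions expire.
 */
 protected function __construct() {
-if (isset($_COOKIE[WP_SESSION_COOKIE])) {
-$cookie = stripslashes($_COOKIE[WP_SESSION_COOKIE]);
-$cookie_crumbs = explode('||', $cookie);
+if ( isset( $_COOKIE[WP_SESSION_COOKIE] ) ) {
+$cookie = stripslashes( $_COOKIE[WP_SESSION_COOKIE] );
+$cookie_crumbs = explode( '||', $cookie );
 
-if ($this->is_valid_md5($cookie_crumbs[0])) {
-$this->session_id = $cookie_crumbs[0];
-} else {
-$this->regenerate_id(true);
-}
-
-$this->expires = $cookie_crumbs[1];
+$this->session_id = $cookie_crumbs[0];
+$this->expires = $cookie_crumbs[1];
 $this->exp_variant = $cookie_crumbs[2];
 
 // Update the session expiration if we're past the variant time
-if (time() > $this->exp_variant) {
+if ( time() > $this->exp_variant ) {
 $this->set_expiration();
-delete_option("_wp_session_expires_{$this->session_id}");
-add_option("_wp_session_expires_{$this->session_id}", $this->expires, '', 'no');
+delete_option( "_wp_session_expires_{$this->session_id}" );
+add_option( "_wp_session_expires_{$this->session_id}", $this->expires, '', 'no' );
 }
 } else {
-$this->session_id = $this->generate_id();
+$this->session_id = WP_Session_Utils::generate_id();
 $this->set_expiration();
 }
+
 $this->read_data();
 
 $this->set_cookie();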
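Review bot: The new constructor assigns `$this->session_id = $cookie_crumbs[0];` straight from the cookie, whereas the removed side validated it with `is_valid_md5()` and fell back to `regenerate_id( true )`, so a client-controlled string now becomes the session id that is interpolated into the option names on the `delete_option(...)` and `add_option(...)` lines of this hunk (and presumably into the key that `read_data()` fetches, which is outside the hunk). For a commit described as a security update that looks unintended; keeping the guard is a one-line change, `$this->session_id = $this->is_valid_md5( $cookie_crumbs[0] ) ? $cookie_crumbs[0] : WP_Session_Utils::generate_id();`, assuming `is_valid_md5()` is still defined on the class (generate_id() returns an md5 hex string, so the check matches the id format). `$cookie_crumbs[1]` and `[2]` are also read without confirming that `explode()` produced three parts, which the old code did not check either; a `count( $cookie_crumbs ) !== 3` guard that treats the cookie as absent would cover malformed cookies. The constructor's closing brace lies outside the hunk.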
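--- a/readme.txt
+++ b/readme.txt
@@ -7,7 +7,7 @@ License URI: http://www.gnu.org/licenses/gpl.html
 Tags: wordpress security plugin, wordpress security audit log, audit log, wordpress log, event log wordpress, wordpress user tracking, wordpress activity log, wordpress audit, security event log, audit trail, security audit trail, wordpress security alerts, wordpress monitor, wordpress security monitor, wordpress admin, wordpress admin monitoring, analytics, activity, admin, multisite, wordpress multisite, actions, dashboard, log, notification, wordpress monitoring, email notification, wordpress email alerts, tracking, user tracking, user activity report, wordpress audit trail
 Requires at least: 3.6
 Tested up to: 4.7.4
-Stable tag: 2.6.2
+Stable tag: 2.6.3
 
 Keep an audit trail of all changes and under the hood WordPress activity to ensure productivity and thwart possible WordPress hacker attacks.
 
@@ -139,7 +139,7 @@ We need help translating the plugin and the WordPress Security Alerts. Please vi
 
 * Italian translation by [Leonardo Musumeci](http://leonardomusumeci.net/)
 * German translation by [Mourad Louha](http://excel-translator.de)
-* Spanish translation by the [WP Body](https://wpbody.com/) team
+* Spanish translation by the [WP Body team](https://wpbody.com/)
 
 = Related Links and Documentation =
 For more information and to get started with WordPress Security, check out the following:
@@ -186,6 +186,11 @@ Please refer to the [FAQs page](https://www.wpsecurityauditlog.com/documentation
 
 == Changelog ==
 
+= 2.6.3 (2017-05-03) =
+
+* **Security Update**
+* Updated third party session libraries to a more secure version
+
 = 2.6.2 (2017-04-22) =
 
 * **New alerts to record actions & profile changes**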
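--- a/wp-security-audit-log.php
+++ b/wp-security-audit-log.php
@@ -4,7 +4,7 @@ Plugin Name: WP Security Audit Log
 Plugin URI: http://www.wpsecurityauditlog.com/
 Description: Identify WordPress security issues before they become a problem. Keep track of everything happening on your WordPress including WordPress users activity. Similar to Windows Event Log and Linux Syslog, WP Security Audit Log generates a security alert for everything that happens on your WordPress blogs and websites. Use the Audit Log Viewer included in the plugin to see all the security alerts.
 Author: WP White Security
-Version: 2.6.2
+Version: 2.6.3
 Text Domain: wp-security-audit-log
 Author URI: http://www.wpsecurityauditlog.com/
 License: GPL2
@@ -137,6 +137,11 @@ class WpSecurityAuditLog {
 require_once('classes/Lib/class-wp-session.php');
 require_once('classes/Lib/wp-session.php');
 }
+
+if (!class_exists('WP_Session_Utils')) {
+require_once('classes/Lib/class-wp-session-utils.php');
+}
+
 
 // load autoloader and register base paths
 require_once('classes/Autoloader.php');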