Shield Security for WordPress - Version 6.6.3

Version Description

  • Current Release - Released: 30th March, 2018 - Release Notes

  • (v.1-3) FIXED: Various small fixes and improvements

  • (v.0) NEW: [PRO] Keyless Activation of Pro licenses.

  • (v.0) ADDED: WordPress Password Policies.

  • (v.0) ADDED: Pwned Passwords Detection.

  • (v.0) IMPROVED: Major rewrite of plugin AJAX handling.

  • (v.0) IMPROVED: Notices to indicate the time of the last scans.

  • (v.0) FIXED: A few bugs


Release Info

Developer paultgoodchild
Version 6.6.3

Code changes from version 6.6.2 to 6.6.3

changelog.txt DELETED
@@ -1,1075 +0,0 @@
1
-
2
- = 6.4 Series =
3
- *Released: 26th February, 2018* - [Release Notes](http://icwp.io/br)
4
-
5
- * **(v.1-4)** FIXED: Various Fixes
6
- * **(v.0)** ADDED: [**PRO**] New Scanner to [detect file changes for active plugins and themes](http://icwp.io/bq)
7
- * **(v.0)** IMPROVED: Automatic updates for vulnerable plugins ignores [automatic updates delay setting](http://icwp.io/bc)
8
- * **(v.0)** CHANGED: Email notifications for scanners will now link to the Wizard where possible, instead of listing files.
9
-
10
- = 6.3 Series =
11
- *Released: 12th February, 2018* - [Release Notes](http://icwp.io/bc)
12
-
13
- * **(v.3)** FIXED: Bug with automatic updates delay setting
14
- * **(v.2)** CHANGED: Changed a text that seems to cause servers to swallow-up emails. [See here for more reliable email](http://icwp.io/bi)
15
- * **(v.1)** FIXED: Options page javascript to work around conflicts.
16
- * **(v.0)** ADDED: [**PRO**] [Automatic updates stability delay](http://icwp.io/bc)
17
- * **(v.0)** IMPROVED: Complete [plugin UI rebuild](http://icwp.io/bd), using the new Bootstrap 4.
18
- * **(v.0)** FIXED: A few bugs with Google Authenticator.
19
-
20
- = 6.2 Series =
21
- *Released: 31st January, 2018* - [Release Notes](http://icwp.io/b6)
22
-
23
- * **(v.2)** FIXED: Fix for IP Manager PHP error.
24
- * **(v.2)** IMPROVED: Two-factor verification email.
25
- * **(v.1)** FIXED: Bug where administrator login email notification setting is not being honoured.
26
- * **(v.1)** IMPROVED: If a site is having trouble with database creation, User Sessions wont lock you out.
27
- * **(v.0)** IMPROVED: Major overhaul of the Shield User Sessions system.
28
- * **(v.0)** IMPROVED: Link the Security Admin authentication with the new Sessions system.
29
- * **(v.0)** IMPROVED: Major overhaul to plugin's user meta data storage, limiting to a single DB entry for all data.
30
- * **(v.0)** ADDED: [**PRO**] Ability to increase frequency of file system scans up to once every hour.
31
- * **(v.0)** ADDED: [**PRO**] Add a "remember me" option, to allow users to skip Multi-factor authentication for a set number of days.
32
-
33
- = 6.1 Series =
34
- *Released: 15th January, 2018* - [Release Notes](http://icwp.io/ay)
35
-
36
- * **(v.1)** FIXED: Verify link missing from the two-factor authentication verification email.
37
- * **(v.0)** ADDED: 3x more Shield Wizards: Multi-factor Authentication, Core File Scanning, Unrecognised File Scanning.
38
- * **(v.0)** ADDED: You can now use regular expressions for file exclusions in the 'Unrecognised File Scanner'.
39
- * **(v.0)** CHANGED: File Scanner email notifications now link to the appropriate scanner wizard directly.
40
- * **(v.0)** IMPROVED: Plugin options pages restyling.
41
- * **(v.0)** IMPROVED: Plugin refactoring and improvements.
42
-
43
- = 6.0 Series =
44
- *Released: 18th December, 2017*
45
-
46
- * **(v.0)** ADDED: All-new Shield Welcome and Setup Wizard - more helpful guided wizards to come.
47
- * **(v.0)** ADDED: [**PRO**] [Shield options import and export](http://icwp.io/at)
48
- * **(v.0)** ADDED: [**PRO**] In conjunction with import/export - Shield Security Network: automated options syncing.
49
- * **(v.0)** CHANGED: Going forward, new features and options will [support only PHP 5.4+](http://icwp.io/au). Existing features will remain unaffected.
50
-
51
- = 5.20 Series =
52
- *Released: 11th December, 2017*
53
-
54
- * **(v.0)** IMPROVED: [**PRO**] Audit Trail length are configurable. Length for free is 50 entries (the original unpaginated limit)
55
- * **(v.0)** IMPROVED: Large redesign of options sections to be more intuitive and cleaner
56
- * **(v.0)** IMPROVED: Added dedicated help section for each module.
57
- * **(v.0)** IMPROVED: Certain modules have an new *Actions* centre, such a Audit Trail viewer and User Sessions manager
58
- * **(v.0)** IMPROVED: Audit Trails are now ajax-paginated. You can browse through all your audit trail entries
59
- * **(v.0)** IMPROVED: User session tables are also ajax-paginated.
60
-
61
- = 5.19 Series =
62
- *Released: 4th December, 2017*
63
-
64
- * **(v.1)** FIXED: Plugin Vulnerabilities scan for premium plugins.
65
- * **(v.0)** ADDED: [**PRO**] Automated WordPress plugins vulnerability scanner with auto updates email notifications
66
- * **(v.0)** ADDED: Added Google reCAPTCHA support for register/forget password pages.
67
- * **(v.0)** ADDED: [**PRO**] Support for Multi-Factor Authentication for WooCommerce and other 3rd party plugins.
68
- * **(v.0)** ADDED: [**PRO**] Bot-protection/Google reCAPTCHA support for BuddyPress register pages.
69
-
70
- = 5.18 Series =
71
- *Released: 27th November, 2017*
72
-
73
- * **(v.0)** ADDED: [**PRO**] Invisible Google reCAPTCHA option.
74
- * **(v.0)** ADDED: [**PRO**] Support for Google reCAPTCHA themes - light and dark.
75
- * **(v.0)** IMPROVEMENT: Google reCAPTCHA is more reliable and configurable.
76
-
77
- = 5.17 Series =
78
- *Released: 23rd November, 2017*
79
-
80
- * **(v.0)** ADDED: Shield Security goes Pro! Added new options and extras to premium clients.
81
- * **(v.0)** IMPROVEMENT: Fix and improvement to Google reCAPTCHA.
82
- * **(v.0)** ADDED: [**PRO**] Support for Woocommerce and Easy Digital Downloads login/registration form protection.
83
- * **(v.0)** ADDED: [**PRO**] Ability to customise most user-facing texts.
84
- * **(v.0)** ADDED: [**PRO**] Extra IP Transgression signal.
85
-
86
- = 5.16 Series =
87
- *Released: 16th October, 2017*
88
-
89
- With this release, we fixed a clash of options for Google reCAPTCHA. Every attempt was made to ensure no interruption to your existing settings, but please check to ensure your reCAPTCHA settings are as you expect them to be.
90
-
91
- * **(v.4)** FIX: Error with incorrect/unprefixed database table name used in SQL query.
92
- * **(v.3)** IMPROVEMENT: Tweak to the Visitor IP Auto-detection to better ensure CloudFlare IP addresses are ignored.
93
- * **(v.3)** IMPROVEMENT: Plugin Badge will now stay closed when a visitor closes it.
94
- * **(v.2)** FIX: Removed some namespace parsing that broke on sites with PHP 5.2.
95
- * **(v.1)** FIX: 404 page displayed for password reset request when Login URL is renamed.
96
- * **(v.0)** IMPROVEMENT: Much better auto-detection of valid request/visitor IP addresses.
97
- * **(v.0)** FIX: Clashing of reCAPTCHA options for Comments and Login Protection.
98
- * **(v.0)** IMPROVEMENT: Statistic Reporting database management and pruning.
99
- * **(v.0)** FIX: Various system fixes and improvements.
100
-
101
- = 5.15 Series =
102
- *Released: 21st September, 2017*
103
-
104
- * **(v.1)** FIX: Processing AJAX requests from the Network Admin side of WordPress.
105
- * **(v.1)** IMPROVEMENTS: Better handling of file exclusions in the Hack Guard module.
106
- * **(v.1)** IMPROVEMENTS: Better handling of fatal errors in loading Shield where some core files are missing.
107
- * **(v.0)** ADDED: New HTTP Security Header: Referrer Policy.
108
- * **(v.0)** ADDED: Supports paths for file exclusions in the Unrecognised File Scanner.
109
- * **(v.0)** IMPROVEMENTS: Better interception of unintentional redirects to the hidden Login URL (e.g. /wp-admin/customize.php).
110
- * **(v.0)** IMPROVEMENTS: Better handling of email sending entries in the Audit Trail.
111
- * **(v.0)** IMPROVEMENTS: Improved (tabbed) display of Audit Trail.
112
- * **(v.0)** IMPROVEMENTS: Better generation & handling of the One Time Password for email-based two-factor authentication.
113
- * **(v.0)** IMPROVEMENTS: Some code clean up and refactoring.
114
-
115
- = 5.14 Series =
116
- *Released: 9th September, 2017*
117
-
118
- * **(v.0)** ADDED: Option for administrators to manually override and set the source of the visitor IP address.
119
- * **(v.0)** UPDATED: In-plugin documentation links to updated and revised helpdesk articles/blogs.
120
- * **(v.0)** IMPROVEMENTS: Strip out any non-alphanumeric characters uses in the generation of Google Authenticator URLs.
121
- * **(v.0)** FIX: Shield now ignores any requests sent to Rest API URIs with respect to Shield user sessions.
122
-
123
- = 5.13 Series =
124
- *Released: 15th August, 2017*
125
-
126
- * **(v.2)** IMPROVEMENTS: Small adjustment to handling of Shield User sessions in conjunction with WordPress sessions.
127
- * **(v.2)** FIX: Restore display of help links for options.
128
- * **(v.1)** FIX: PHP 5.2 incompatibility.
129
- * **(v.0)** ADDED: New option for [Unrecognised File Scanner](http://icwp.io/94) to scan the Uploads folder for JS and PHP files.
130
- * **(v.0)** ADDED: Option to provide custom list of files to be excluded from the [Unrecognised File Scanner](http://icwp.io/94).
131
-
132
- = 5.12 Series =
133
- *Released: 3rd August, 2017*
134
-
135
- * **(v.2)** IMPROVEMENTS: Improved support for Windows IIS hosting for [Unrecognised File Scanner](http://icwp.io/94)
136
- * **(v.2)** CHANGED: Removed the email-based 2FA automatic login link.
137
- * **(v.2)** FIX: Potential bug with Shield not recognising plugin configuration updates and not rebuilding options accordingly.
138
- * **(v.1)** ADDED: A few more exclusions for the [Unrecognised File Scanner](http://icwp.io/94)
139
- * **(v.1)** FIX: Fix for Fatal error.
140
- * **(v.0)** ADDED: [Unrecognised File Scanner](http://icwp.io/94) release. Automatically detect and delete
141
- any files present in core WordPress directories that aren't part of your core installation.
142
- * **(v.0)** ADDED: Updated Firewall rules for SQL under the 'Aggressive' rule set.
143
-
144
- = 5.11 Series =
145
- *Released: 26th July, 2017*
146
-
147
- * **(v.1)** FIX: JSON syntax
148
- * **(v.0)** IMPROVEMENTS: Final preparation for [Shield Central](http://icwp.io/83) release.
149
-
150
- = 5.10 Series =
151
- *Released: 19th June, 2017*
152
-
153
- * **(v.2)** FIXED: Fatal error with GASP + Password Reset.
154
- * **(v.2)** FIXED: Fatal error with failing reCAPTCHA HTTP requests.
155
- * **(v.1)** IMPROVEMENTS: Further preparation for [Shield Central](http://icwp.io/83) release.
156
- * **(v.0)** ADDED: More in-depth reporting and statistics gathering - options for reports will be made available
157
- in a later release.
158
-
159
- = 5.9 Series =
160
- *Released: 31st May, 2017*
161
-
162
- * **(v.0)** ADDED: Help Videos for 1 or 2 modules. More to come and just testing format and uptake.
163
- * **(v.0)** ADDED: Special handling for WP Fastest Cache.
164
- * **(v.0)** CHANGE: Configuration for automatic self-update for the Shield plugin has been removed.
165
- * **(v.0)** CHANGE: No longer remove an existing user session when accessed from another IP address. Just redirect.
166
- Protects existing, legitimate sessions from being forcefully expired.
167
- * **(v.0)** FIXED: Danish string translation.
168
-
169
- = 5.8 Series =
170
- *Released: 7th April, 2017*
171
-
172
- * **(v.2)** IMPROVEMENTS: The core file scanner now works more reliably for international WordPress installations.
173
- * **(v.2)** CHANGE: Login Cooldown now uses only the flag file as an indicator of login times.
174
- * **(v.2)** CHANGE: Filter to allow for changing the two factor timeout period, from 5 (minutes). Filter: `icwp-wpsf-login_intent_timeout`
175
- * **(v.2)** CHANGE: Changed timeout for two-factor authentication email to 5 minutes to account for slower email-sending providers.
176
- * **(v.2)** CHANGE: Added further clarification to the Login Notification email indicating that two-factor authentication was pending.
177
- * **(v.1)** FIXED: Fixed a couple of bugs with the Login Authentication Portal, for certain edge cases.
178
- * **(v.0)** CHANGE: Major overhaul of [Two-Factor / Multi-Factor Login Authentication](http://icwp.io/87).
179
- * **(v.0)** CHANGE: [Introduction of Login Authentication Portal](http://icwp.io/86) for improved Multi-Factor Authentication.
180
- * **(v.0)** ADDED: Option to choose between two-factor or multi-factor login authentication.
181
- * **(v.0)** ADDED: Administrators can remove Google Authenticator from another user's profile.
182
- * **(v.0)** ADDED: When Security Admin is active, only Security Admins may remove Google Authenticator from other admins.
183
- * **(v.0)** CHANGE: Yubikey login authentication is now managed directly from the User Profile screen, as with Google Authenticator.
184
- * **(v.0)** CHANGE: Email-based login authentication no longer uses a separate database table.
185
- * **(v.0)** FIXED: Core file scanning now adequately handles Windows/Unix new lines during scan.
186
- * **(v.0)** FIXED: Certain crons weren't setup correctly.
187
- * **(v.0)** IMPROVEMENTS: Further preparation for [Shield Central](http://icwp.io/83) release.
188
-
189
- = 5.7 Series =
190
-
191
- * **(v.3)** FIXED: Attempt to improve the Google Authenticator flow for more reliable activation.
192
- * **(v.2)** IMPROVEMENTS: More admin notices when saving Google Authenticator settings.
193
- * **(v.2)** IMPROVEMENTS: Further preparation for [Shield Central](http://icwp.io/83) release.
194
- * **(v.1)** Skipped
195
- * **(v.0)** ADDED: Shortcode for displaying plugin badge in pages/posts.
196
- * **(v.0)** CHANGE: Enabled JS eval() for the Content Security Policy by default.
197
- * **(v.0)** IMPROVEMENTS: Replace YAML configuration files with JSON.
198
- * **(v.0)** IMPROVEMENTS: Preparation for [Shield Central](http://icwp.io/83) release.
199
- * **(v.0)** IMPROVEMENTS: Security Admin notices are more refined and optimized.
200
- * **(v.0)** IMPROVEMENTS: Removed unnecessary files/code.
201
-
202
- = 5.6 Series =
203
-
204
- * **(v.2)** CHANGE: Fix an instance where the hidden Login URL would be leaded.
205
- * **(v.1)** CHANGE: Replaying of Yubikey one-time-passwords is no longer permitted.
206
- * **(v.1)** ADDED: Filter for login form GASP fields.
207
- * **(v.1)** ADDED: Filter for comment form GASP fields.
208
- * **(v.1)** CHANGE: Improved compatibility of HTTP Headers with WP Super Cache.
209
- * **(v.0)** ADDED: Option to disable anonymous Rest API access. WordPress v4.7+ only. Note that if another plugin
210
- or service authenticates the request it will be honoured, whether anonymous or not.
211
- = 5.5 Series =
212
-
213
- * **(v.6)** IMPROVED: Fixed possible leak of the Login URL from the 'Hide WP Login URL' feature.
214
- * **(v.5)** ADDED: Ability to add custom protocols to the domains (apart from http/s) to the Content Security Policy
215
- * **(v.5)** FIXED: Bug where automatic update emails would contain empty plugins.
216
- * **(v.5)** FIXED: Javascript scope on GASP form elements.
217
- * **(v.5)** FIXED: Various fixes and code improvements.
218
- * **(v.4)** FIXED: Bug with data cleaning/storage that caused stored options to balloon resulting in database timeouts. (only certain options affected)
219
- * **(v.4)** IMPROVED: Sometimes "anti-virus" scanners scared normal, everyday hard-working folk by identifying a Shield file as being a virus, because they're not very clever - reduced chances of this.
220
- * **(v.3)** ADDED: Fix for WordPress Multisite where the correct database prefix wasn't being used.
221
- * **(v.2)** ADDED: Filter to allow modification of the email footer
222
- * **(v.2)** ADDED: Block auto-updates on Shield itself if PHP < 5.3 and new version is v6.0+
223
- * **(v.2)** FIXED: Missing Link
224
- * **(v.2)** FIXED: Plugin Installation ID wasn't always being set
225
- * **(v.2)** TRANSLATIONS: Dutch (56%)
226
- * **(v.1)** ADDED: Built-in forceful protection in the form of a wp_die() against the (currently) un-patched W3 Total Cache XSS vulnerability [more info](http://icwp.io/7j)
227
- * **(v.1)** IMPROVED: Better XMLRPC Lockdown - prevents ANY XMLRPC command processing.
228
- * **(v.1)** IMPROVED: Make certain strings translatable
229
- * **(v.1)** IMPROVED: Wrap-up certain login form elements into spans/divs to allow styling etc.
230
- * **(v.1)** IMPROVED: PHP Version number cleaning during stats tracking.
231
- * **(v.0)** ADDED: Options and statistics tracking ability. Over time we are looking to share statistics and performance metrics of Shield.
232
- * **(v.0)** IMPROVED: Performance for options loading, especially for web hosts that don't permit file writing
233
- * **(v.0)** CHANGED: Numerous fixes and code improvements.
234
- * **(v.0)** CHANGED: Removed query that deletes old GASP comment tokens on normal page loads.
235
- * **(v.0)** CHANGED: Google reCAPTCHA is now based on the locale of the website, not auto-detected.
236
- * **(v.0)** FIXED: Now URL encodes the username in the link for two-factor authentication by email.
237
- * **(v.0)** FIXED: If the xmlrpc.php has been deleted, this is now ignore by the file scanner
238
- * **(v.0)** TRANSLATIONS: Dutch (38%), Portuguese (32%)
239
-
240
- = 5.4 Series =
241
-
242
- * **(v.5)** CHANGED: User Management module is no-longer enabled by default on clean installations
243
- * **(v.5)** CHANGED: Made the GASP checkbox for Login protection clickable by label. [Thanks Aubrey!](https://github.com/FernleafSystems/Shield/pull/22)
244
- * **(v.5)** CHANGED: Shield Statistics only shows for WordPress admins (instead of all users)
245
- * **(v.5)** FIXED: Added a couple of guards to ensure data is of the correct format to prevent spurious errors
246
- * **(v.5)** FIXED: Bug where automatic file repair links from emails we're not working.
247
- * **(v.4)** SKIPPED.
248
- * **(v.3)** FIXED: Various fixes and improvements
249
- * **(v.3)** CHANGED: Lots of cleaning of old code.
250
- * **(v.3)** REMOVED: Various old, unused options, and the force_ssl_login option as it's deprecated by WordPress Core
251
- * **(v.3)** TRANSLATIONS: Dutch (36%), Swedish (35%)
252
- * **(v.3)** FIXED: Various fixes and improvements
253
- * **(v.3)** CHANGED: Lots of cleaning of old code.
254
- * **(v.3)** REMOVED: Various old, unused options, and the force_ssl_login option as it's deprecated by WordPress Core
255
- * **(v.3)** TRANSLATIONS: Dutch (36%), Swedish (35%)
256
- * **(v.2)** ADDED: A guard around certain modules like, User Sessions, to ensure the DB has been initiated properly before use.
257
- * **(v.2)** ADDED: Exclusion for Swedish license files that don't exist in the SVN repo.
258
- * **(v.2)** ADDED: Parameter exclusion for reCAPTCHA.
259
- * **(v.2)** CHANGED: [HTTP Security Headers](http://icwp.io/7b) module is enabled by default on new installs.
260
- * **(v.1)** FIXED: Nasty bug that caused an infinite loop bug in some configurations.
261
- * **(v.0)** ADDED: Per-site plugin statistics gathering - summary display on admin dashboard.
262
- * **(v.0)** ADDED: HTML class to the "I'm a human" checkbox field.
263
- * **(v.0)** ADDED: Ability to change minimum user role for login notification emails with use of `add_filter()`. See FAQs.
264
- * **(v.0)** REMOVED: Option 'Prevent Remote Login' causes more trouble with than it's worth with too many hosting configurations.
265
- * **(v.0)** CHANGED: For websites that don't run WP Crons correctly, added code for automatic database cleaning.
266
- * **(v.0)** CLEANED: Removed Twig render code as it was never being used.
267
-
268
- = 5.3 Series =
269
-
270
- * **(v.2)** IMPROVED: [HTTP Security Headers](http://icwp.io/7b) Content Security Policy now supports specifying HTTPS for domains/hosts.
271
- * **(v.2)** FIXED: Human Comment SPAM Feature didn't fire under certain circumstances.
272
- * **(v.2)** FIXED: Fixed parsing of Human Comment SPAM dictionary words.
273
- * **(v.1)** TRANSLATIONS: Dutch (32%)
274
- * **(v.0)** ADDED: New Feature - [HTTP Security Headers](http://icwp.io/7b).
275
- * **(v.0)** FIXED: Prevent renaming WP Login to "/login"
276
-
277
- = 5.2 Series =
278
-
279
- * **(v.0)** ADDED: Guard against core file scanner and automatic WordPress updates clashing.
280
- * **(v.0)** CHANGED: Logic for brute force login checking is improved - they all run before username/password checking
281
- * **(v.0)** FIXED: Certain older versions of PHP don't like combined IPv4 and IPv6 filter flags
282
- * **(v.0)** FIXED: Google reCAPTCHA for WordPress sites that have restrictive settings for sockets etc.
283
- * **(v.0)** REMOVED: [Plugin vulnerabilities scanner](http://icwp.io/75). It's out-of-date and unsuitable.
284
-
285
- = 5.1 Series =
286
-
287
- * **(v.0)** FIXED: Improved compatibility with bbPress.
288
- * **(v.0)** CHANGED: Optimizations around options and definitions (storing fewer options data)
289
- * **(v.0)** CHANGED: Improved styling and responsiveness of plugin badge.
290
- * **(v.0)** ADDED: Ability to programmatically export/import options - further preparation for iControlWP+Shield integration.
291
- * **(v.0)** FIXED: Issue where Core automatic updates would fail, but notification email was sent anyway
292
-
293
- = 5.0 Series =
294
-
295
- * **(v.3)** FIXED: Issue with setting session cookies with PHP 7
296
- * **(v.2)** FIXED: [Rename WordPress Login URL](http://icwp.io/5s) bug
297
- * **(v.2)** CHANGED: reCAPTCHA text usage corrected throughout plugin.
298
- * **(v.1)** CHANGED: Removed the whole 'wp-content' directory from the [Core File Scanner](http://icwp.io/wpsf40) feature.
299
- * **(v.1)** CHANGED: A WordPress filter to change the plugin badge text content (see FAQ)
300
- * **(v.1)** CHANGED: Tweaked the plugin badge styling.
301
- * **(v.1)** CHANGED: All emails sent by the plugin contain the name of the site and the current plugin version in the email footer.
302
- * **(v.1)** ADDED: In-plugin links to blogs and info articles for Google ReCaptcha and [Google Authenticator](http://icwp.io/wpsf43)
303
- * **(v.0)** NEW: WordPress Simple Firewall plugin has been re-branded and is called **Shield**
304
- * **(v.0)** ADDED: NEW feature - [Google ReCaptcha](http://icwp.io/shld2) for Comment SPAM and Login protection.
305
- * **(v.0)** ADDED: Support for this plugin is now Premium. Added Premium Support page that links to Helpdesk.
306
- * **(v.0)** CHANGED: Refactor of comment spam code.
307
- * **(v.0)** CHANGED: Core File Scanner now handles the odd Hungarian distribution.
308
-
309
- = 4.17 Series =
310
- *Released: 17th February, 2016*
311
-
312
- * **(v.0)** ADDED: NEW feature - [Google Authenticator Login option](http://icwp.io/wpsf43).
313
- * **(v.0)** ADDED: [Core File Scanner](http://icwp.io/wpsf40) now includes an automatic link to repair files (you must be logged in as admin for this link to work!).
314
- * **(v.0)** ADDED: NEW - if you already have a logged-in session and you open the login screen, you'll be provided with a link to go straight to the admin area.
315
- * **(v.0)** CHANGED: Email-based Two-Factor Authentication is now stateless/session-less - it will not check validity per-page load.
316
- * **(v.0)** CHANGED: Changes to the email-based authentication system - now only 1 option and it no longer locks to IP or browser.
317
- * **(v.0)** CHANGED: Various efficiency improvements including reduced SQL updates.
318
- * **(v.0)** CHANGED: Email system is improved and now send emails from the default WordPress sender. This may be [changed with filter](https://icontrolwp.freshdesk.com/support/solutions/articles/3000048723).
319
-
320
- = 4.16 Series =
321
- *Released: 20th January, 2016*
322
-
323
- * **(v.2)** CHANGED: Further changes and improvements to the [Core File Scanner](http://icwp.io/wpsf40).
324
- * **(v.2)** CHANGED: Improvements to the [automatic black list system](http://icwp.io/wpsf27) for failed login attempts.
325
- * **(v.2)** TRANSLATIONS: Turkish (100%)
326
- * **(v.1)** CHANGED: Improved the contents of the [Core File Scanner](http://icwp.io/wpsf40) notification email with links to original source files.
327
- * **(v.1)** CHANGED: Now also excluding the /wp-content/languages/ directory since translations may update independently.
328
- * **(v.1)** CHANGED: Handles the special case of [old index.php files](https://wordpress.org/support/topic/problem-with-checksum-hashes)
329
- * **(v.0)** ADDED: Feature: [Automatically scans WordPress Core files](http://icwp.io/wpsf40) and detects alterations from the default WordPress Core File data
330
- * **(v.0)** ADDED: Feature: to automatically attempt to repair/replace WordPress Core files that are discovered which have been altered.
331
- * **(v.0)** ADDED: Option to toggle the [Plugin Vulnerabilities cron](http://icwp.io/wpsf41).
332
- * **(v.0)** ADDED: Two-Factor Authentication links now honour the WordPress 'redirect_to' parameter.
333
-
334
- = 4.15 Series =
335
- *Released: 6th January, 2016*
336
-
337
- * **(v.0)** ADDED: New and updated Firewall rules as well as a new 'Aggressive' option that looks for additional request data. Disabled by default, but may cause an increase in false positives.
338
- * **(v.0)** CHANGED: Improved and optimized Firewall processing.
339
- * **(v.0)** FIXED: [Issue](https://github.com/FernleafSystems/wp-simple-firewall/issues/3) where automatic update notification emails are sent out without any update notices (probably due to failed updates).
340
- * **(v.0)** FIXED: Small conflict with WP Login Rename and other security plugins.
341
- * **(v.0)** TRANSLATIONS: Czech (91%), Finnish (98%), Turkish (98%).
342
-
343
- = 4.14 Series =
344
- *Released: 20th November, 2015*
345
-
346
- * **(v.2)** ADDED: User notice message displayed when the 'Theme My Login' plugin is active and you try to rename your login URL - It is not compatible.
347
- * **(v.1)** ADDED: Added WordPress filter option to specify URL instead of present a 404 when Rename WP Login is active. [more info](https://icontrolwp.freshdesk.com/solution/articles/3000044812)
348
- * **(v.1)** ADDED: Added 'Unique Plugin Installation ID' to be utilized in the future.
349
- * **(v.1)** FIXED: WordPress Comments bug where some comments didn't pass through the SPAM filters in a certain scenario.
350
- * **(v.0)** ADDED: [Custom Automatic Update Notifications Email](http://icwp.io/wpsf33) that runs separately to the in-built WordPress core notification email.
351
- * **(v.0)** ADDED: Filter to remove the admin area IP address footer text
352
- * **(v.0)** CHANGED: Added native support for PayPal return links - whitelisting "verify_sign" parameter.
353
- * **(v.0)** CHANGED: Tweak patterns for matching on 'WordPress terms'.
354
- * **(v.0)** TRANSLATIONS: Danish (100%), Czech (92%), Turkish (92%), Finnish (88%),
355
- * **(v.0)** FIXED: Small bugs and readying for WordPress 4.4
356
-
357
- = 4.13 Series =
358
- *Released: 22nd October, 2015*
359
-
360
- * **(v.0)** NEW: Added option to block the modification, addition/promotion and deletion of WordPress administrators users within the 'Security Admin' module.
361
- * **(v.0)** NEW: Renamed 'Admin Access' module to 'Security Admin'.
362
- * **(v.0)** CHANGED: Simplified and consolidated the use of cookies for User Session - sets and removes cookies better to reduce their usage.
363
- * **(v.0)** CHANGED: Simplified and consolidated the use of cookies for Two Factor Login Authentication.
364
- * **(v.0)** CHANGED: Cleaned up some Comment SPAM filtering code.
365
- * **(v.0)** CHANGED: Comments Filter doesn't use cookies unless a session cookie for the visitor already exists.
366
- * **(v.0)** CHANGED: IP Manager Automatic Black List - default black list duration is now 1 minute & default transgressions limit is 10
367
- * **(v.0)** CHANGED: Improvements to the database create queries: use MySQL Engine defaults (instead of MyISAM); use WordPress dbDelta() for updates.
368
- * **(v.0)** CHANGED: Various code optimizations and cleaning.
369
-
370
- = 4.12 Series =
371
- *Released: 10th October, 2015*
372
-
373
- * **(v.0)** NEW: Option to completely disable the XML-RPC system. [more info](http://icwp.io/wpsf31)
374
- * **(v.0)** CHANGED: Logged-in users are automatically forwarded to the WordPress admin only if they are Administrators.
375
-
376
- = 4.11 Series =
377
- *Released: 5th October, 2015*
378
-
379
- * **(v.0)** NEW: Ability to now completely block the update/changing of certain WordPress site options. [more info](http://icwp.io/wpsf30)
380
- * **(v.0)** FIXED: Various small bugs with the IP Manager UI ajax.
381
- * **(v.0)** FIXED: Uncaught PHP Exception when a site's hosting isn't properly configured to handle IPv6 addresses.
382
- * **(v.0)** TRANSLATIONS: Danish - 57%, Czech - 100%, Finnish - 94%
383
-
384
- = 4.10 Series =
385
- *Released: 23rd August, 2015*
386
-
387
- * **(v.4)** REFACTOR: Notifications system is more reliable and most notices can be hidden/closed (at least for the current page load as some notices are persistent).
388
- * **(v.4)** REMOVED: The old manual black list option has been completely removed - in favour of the automatic black list system.
389
- * **(v.4)** CHANGED: Revised the order of certain hooks being created to avoid the possibility of pluggable.php not being loaded for PHP Shutdown.
390
- * **(v.4)** CHANGED: The presence of IP addresses in the IP Whitelist will force the IP Manager feature to be enabled.
391
- * **(v.4)** CHANGED: We now make an attempt to prevent the caching of WordPress wp_die() pages that we generate. (compatible with at least W3TC, Super Cache)
392
- * **(v.4)** TRANSLATIONS: Turkish - 100%, Danish - 3%
393
-
394
- * **(v.3)** FIXED: Another PHP 5.2 incompatibility.
395
- * **(v.2)** ADDED: White Listing UI to the IP Manager - CIDR ranges are supported (also automatically migrates IPs, except ranges, from legacy to new)
396
- * **(v.2)** ADDED: Returned the black marking of failed WP login attempts to the automatic black list system
397
- * **(v.2)** ADDED: Using a 3rd party API service: [ipify.org](https://www.ipify.org/) - to find the server's own IP address so we can ensure it's not used in the black lists
398
- * **(v.2)** CHANGED: AJAX calls are handled more robustly with actual error messages where possible.
399
- * **(v.2)** FIXED: A few black list processing bugs.
400
-
401
- * **(v.1)** ADDED: UI to view and remove IP address from Automatic Black List Engine.
402
- * **(v.1)** FIX: Removed transgression counting on failed logins - WP data is inconsistent.
403
- * **(v.1)** CHANGED: Original legacy white list now takes priority over new auto black list
404
- * **(v.1)** CHANGED: Default transgressions limit is now 7
405
- * **(v.1)** ADDED: Ability to reset plugin options to default using 'reset' flag file. [more info](http://icwp.io/wpsf28)
406
- * **(v.0)** NEW FEATURE: 'FABLE' - [Fully Automatic Black Listing Engine](http://icwp.io/wpsf27).
407
-
408
- Simply put, FABLE will automatically block all malicious traffic by IP, based on their activity. This Security Plugin will track malicious behaviour
409
- and count all transgressions that visitors make against the site. Once a particular visitor exceeds the specified number transgressions, FABLE
410
- will outright block any access they have to your WordPress site.
411
-
412
- What makes the FABLE system better?
413
-
414
- * Hands Free - Automatic. No more need for maintaining manual black lists.
415
- * Loads first before other plugins.
416
- * Automatic pruning. Based on expiration time you specify, older IP address will be removed.
417
- * Increased Performance. With automatic pruning, IP look-up tables remain small and concise so page load times for legitimate visitors is minimally affected.
418
- * Adaptive. It wont just block based on 1 misdemeanour - instead you may allow any given visitor grace to legitimately get things wrong (like login passwords).
419
- * Intelligent. With an fully integrated plugin such as this, it uses login failure attempts, spam comment attempts, login brute force attempts to capture malicious visitors.
420
-
421
- Which actions will trigger an ABLE transgression?
422
-
423
- * Attempt to login with an invalid username/password combination
424
- * Any attempt to login while the login cooldown system is in-effect
425
- * Any login attempt that trips the GASP Login protection system
426
- * Any login attempt with a username that doesn't exist
427
- * Any attempt to access /wp-admin/, /login/, or wp-login.php while the Rename WP Login setting is active
428
- * Any comment that gets labelled as SPAM by the plugin
429
- * Failed attempt to authenticate with the plugin's Admin Access Protection module
430
- * Any trigger of a Firewall block rule
431
-
432
- = 4.9 Series =
433
- *Released: 7th July, 2015*
434
-
435
- * **(v.8)** CHANGED: Firewall, User Sessions and Lockdown Feature Modules are now enabled by default for new installations.
436
- * **(v.8)** FIX: Some server email programs can't handle colons (:) in the email subject (because supporting all characters would be waaay too radical man).
437
- * **(v.8)** ADDED: Function to better get the WordPress home URL to prevent interference from other plugins.
438
- * **(v.8)** CHANGED: Updated Text For [Author Scan Block](http://icwp.io/6e) feature.
439
- * **(v.7)** CHANGED: How author query blocking works to be more reliable and stricter - only runs when users are not logged in, and it will DIE instead of redirect.
440
- * **(v.6)** ADDED: New Option: prevent detection of usernames using the ?author=N query. (location under section: Lockdown -> Obscurity)
441
- * **(v.6)** FIXED: Infinite redirect loop logic prevents redirect for rejected comment SPAM that's posted in bulk. This results in email notifications for spam comments.
442
- * **(v.5)** ADDED: The plugin will load itself first before all other plugins
443
- * **(v.5)** FIXED: No longer using parse_url() to determine the request URL as it's too inconsistent and unreliable.
444
- * **(v.4)** FIX: Audit Trail Viewer display issue with non-escaped HTML (Thanks Chris!)
445
- * **(v.4)** ADDED: An admin warning for sites with PHP version less than 5.3.2 (future versions will require this as a minimum)
446
- * **(v.4)** TRANSLATIONS: Danish - 6%, Spanish - 76%
447
- * **(v.3)** ADDED: Further checking for availability of certain PHP/server data before enabling the rename WordPress login feature
448
- * **(v.3)** ADDED: Option to add the Plugin Badge as a Widget to your side-bar or page footer, or any other widget area.
449
- * **(v.3)** TRANSLATIONS: Polish - 100%
450
- * **(v.2)** ADDED: Email notifications sent out to report email address on a daily cron. [more info](https://www.icontrolwp.com/2015/07/plugin-vulnerability-email-notifications/)
451
- * **(v.2)** FIX: Work around a WordPress inline plugin update Javascript bug.
452
- * **(v.1)** FIX: Fix syntax support for earlier versions of PHP.
453
- * **(v.0)** FEATURE: Plugin Vulnerabilities Detection: If you're running plugins with known vulnerabilities you will be warned - [more info](http://icwp.io/wpsf22)
454
-
455
- = 4.8 Series =
456
- *Released: 21st June, 2015*
457
-
458
- * **(v.0)** FEATURE: Admin Access Restriction Areas - Restrict access to certain WordPress areas and functionality to **Administrators** with the Admin Access key.
459
- * **(v.0)** ADDED: Admin Access Restriction Area - Plugins. You can now restrict access to certain Plugin actions - activate, install, update, delete.
460
- * **(v.0)** ADDED: Admin Access Restriction Area - Themes. You can now restrict access to certain Theme actions - activate, install, update, delete.
461
- * **(v.0)** ADDED: Admin Access Restriction Area - Pages/Post. You can now restrict access to certain Page/Post actions - Create/Edit, Publish, Delete.
462
-
463
- = 4.7 Series =
464
- *Released: 29th April, 2015*
465
-
466
- * **(v.7)** FIXED: The text used to explain why some comments were marked as spam was broken.
467
- * **(v.7)** FIXED: Group sign-up form now honours your SSL setting.
468
- * **(v.7)** TRANSLATIONS: Spanish - 74%, Russian - 91%, Turkish - 94%, Polish- 95%, Finnish - 100%
469
- * **(v.6)** FIXED: Verifying ability to send/receive email doesn't complete if Admin Access Protection is turned on.
470
- * **(v.6)** FIXED: GASP Login Protection feature breaks because certain key options aren't initialized when the feature is enabled.
471
- * **(v.6)** FIXED: Some "more info" links were empty.
472
- * **(v.4)** ADDED: Email Sending Verification when enabling two-factor authentication - this ensures your site can send (and you can receive) emails.
473
- * **(v.4)** ADDED: Section Summaries - each option tab contains a small text summary outlining the purpose and recommendation for each.
474
- * **(v.4)** CHANGED: The Admin Access Key input is now a password field.
475
- * **(v.4)** CHANGED: Custom Login URL now works with or without trailing slash.
476
- * **(v.4)** CHANGED: Streamlining and improvement of PHP UI templates
477
- * **(v.4)** ADDED: Implemented TWIG for templates (not yet activated)
478
- * **(v.4)** TRANSLATIONS: Romanian (100%), Spanish-Spain (63%)
479
- * **(v.3)** ADDED: Integrated protection against 2x RevSlider vulnerabilities (Local File Include and Arbitrary File Upload)
480
- * **(v.3)** CHANGED: Reverted the addition of Permalinks/Rewrite rules flushing, in case this is a problem for some.
481
- * **(v.2)** UPDATED/FIX: Major fixes and improvements to the rename wp-login.php feature.
482
- * **(v.2)** TRANSLATIONS: Mexican-Spanish (61%), Arabic (38%)
483
- * **(v.1)** FIX: Silence warnings from filesystem touch() command.
484
- * **(v.1)** TRANSLATIONS: Polish (100%), Finnish (100%), Czech (73%), Arabic (34%)
485
- * **(v.0)** UPDATED: Options page user interface re-design.
486
- * **(v.0)** FIX: Audit trail time now reflects the user's timezone correctly.
487
- * **(v.0)** FIX: Better compatibility with BBPress.
488
- * **(v.0)** UPDATED: Underlying plugin code improvements.
489
- * **(v.0)** TRANSLATIONS: Russian (100%), Czech (70%), Polish (97%)
490
-
491
- = 4.6 Series =
492
- *Released: 10th April, 2015*
493
-
494
- * **(v.3)** SECURITY: Added protection against XSS vulnerability in WordPress comments. [Learn More](http://icwp.io/63) - Note: This is not a vulnerability with the Firewall plugin.
495
- * **(v.3)** SECURITY: Added extra precautions to WordPress URL redirects. [Learn More](http://icwp.io/64).
496
- * **(v.3)** TRANSLATIONS: Russian (70%), Czech (67%)
497
- * **(v.2)** FIX: Bug with the database table verification logic.
498
- * **(v.2)** TRANSLATIONS: Russian (New- 54%), Romanian (100%), Turkish (89%), Czech (53%)
499
- * **(v.1)** FIX: XMLRPC compatibility logic was preventing other non-XMLRPC related code from running.
500
- * **(v.1)** UPDATED: Plugin Badge styling
501
- * **(v.1)** UPDATED: Updated Czech(41%) and Spanish (60%) translations
502
- * **(v.0)** ADDED: New feature that displays the last login time for all users on the users listing page (User Management feature must be enabled).
503
- * **(v.0)** ADDED: **Completely optional** promotional Plugin Badge option - help us promote the plugin and reassure your site visitors at the same time. [Learn More](http://icwp.io/5x)
504
- * **(v.0)** UPDATED: Updated Czech(38%) translations
505
-
506
- = 4.5 Series =
507
- *Released: 6th March, 2015*
508
-
509
- * **(v.5)** CHANGED: Updated Finnish (100%), Czech (16%) translations
510
- * **(v.5)** CHANGED: Change logs now more clearly display changes between versions
511
- * **(v.5)** FIX: Small translation coverage
512
- * **(v.4)** ADDED: New and updated language translations including Polish (100%), Finnish
513
- * **(v.4)** FIX: Better string translation coverage for menus etc.
514
- * **(v.3)** ADDED: New and updated language translations including Polish, Czech and German
515
- * **(v.3)** CHANGED: Only set the plugin cookie if necessary
516
- * **(v.2)** CHANGED: Attempt to resolve DB errors related to transient options reported on WP Engine
517
- * **(v.1)** ADDED: New feature- GASP Login Protection can now be applied to lost password form - enabled by default
518
- * **(v.0)** ADDED: New feature- GASP Login Protection can now be applied to user registrations - enabled by default
519
-
520
- = 4.4 Series =
521
- *Released: 21st February, 2015*
522
-
523
- * **(v.2)** ADDED: Romanian Translation.
524
- * **(v.2)** ADDED: A plugin minimum-requirements processing system.
525
- * **(v.2)** IMPROVED: The WordPress admin-UI code is simpler and cleaner.
526
- * **(v.1)** ADDED: **Significant** performance enhancement in plugin loading times (up to 50% reduction).
527
- * **(v.0)** CHANGED: The 'Prevent Remote Login' option now tries to detect web hosting server compatibility before allowing it to be enabled.
528
- * **(v.0)** CHANGED: More lax in finding the 'forceOff' file when users are trying to turn off the firewall.
529
- * **(v.0)** CHANGED: Parsing the URL no longer outputs warnings that might interfere with response headers.
530
-
531
- = 4.3 Series =
532
- *Released: 15th January, 2015*
533
-
534
- * **(v.6)** FIXES: More thorough validation of whitelisted IP addresses
535
- * **(v.5)** FIXES: Some hosting environments need absolute file paths for PHP include()/require()
536
- * **(v.5)** CHANGED: Streamlined the detection of whitelisting and added in-plugin notification if **you** are whitelisted
537
- * **(v.4)** FIXES: Work around for cases where PHP can't successfully run parse_url()
538
- * **(v.2)** IMPROVED: Refactoring for better code organisation
539
- * ADDED: New Feature - [Rename WP Login Page](http://icwp.io/5s).
540
- * ADDED: UI indicators on whether plugins will be automatically updated in the plugins listing.
541
- * CHANGED: IP Address WhiteList is now global for the whole plugin, and can be accessed under the "Dashboard" area
542
- * IMPROVED: Firewall processing code is simplified and more efficient.
543
-
544
- = 4.2.1 =
545
- *Released: 22th December, 2014*
546
-
547
- * FIXED: Changes to how feature specifications are read from disk to prevent .tmp file build up.
548
-
549
- = 4.2.0 =
550
- *Released: 12th December, 2014*
551
-
552
- * ADDED: Audit Trail Auto Cleaning - default cleans out entries older than 30 days.
553
- * FIXED: Various small bug fixes and code cleaning.
554
-
555
- = 4.1.4 =
556
- *Released: 24th November, 2014*
557
-
558
- * FIXED: Fixed small logic bug which prevented deactivation of the plugin on the UI.
559
-
560
- = 4.1.3 =
561
- *Released: 19th November, 2014*
562
-
563
- * IMPROVED: User Sessions are simplified.
564
- * UPDATED: a few translation files based on the latest available contributions.
565
-
566
- = 4.1.2 =
567
-
568
- * ADDED: Self-correcting database table validation - if the structure of a database table isn't what is expected, it'll be re-created.
569
-
570
- = 4.1.1 =
571
-
572
- * WARNING: Due to new IPv6 support, all databases tables will be rebuilt - all active user sessions will be destroyed.
573
- * ADDED: Preliminary support for IPv6 addresses throughout. We don't support whitelist ranges but IPv6 addresses are handled much more reliably in general.
574
- * ADDED: New audit trail concept added called "immutable" that represents entries that will never be deleted - such entries would usually involve actions taken on the audit trail itself.
575
- * FIXED: Support for audit trail events with longer names.
576
- * IMPROVED: Comments Filtering - It now honours the WordPress settings for previously approved comment authors and never filters such comments.
577
- * REMOVED: Option to enable GASP Comments Filtering for logged-in users has been completely removed - this reduces plugin options complexity. All logged-in users by-pass **all** comments filtering.
578
- * FIXED: Prevention against plugin redirect loops under certain conditions.
579
- * FIXED: IP whitelisting wasn't working under certain cases.
580
-
581
- = 4.0.0 =
582
-
583
- * ADDED: New Feature - Audit Trail
584
- * ADDED: Audit Trail options include: Plugins, Themes, Email, WordPress Core, Posts/Pages, Shield plugin
585
- * FIXED: Full and proper cleanup of plugin options, crons, and databases upon deactivation.
586
- * REMOVED: Firewall Log. This is no longer an option and is instead integrated into the "Shield" Audit Trail.
587
-
588
- = 3.5.5 =
589
-
590
- * ADDED: Better admin notifications for events such as options saving etc.
591
- * CHANGE: Some plugin styling to highlight features and options better.
592
- * FIXED: Small bug with options default values.
593
-
594
- = 3.5.3 =
595
-
596
- * ADDED: A warning message on the WordPress admin if the "forceOff" override is active.
597
- * CHANGED: The 'forceOff' system is now temporary - i.e. it doesn't save the configuration, and so once this file is removed, the plugin returns to the settings specified.
598
- * CHANGED: The 'forceOn' option is now removed.
599
- * FIXED: Problems with certain hosting environments reading in files with the ".yaml" extension - [support ref](https://wordpress.org/support/topic/yaml-breaks-plugin)
600
- * FIXED: Small issue where when the file system paths change, some variables don't update properly.
601
-
602
- = 3.5.0 =
603
-
604
- * CHANGED: Plugin features are now configured [using YAML](https://github.com/mustangostang/spyc/) - no more in-PHP configuration.
605
- * REMOVED: A few options from User Sessions Management as they were unnecessary.
606
- * CHANGED: Database storing tables now have consistent naming.
607
- * FIXED: Issue with User Sessions Management where '0' was specified for session length, resulting in lock out.
608
- * FIXED: Firewall log gathering.
609
- * FIXED: Various PHP warning notices.
610
-
611
- = 3.4.0 =
612
-
613
- * ADDED: Option to limit number of simultaneous sessions per WordPress user login name (User Management section)
614
-
615
- = 3.3.0 =
616
-
617
- * ADDED: Option to send notification when an administrator user logs in successfully (under User Management menu).
618
- * CHANGED: Refactoring for how GET and POST data is retrieved
619
-
620
- = 3.2.1 =
621
-
622
- * FIXED: Custom Comment Filter message problem when using more than one substitution. [ref](http://wordpress.org/support/topic/warning-sprintf-too-few-arguments-in-hometnrastropublic_htmlwpwp-conten?replies=8#post-5927337)
623
-
624
- = 3.2.0 =
625
-
626
- * ADDED: Options to allow by-pass XML-RPC so as to be compatible with WordPress iPhone/Android apps.
627
- * UPDATED: Login screen message when you're forced logged-out due to 2-factor auth failure on IP or cookie.
628
- * CHANGED: Tweaked method for setting admin access protection on/off
629
- * CHANGED: comment filtering code refactoring.
630
- * FIXED: Options that were "multiple selects" weren't saving correctly
631
-
632
- = 3.1.5 =
633
-
634
- * FIX: Where some comments would fail GASP comment token checking.
635
-
636
- = 3.1.4 =
637
-
638
- * FIX: Logout URL parameters are now generated correctly so that the correct messages are shown.
639
- * CHANGED: small optimizations and code refactoring.
640
- * UPDATED: a few translation files based on the latest available contributions.
641
-
642
- = 3.1.3 =
643
-
644
- * FIX: issue with login cooldown timeouts not being updated where admin access restriction is in place.
645
-
646
- = 3.1.2 =
647
-
648
- * FIX: auto-updates feature not loading
649
- * FIX: simplified implementation of login protection feature to reduce possibility for bugs/lock-outs
650
- * FIX: auto-forwarding for wp-login.php was preventing user logout
651
-
652
- = 3.1.0 =
653
-
654
- * ADDED: option to check the logged-in user session only on WordPress admin pages (now the default setting)
655
- * ADDED: option to auto-forward to the WordPress dashboard when you go to wp-login.php and you're already logged in.
656
- * ADDED: message to login screen when no user session is found
657
- * CHANGED: does not verify session when performing AJAX request. (need to build appropriate AJAX response)
658
- * FIX: for wp_login action not passing second argument
659
-
660
- = 3.0.0 =
661
-
662
- * FEATURE: User Management. Phase 1 - create user sessions to track current and attempted logged in users.
663
- * CHANGED: MASSIVE plugin refactoring for better performance and faster, more reliable future development of features
664
- * ADDED: Obscurity Feature - ability to remove the WP Generator meta tag.
665
- * ADDED: ability to change user login session length in days
666
- * ADDED: ability to set session idle timeout in hours
667
- * ADDED: ability to lock session to a particular IP address (2-factor auth by IP is separate)
668
- * ADDED: ability to view active user sessions
669
- * ADDED: ability to view last page visited for active sessions
670
- * ADDED: ability to view last active time for active sessions
671
- * ADDED: ability to view failed or attempted logins in the past 48hrs
672
- * ADDED: Support for GASP login using WooCommerce
673
- * CHANGED: Admin Access Restriction now has a separate options/feature page
674
- * CHANGED: Admin styling to better see some selected options
675
- * ADDED: Support for WP Wall shoutbox plugin (does no GASP comment checks)
676
- * CHANGED: Removed support for upgrading from versions prior to 2.0
677
- * CHANGED: Removed support for importing from Firewall 2 plugin - to import, manually install plugin v2.6.6, import settings, then upgrade.
678
-
679
- = 2.6.6 =
680
-
681
- * FIX: Improved compatibility with bbPress.
682
-
683
- = 2.6.5 =
684
-
685
- * FIX: Could not enable Admin Access Protection feature on new installs due to too aggressive testing on security.
686
-
687
- = 2.6.4 =
688
-
689
- * ENHANCED: Dashboard now shows a more visual summary of settings and removes duplicate options settings with links to sections.
690
- * ENHANCED: WordPress Lock Down options now also set the corresponding WordPress defines if they're not already.
691
-
692
- = 2.6.3 =
693
-
694
- * ADDED: More in-line plugin links to help/blog resources
695
- * ENHANCED: [Admin Access Protection](http://icwp.io/5b) is further enhanced in 3 ways:
696
-
697
- 1. More robust cookie values using MD5s
698
- 1. Blocks plugin options updating right at the point of WordPress options update so nothing can rewrite the actual plugin options.
699
- 1. Locks the current Admin Access session to your IP address - effectively only 1 Shield admin allowed at a time.
700
-
701
- = 2.6.2 =
702
-
703
- * ENHANCED: Added option to completely reject a SPAM comment and redirect to the home page (so it doesn't fill up your database with rubbish)
704
- * ADDED: Plugin now has an internal stats counter for spam and other significant plugin events.
705
-
706
- = 2.6.1 =
707
-
708
- * ADDED: Plugin now installs with default SPAM blacklist.
709
- * ADDED: Now automatically checks and updates the SPAM blacklist when it's older than 48hrs.
710
- * ENHANCED: Comment messages indicate where the SPAM content was found when marking human-based spam messages.
711
-
712
- = 2.6.0 =
713
-
714
- **Major Features Release: Please review SPAM comments filtering options to determine where SPAM goes**
715
-
716
- * FEATURE: Added Human SPAM comments filtering - replacement for Akismet that doesn't use or send any data to 3rd party services. Uses [Blacklist provided and maintained by Grant Hutchinson](https://github.com/splorp/wordpress-comment-blacklist)
717
- * ENHANCED: Two-Factor Login now automatically logs in the user to the admin area without them having to re-login again.
718
- * ENHANCED: Added ability to terminate all currently (two-factor) verified logins.
719
- * ENHANCED: Spam filter/scanning adds an explanation to the SPAM content to show why a message was filtered.
720
- * FIXES: For PHP warnings while in php strict mode.
721
- * CLEAN: Much cleaning up of code.
722
-
723
- = 2.5.9 =
724
-
725
- * FEATURE: Added option to try and exclude search engine bots from firewall checking option - OFF by default.
726
-
727
- = 2.5.8 =
728
-
729
- * FEATURE: Added 'PHP Code' Firewall checking option.
730
-
731
- = 2.5.7 =
732
-
733
- * IMPROVED: Handling and logic of two-factor authentication and user roles/levels
734
-
735
- = 2.5.6 =
736
-
737
- * FEATURE: Added ability to specify the particular WordPress user roles that are subject to 2-factor authentication. (Default: Contributors, Authors, Editors and Administrators)
738
-
739
- = 2.5.5 =
740
-
741
- * FEATURE: Added 'Lockdown' feature to force login to WordPress over SSL.
742
- * FEATURE: Added 'Lockdown' feature to force WordPress Admin dashboard to be delivered over SSL.
743
- * FIX: Admin restricted access feature wasn't disabled with the "forceOff" option.
744
-
745
- = 2.5.4 =
746
-
747
- * FIX: How WordPress Automatic/Background Updates filters worked was changed with WordPress 3.8.2.
748
-
749
- = 2.5.3 =
750
-
751
- * UPDATED: Translations. And confirmed compatibility with WordPress 3.9
752
-
753
- = 2.5.2 =
754
-
755
- * FEATURE: Option to Prevent Remote Posting to the WordPress Login system. Will check that the login form was submitted from the same site.
756
-
757
- = 2.5.1 =
758
-
759
- * UPDATED: Translations and added some partials (Catalan, Persian)
760
- * FIX: for cleanup cron running on non-existent tables.
761
-
762
- = 2.5.0 =
763
-
764
- * FEATURE: Two-Factor Authenticated Login using [Yubikey](http://icwp.io/4i) One Time Passwords (OTP).
765
-
766
- = 2.4.3 =
767
-
768
- * ADDED: Translations: Spanish, Italian, Turkish. (~15% complete)
769
- * UPDATED: Hebrew Translations (100%)
770
-
771
- = 2.4.2 =
772
-
773
- * ADDED: Contextual help links for many options. More to come...
774
- * ADDED: More Portuguese (Brazil) translations (~80%)
775
-
776
- = 2.4.1 =
777
-
778
- * ADDED: More strings to the translation set for better multilingual support
779
- * ADDED: Portuguese (Brazil) translations (~40%)
780
- * UPDATED: Hebrew Translations
781
- * FIXED: Automatic cleaning of database logs wasn't actually working as expected. Should now be fixed.
782
-
783
- = 2.4.0 =
784
-
785
- * NEW: Option to enable Two-Factor Authentication based on Cookie. In this way you can tie a user session to a single browser.
786
- * FIX: Better WordPress Multisite (WPMS) Support.
787
-
788
- = 2.3.4 =
789
-
790
- * FIX: Automatic updating of itself.
791
-
792
- = 2.3.3 =
793
-
794
- * ADDED: Hebrew Translations. Thanks [Ahrale](http://atar4u.com)!
795
- * ADDED: Automatic trimming of the Firewall access log to 7 days - it just grows too large otherwise.
796
- * FIX: The previously added automatic clean up of old comments and login protect database entries was wiping out the valid login protect
797
- entries and was forcing users to re-login every 24hrs.
798
- * FIX: Some small bugs, errors, and PHPDoc Comments.
799
-
800
- = 2.3.2 =
801
-
802
- * ADDED: Automatic cleaning of GASP Comments Filter and Login Protection database entries (older than 24hrs) using WordPress Cron (everyday @ 6am)
803
- * CHANGED: Huge code refactoring to allow for more easily use with other WordPress plugins.
804
-
805
- = 2.2.5 =
806
-
807
- * ADDED: Email sending options for automatic update notifications - options to change the notification email address, or turn it off completely.
808
-
809
- = 2.2.4 =
810
-
811
- * FIX: Small bug fix.
812
- * CHANGED: When running a force automatic updates process, tries to remove influence from other plugins and uses only this plugin's automatic updates settings.
813
- * CHANGED: A bit of automatic updates code refactoring.
814
-
815
- = 2.2.2 =
816
-
817
- * CHANGED: Changed all options to be disabled by default.
818
- * CHANGED: The option for admin notices will turn off all main admin notices except after you update options.
819
-
820
- = 2.2.1 =
821
-
822
- * ADDED: Verified compatibility with WordPress 3.8
823
-
824
- = 2.2.0 =
825
-
826
- * CHANGED: Certain filesystem calls are more compatible with restrictive hosting environments.
827
- * CHANGED: Plugin is now ready to integate with [iControlWP automatic background updates system](http://www.icontrolwp.com/2013/11/manage-wordpress-automatic-background-updates-icontrolwp/).
828
- * FIX: Login Protection Cooldown feature may not operate properly in certain scenarios.
829
-
830
- = 2.1.5 =
831
-
832
- * IMPROVED: Improved logic for Firewall whitelisting for pages and parameters to ensure whitelisting rules are followed.
833
- * CHANGED: The whitelisting rule for posting pages/posts is only for the "content" and the firewall checking will apply to all other page parameters.
834
-
835
- = 2.1.4 =
836
-
837
- * FIX: When you run the Force Automatic Background Updates, it disables the plugins. This problem is now fixed.
838
-
839
- = 2.1.2 =
840
-
841
- * FIX: A bug that prevented auto-updates of this plugin.
842
- * FIX: Not being able to hide translations and upgrade notices.
843
- * ADDED: Tweaks to auto-update feature to allow interfacing with the iControlWP service to customize the auto update system.
844
-
845
- = 2.1.0 =
846
-
847
- * ADDED: A button that lets you run the WordPress Automatic Updates process on-demand (so you don't have to wait for WordPress cron).
848
- * CHANGED: The plugin now sets more options to be turned on by default when the plugin is first activated.
849
- * CHANGED: A lot of optimizations and code refactoring.
850
-
851
- = 2.0.3 =
852
-
853
- * FIX: Whoops, sorry, accidentally removed the option to toggle "disable file editing". It's back now.
854
-
855
- = 2.0.2 =
856
-
857
- * CHANGED: WordPress filters used to programmatically update whitelists now update the Login Protection IP whitelist
858
-
859
- = 2.0.1 =
860
-
861
- * ADDED: Localization capabilities. All we need now are translators! [Go here to get started](http://translate.icontrolwp.com/).
862
- * ADDED: Option to mask the WordPress version so the real version is never publicly visible.
863
-
864
- = 1.9.2 =
865
-
866
- * CHANGED: Simplified the automatic WordPress Plugin updates into 1 filter for consistency
867
-
868
- = 1.9.1 =
869
-
870
- * ADDED: Increased admin access security features - blocks the deactivation of itself if you're not authenticated fully with the plugin.
871
- * ADDED: If you're not authenticated with the plugin, the plugin listing view wont have 'Deactivate' or 'Edit' links.
872
-
873
- = 1.9.0 =
874
-
875
- * ADDED: New WordPress Automatic Updates Configuration settings
876
-
877
- = 1.8.2 =
878
-
879
- * ADDED: Notification of available plugin upgrade is now an option under the 'Dashboard'
880
- * CHANGED: Certain admin and upgrade notices now only appear when you're authenticated with the plugin (if this is enabled)
881
- * FIXED: PHP Notice with undefined index.
882
-
883
- = 1.8.1 =
884
-
885
- * ADDED: Feature- Access Key Restriction [more info](http://icwp.io/2s).
886
- * ADDED: Feature- WordPress Lockdown. Currently only provides 1 option, but more to come.
887
-
888
- = 1.7.3 =
889
-
890
- * CHANGED: Reworked a lot of the plugin to optimize for further performance.
891
- * FIX: Potential infinite loop in processing firewall.
892
-
893
- = 1.7.1 =
894
-
895
- * ADDED: Much more efficiency yet again in the loading/saving of the plugin options.
896
-
897
- = 1.7.0 =
898
-
899
- * ADDED: Preliminary WordPress Multisite (WPMS/WPMU) Support.
900
- * CHANGED: The Firewall now kicks in on the 'plugins_loaded' hook instead of as the actual firewall plugin is initialized (as a result
901
- of WP Multisite support).
902
-
903
- = 1.6.2 =
904
-
905
- * REMOVED: Automatic upgrade option until I can ascertain what caused the plugin to auto-disable.
906
-
907
- = 1.6.1 =
908
-
909
- * ADDED: Options to fully customize the text displayed by the GASP comments section.
910
- * ADDED: Option to include logged-in users in the GASP Comments Filter.
911
-
912
- = 1.6.0 =
913
-
914
- * ADDED: A new section - 'Comments Filtering' that will form the basis for filtering comments with SPAM etc.
915
- * ADDED: Option to add enhanced GASP based comments filtering to prevent SPAM bots posting comments to your site.
916
-
917
- = 1.5.6 =
918
-
919
- * IMPROVED: Whitelist/Blacklist IP range processing to better cater for ranges when saving, with more thorough checking.
920
- * IMPROVED: Whitelist/Blacklist IP range processing for 32-bit systems.
921
- * FIXED: A bug with Whitelist/Blacklist IP checking.
922
-
923
- = 1.5.5 =
924
-
925
- * FIXED: Quite a few bugs fixed.
926
-
927
- = 1.5.4 =
928
-
929
- * FIXED: Typo error.
930
-
931
- = 1.5.3 =
932
-
933
- * FIXED: Some of the firewall processors were saving unnecessary data.
934
-
935
- = 1.5.2 =
936
-
937
- * CHANGED: The method for finding the client IP address is more thorough, in a bid to work with Proxy servers etc.
938
- * FIXED: PHP notice reported here: http://wordpress.org/support/topic/getting-errors-when-logged-in
939
-
940
- = 1.5.1 =
941
-
942
- * FIXED: Bug fix where IP address didn't show in email.
943
- * FIXED: Attempt to fix problem where update message never hides.
944
-
945
- = 1.5.0 =
946
-
947
- * ADDED: A new IP whitelist on the Login Protect that lets you by-pass login protect rules for given IP addresses.
948
- * REMOVED: Firewall rule for wp-login.php and whitelisted IPs.
949
-
950
- = 1.4.2 =
951
-
952
- * ADDED: The plugin now has an option to automatically upgrade itself when an update is detected - enabled by default.
953
-
954
- = 1.4.1 =
955
-
956
- * ADDED: The plugin will now displays an admin notice when a plugin upgrade is available with a link to immediately update.
957
- * ADDED: Plugin collision: removes the main hook by 'All In One WordPress Security'. No need to have both plugins running.
958
- * ADDED: Improved Login Cooldown Feature- works more like email throttling as it now uses an extra filesystem-based level of protection.
959
- * FIXED: Login Cooldown Feature didn't take effect in certain circumstances.
960
-
961
- = 1.4.0 =
962
-
963
- * ADDED: All-new plugin options handling making them more efficient, easier to manage/update, using far fewer WordPress database options.
964
- * CHANGED: Huge improvements on database calls and efficiency in loading plugin options.
965
- * FIXED: Nonce implementation.
966
-
967
- = 1.3.2 =
968
-
969
- * FIXED: Small compatibility issue with Quick Cache menu not showing.
970
-
971
- = 1.3.0 =
972
-
973
- * ADDED: Email Throttle Feature - this will prevent you getting bombarded by 1000s of emails in case you're hit by a bot.
974
- * ADDED: Another Firewall die() option. New option will print a message and uses the wp_die() function instead.
975
- * ADDED: Refactored and improved the logging system (upgrading will delete your current logs!).
976
- * ADDED: Option to separately log Login Protect features.
977
- * ADDED: Option to by-pass 2-factor authentication in the case sending the verification email fails
978
- (so you don't get locked out if your hosting doesn't support email!).
979
- * CHANGED: Login Protect checking now better logs out users immediately with a redirect.
980
- * CHANGED: We now escape the log data being printed - just in case there's any HTML/JS etc in there we don't want.
981
- * CHANGED: Optimized and cleaned a lot of the option caching code to improve reliability and performance (more to come).
982
-
983
- = 1.2.7 =
984
-
985
- * FIX: Bug where the GASP Login protection was only working when you had 2-factor authentication enabled.
986
-
987
- = 1.2.6 =
988
-
989
- * ADDED: Ability to import settings from WordPress Firewall 2 plugin options - note, doesn't import page and variables whitelisting.
990
- * FIX: A reported bug - parameter values could also be arrays.
991
-
992
- = 1.2.5 =
993
-
994
- * ADDED: New Feature - Option to add a checkbox that blocks automated SPAM Bots trying to log into your site.
995
- * ADDED: Added a clear user message when they verify their 2-factor authentication.
996
- * FIX: A few bugfixes and logic corrections.
997
-
998
- = 1.2.4 =
999
-
1000
- * CHANGED: Documentation on the dashboard, and the message after installing the firewall have been updated to be clearer and more informative.
1001
- * FIX: A few bugfixes and logic corrections.
1002
-
1003
- = 1.2.3 =
1004
-
1005
- * FIX: bugfix.
1006
-
1007
- = 1.2.2 =
1008
-
1009
- * FIX: Some warnings and display bugs.
1010
-
1011
- = 1.2.1 =
1012
-
1013
- * ADDED: New Feature - Login Wait Interval. To reduce the effectiveness of brute force login attacks, you can add an interval by
1014
- which WordPress will wait before processing any more login attempts on a site.
1015
- * CHANGED: Optimized some settings for performance.
1016
- * CHANGED: Cleaned up the UI when the Firewall / Login Protect features are disabled (more to come).
1017
- * CHANGED: Further code improvements (more to come).
1018
-
1019
- = 1.2.0 =
1020
-
1021
- * ADDED: New Feature - **Login Protect**. Added 2-Factor Login Authentication for all users and their associated IP addresses.
1022
- * CHANGED: The method for processing the IP address lists is improved.
1023
- * CHANGED: Improved .htaccess rules (thanks MickeyRoush)
1024
- * CHANGED: Mailing method now uses WP_MAIL
1025
- * CHANGED: Lot's of code improvements.
1026
-
1027
- = 1.1.6 =
1028
-
1029
- * ADDED: Option to include Cookies in the firewall checking.
1030
-
1031
- = 1.1.5 =
1032
-
1033
- * ADDED: Ability to whitelist particular pages and their parameters (see FAQ)
1034
- * CHANGED: Quite a few improvements made to the reliability of the firewall processing.
1035
-
1036
- = 1.1.4 =
1037
-
1038
- * FIX: Left test path in plugin.
1039
-
1040
- = 1.1.3 =
1041
-
1042
- * ADDED: Option to completely ignore logged-in Administrators from the Firewall processing (they wont even trigger logging etc).
1043
- * ADDED: Ability to (un)blacklist and (un)whitelist IP addresses directly from within the log.
1044
- * ADDED: helpful link to IP WHOIS from within the log.
1045
-
1046
- = 1.1.2 =
1047
-
1048
- * CHANGED: Logging now has its own dedicated database table.
1049
-
1050
- = 1.1.1 =
1051
-
1052
- * Fix: Block notification emails weren't showing the user-friendly IP Address format.
1053
-
1054
- = 1.1.0 =
1055
-
1056
- * You can now specify IP ranges in whitelists and blacklists. To do this separate the start and end address with a hyphen (-) E.g. For everything between 1.2.3.4 and 1.2.3.10, you would do: 1.2.3.4-1.2.3.10
1057
- * You can now specify which email address to send the notification emails.
1058
- * You can now add a comment to IP addresses in the whitelist/blacklist. To do this, write your IP address then type a SPACE and write whatever you want (don't take a new line).
1059
- * You can now set to delete ALL firewall settings when you deactivate the plugin.
1060
- * Improved formatting of the firewall log.
1061
-
1062
- = 1.0.2 =
1063
- * First Release
1064
-
1065
- == Upgrade Notice ==
1066
-
1067
- = 1.1.2 =
1068
-
1069
- * CHANGED: Logging now has its own dedicated database table.
1070
- * Fix: Block notification emails weren't showing the user-friendly IP Address format.
1071
- * You can now specify IP ranges in whitelists and blacklists. To do this separate the start and end address with a hyphen (-) E.g. For everything between 1.2.3.4 and 1.2.3.10, you would do: 1.2.3.4-1.2.3.10
1072
- * You can now specify which email address to send the notification emails.
1073
- * You can now add a comment to IP addresses in the whitelist/blacklist. To do this, write your IP address then type a SPACE and write whatever you want (don't take a new line).
1074
- * You can now set to delete ALL firewall settings when you deactivate the plugin.
1075
- * Improved formatting of the firewall log.
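Review bot: dropping changelog.txt is reasonable because readme.txt carries the same changelog, but the removed file's `== Upgrade Notice ==` block (lines 1065–1075 of the deleted file) is not reproduced anywhere in this diff; wordpress.org only reads an upgrade notice from readme.txt, so if one is still wanted for this release it has to be added there under that heading, and if it is not wanted the deletion should say so in the commit message.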
icwp-wpsf.php CHANGED
@@ -3,7 +3,7 @@
3
  * Plugin Name: Shield Security
4
  * Plugin URI: http://icwp.io/2f
5
  * Description: Powerful, Easy-To-Use #1 Rated WordPress Security System
6
- * Version: 6.6.2
7
  * Text Domain: wp-simple-firewall
8
  * Domain Path: /languages/
9
  * Author: One Dollar Plugin
3
  * Plugin Name: Shield Security
4
  * Plugin URI: http://icwp.io/2f
5
  * Description: Powerful, Easy-To-Use #1 Rated WordPress Security System
6
+ * Version: 6.6.3
7
  * Text Domain: wp-simple-firewall
8
  * Domain Path: /languages/
9
  * Author: One Dollar Plugin
plugin-spec.php CHANGED
@@ -1,7 +1,7 @@
1
  {
2
  "properties": {
3
- "version": "6.6.2",
4
- "release_timestamp": 1521726109,
5
  "slug_parent": "icwp",
6
  "slug_plugin": "wpsf",
7
  "human_name": "Shield",
1
  {
2
  "properties": {
3
+ "version": "6.6.3",
4
+ "release_timestamp": 1522410988,
5
  "slug_parent": "icwp",
6
  "slug_plugin": "wpsf",
7
  "human_name": "Shield",
readme.txt CHANGED
@@ -8,7 +8,7 @@ Requires at least: 3.5.0
8
  Requires PHP: 5.2.4
9
  Recommended PHP: 5.4
10
  Tested up to: 4.9
11
- Stable tag: 6.6.2
12
 
13
  Complete All-In-One Protection for your WordPress sites, that makes Security Easy for Everyone - it doesn't have to be hard anymore.
14
 
@@ -20,17 +20,21 @@ There's no good reason for WordPress security plugins to be so complicated. It d
20
 
21
  Shield is the easiest security plugin to setup - you simply activate it. Then a beautiful, step-by-step wizard will walk you through the basic configuration.
22
 
23
- And whenever you're ready, you can dig deeper.
24
 
25
  #### Trust: Shield Does Exactly What It Says It Will Do
26
 
27
  You've probably been let down in the past, but Shield is the WordPress Security solution that does what it says it'll do - Protect Your Site.
28
 
29
- #### Constant notifications are not okay. You're already busy enough!
 
 
 
 
30
 
31
  Shield is your Silent Guardian. It doesn't squawk at you every time a visitor presses against your defenses.
32
 
33
- Shield notifies you when you need to be alerted to an incident. Otherwise, it'll do *its job* without moaning at you, and let you get on with *your job*.
34
 
35
  #### You're not alone, and there's no risk to test it out.
36
 
@@ -348,10 +352,10 @@ If you don't want to support the work, no problem! You can still continue to use
348
 
349
  You can [go Pro for just $1/month](http://icwp.io/aa).
350
 
351
- = 6.6.2 - Current Release =
352
- *Released: 22nd March, 2018* - [Release Notes](http://icwp.io/c3)
353
 
354
- * **(v.1-2)** FIXED: Various small fixes and improvements
355
  * **(v.0)** NEW: [**PRO**] [Keyless Activation of Pro licenses](http://icwp.io/c1).
356
  * **(v.0)** ADDED: [WordPress Password Policies](http://icwp.io/c2).
357
  * **(v.0)** ADDED: Pwned Passwords Detection.
@@ -362,7 +366,7 @@ You can [go Pro for just $1/month](http://icwp.io/aa).
362
  = 6.6 Series =
363
  *Released: 19th March, 2018* - [Release Notes](http://icwp.io/c3)
364
 
365
- * **(v.1-2)** FIXED: Various small fixes and improvements
366
  * **(v.0)** NEW: [**PRO**] [Keyless Activation of Pro licenses](http://icwp.io/c1).
367
  * **(v.0)** ADDED: [WordPress Password Policies](http://icwp.io/c2).
368
  * **(v.0)** ADDED: Pwned Passwords Detection.
8
  Requires PHP: 5.2.4
9
  Recommended PHP: 5.4
10
  Tested up to: 4.9
11
+ Stable tag: 6.6.3
12
 
13
  Complete All-In-One Protection for your WordPress sites, that makes Security Easy for Everyone - it doesn't have to be hard anymore.
14
 
20
 
21
  Shield is the easiest security plugin to setup - you simply activate it. Then a beautiful, step-by-step wizard will walk you through the basic configuration.
22
 
23
+ And you can dig deeper, any time you're ready.
24
 
25
  #### Trust: Shield Does Exactly What It Says It Will Do
26
 
27
  You've probably been let down in the past, but Shield is the WordPress Security solution that does what it says it'll do - Protect Your Site.
28
 
29
+ #### Constant notifications are not okay. You're already busy!
30
+
31
+ Receiving constant alerts from your security plugins isn't "security". It's just noise. By the time you receive a notification and respond to it, it's already too late.
32
+
33
+ Instead, Shield Security does it what it needs to do, and alerts you if and when you need to informed.
34
 
35
  Shield is your Silent Guardian. It doesn't squawk at you every time a visitor presses against your defenses.
36
 
37
+ It'll do *its job* without moaning at you, and leave you in peace to get on with *your job*.
38
 
39
  #### You're not alone, and there's no risk to test it out.
40
 
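Review bot: two typos in the added copy. Line 33 "Shield Security does it what it needs to do" should read "does what it needs to do", and "alerts you if and when you need to informed" is missing "be" ("need to be informed"). Line 31's "it's already too late" also undercuts the alerting the next sentence promises; "it's often already too late" keeps the point without contradicting line 33.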
352
 
353
  You can [go Pro for just $1/month](http://icwp.io/aa).
354
 
355
+ = 6.6.3 - Current Release =
356
+ *Released: 30th March, 2018* - [Release Notes](http://icwp.io/c3)
357
 
358
+ * **(v.1-3)** FIXED: Various small fixes and improvements
359
  * **(v.0)** NEW: [**PRO**] [Keyless Activation of Pro licenses](http://icwp.io/c1).
360
  * **(v.0)** ADDED: [WordPress Password Policies](http://icwp.io/c2).
361
  * **(v.0)** ADDED: Pwned Passwords Detection.
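Review bot: the only 6.6.3-specific entry is "(v.1-3) FIXED: Various small fixes and improvements" (line 358), yet this changeset tightens Yubikey secret validation, changes how a 2FA profile is flagged as validated, stops reflecting the submitted OTP into the login form, and adds a timeout to the license lookup. A one-line mention of the two-factor changes would let site owners with Yubikey users decide whether to upgrade promptly and what to re-check afterwards.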
366
  = 6.6 Series =
367
  *Released: 19th March, 2018* - [Release Notes](http://icwp.io/c3)
368
 
369
+ * **(v.1-3)** FIXED: Various small fixes and improvements
370
  * **(v.0)** NEW: [**PRO**] [Keyless Activation of Pro licenses](http://icwp.io/c1).
371
  * **(v.0)** ADDED: [WordPress Password Policies](http://icwp.io/c2).
372
  * **(v.0)** ADDED: Pwned Passwords Detection.
src/common/icwp-edd.php CHANGED
@@ -112,7 +112,8 @@ class ICWP_WPSF_Edd extends ICWP_WPSF_Foundation {
112
  $oLicense = null;
113
 
114
  $aLicenseLookupParams = array(
115
- 'body' => array_merge(
 
116
  array(
117
  'edd_action' => $sAction,
118
  'license' => $sKey,
112
  $oLicense = null;
113
 
114
  $aLicenseLookupParams = array(
115
+ 'timeout' => 10,
116
+ 'body' => array_merge(
117
  array(
118
  'edd_action' => $sAction,
119
  'license' => $sKey,
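Review bot: the added `'timeout' => 10` (line 115) doubles the WordPress HTTP API default of 5 seconds for the license lookup. That is fine for a user-initiated activation, but confirm this lookup is never triggered synchronously on ordinary admin page loads, because an unreachable license server would now hold each such request for up to 10 seconds. If the lookup can run in the background, pass `'blocking' => false` or schedule it via WP-Cron rather than raising the timeout.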
src/processors/audit_trail_emails.php CHANGED
@@ -15,19 +15,25 @@ class ICWP_WPSF_Processor_AuditTrail_Emails extends ICWP_WPSF_AuditTrail_Auditor
15
  }
16
 
17
  /**
18
- * @param array $aEmailParameters
19
  * @return array
20
  */
21
- public function auditEmailSend( $aEmailParameters ) {
22
- $sTo = isset( $aEmailParameters[ 'to' ] ) ? $aEmailParameters[ 'to' ] : 'no email provided';
23
- if ( is_array( $sTo ) ) {
24
- $sTo = implode( ', ', $sTo );
 
 
 
 
 
 
 
 
25
  }
26
- $this->add( 'emails', 'email_attempt_send', 1,
27
- sprintf( _wpsf__( 'There was an attempt to send an email using the "%s" function.' ), 'wp_mail' )
28
- .' '.sprintf( _wpsf__( 'It was sent to "%s" with the subject "%s".' ), $sTo, $aEmailParameters[ 'subject' ] )
29
- );
30
 
31
- return $aEmailParameters;
 
 
32
  }
33
  }
15
  }
16
 
17
  /**
18
+ * @param array $aEmailParams
19
  * @return array
20
  */
21
+ public function auditEmailSend( $aEmailParams ) {
22
+
23
+ if ( is_array( $aEmailParams ) ) {
24
+ $sTo = isset( $aEmailParams[ 'to' ] ) ? $aEmailParams[ 'to' ] : 'no email address provided';
25
+ if ( is_array( $sTo ) ) {
26
+ $sTo = implode( ', ', $sTo );
27
+ }
28
+ $sMessage = sprintf( _wpsf__( 'There was an attempt to send an email using the "%s" function.' ), 'wp_mail' )
29
+ .' '.sprintf( _wpsf__( 'It was sent to "%s" with the subject "%s".' ), $sTo, $aEmailParams[ 'subject' ] );
30
+ }
31
+ else {
32
+ $sMessage = sprintf( _wpsf__( 'Attempting to log email, but data was not of the correct type (%s)' ), 'array' );
33
  }
 
 
 
 
34
 
35
+ $this->add( 'emails', 'email_attempt_send', 1, $sMessage );
36
+
37
+ return $aEmailParams;
38
  }
39
  }
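Review bot: line 29 still reads `$aEmailParams[ 'subject' ]` with no isset() guard, although the rewrite guards `'to'` on line 24 and even handles a non-array payload on lines 31–32; an array without a subject key (anything that runs `apply_filters( 'wp_mail', ... )` with partial data) raises an undefined-index notice from inside the audit hook. Mirror the `'to'` handling: `$sSubject = isset( $aEmailParams[ 'subject' ] ) ? $aEmailParams[ 'subject' ] : '';` and use `$sSubject` in the sprintf().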
src/processors/loginprotect_intentprovider_base.php CHANGED
@@ -92,6 +92,7 @@ abstract class ICWP_WPSF_Processor_LoginProtect_IntentProviderBase extends ICWP_
92
  $oWpUsers->deleteUserMeta( $sOldMetaKey, $oUser->ID );
93
  }
94
  }
 
95
  $this->setProfileValidated( $oUser, $bValidated );
96
 
97
  return $bValidated;
@@ -265,7 +266,7 @@ abstract class ICWP_WPSF_Processor_LoginProtect_IntentProviderBase extends ICWP_
265
  * @return string
266
  */
267
  protected function fetchCodeFromRequest() {
268
- return esc_attr( trim( $this->loadDP()->FetchRequest( $this->getLoginFormParameter(), false, '' ) ) );
269
  }
270
 
271
  /**
92
  $oWpUsers->deleteUserMeta( $sOldMetaKey, $oUser->ID );
93
  }
94
  }
95
+ $bValidated = $bValidated && $this->hasValidSecret( $oUser );
96
  $this->setProfileValidated( $oUser, $bValidated );
97
 
98
  return $bValidated;
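Review bot: line 95, `$bValidated = $bValidated && $this->hasValidSecret( $oUser );`, turns a stored-secret check into a persistent downgrade: when hasValidSecret() fails, setProfileValidated() on line 96 writes that false back, so a user whose stored secret no longer passes the stricter validation added elsewhere in this changeset silently loses that second factor at next login instead of being blocked. That is a fail-open choice. If it is intended, add an audit-trail entry here so the de-validation is visible to the admin; otherwise keep the profile flagged, reject the login, and force re-enrolment.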
266
  * @return string
267
  */
268
  protected function fetchCodeFromRequest() {
269
+ return esc_attr( trim( $this->loadDP()->request( $this->getLoginFormParameter(), false, '' ) ) );
270
  }
271
 
272
  /**
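Review bot: line 269 wraps request input in esc_attr(), which is an HTML-output escaper, not input validation; it leaves regex metacharacters and `/` intact, and the value later reaches the Yubikey provider's verify URL and a preg_match() pattern. Have each provider validate the shape of its own code (the Yubikey provider can require ModHex, the others digits of a fixed length) and apply esc_attr() only where the value is echoed into HTML.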
src/processors/loginprotect_yubikey.php CHANGED
@@ -8,6 +8,7 @@ require_once( dirname( __FILE__ ).'/loginprotect_intentprovider_base.php' );
8
 
9
  class ICWP_WPSF_Processor_LoginProtect_Yubikey extends ICWP_WPSF_Processor_LoginProtect_IntentProviderBase {
10
 
 
11
  /**
12
  * @const string
13
  */
@@ -20,6 +21,7 @@ class ICWP_WPSF_Processor_LoginProtect_Yubikey extends ICWP_WPSF_Processor_Login
20
  parent::run();
21
  }
22
  }
 
23
  /**
24
  * This MUST only ever be hooked into when the User is looking at their OWN profile, so we can use "current user"
25
  * functions. Otherwise we need to be careful of mixing up users.
@@ -58,7 +60,6 @@ class ICWP_WPSF_Processor_LoginProtect_Yubikey extends ICWP_WPSF_Processor_Login
58
  /**
59
  * This MUST only ever be hooked into when the User is looking at their OWN profile,
60
  * so we can use "current user" functions. Otherwise we need to be careful of mixing up users.
61
- *
62
  * @param int $nSavingUserId
63
  */
64
  public function handleUserProfileSubmit( $nSavingUserId ) {
@@ -86,7 +87,7 @@ class ICWP_WPSF_Processor_LoginProtect_Yubikey extends ICWP_WPSF_Processor_Login
86
  // We're trying to validate our OTP to activate
87
  if ( !$this->hasValidatedProfile( $oSavingUser ) ) {
88
 
89
- $this->setSecret( $oSavingUser, substr( $sOtp, 0, 12 ) )
90
  ->setProfileValidated( $oSavingUser );
91
  $oWpNotices->addFlashMessage(
92
  sprintf( _wpsf__( '%s was successfully added to your account.' ),
@@ -130,10 +131,10 @@ class ICWP_WPSF_Processor_LoginProtect_Yubikey extends ICWP_WPSF_Processor_Login
130
  // $sApiKey = $this->getOption('yubikey_api_key');
131
 
132
  // check that if we have a list of permitted keys, that the one used is on that list connected with the username.
133
- $sYubikey12 = substr( $sOneTimePassword, 0 , 12 );
134
  $fUsernameFound = false; // if username is never found, it means there's no yubikey specified which means we can bypass this authentication method.
135
  $fFoundMatch = false;
136
- foreach( $this->getOption( 'yubikey_unique_keys' ) as $aUsernameYubikeyPair ) {
137
  if ( isset( $aUsernameYubikeyPair[ $sUsername ] ) ) {
138
  $fUsernameFound = true;
139
  if ( $aUsernameYubikeyPair[ $sUsername ] == $sYubikey12 ) {
@@ -145,33 +146,33 @@ class ICWP_WPSF_Processor_LoginProtect_Yubikey extends ICWP_WPSF_Processor_Login
145
 
146
  // If no yubikey-username pair found for given username, we by-pass Yubikey auth.
147
  if ( !$fUsernameFound ) {
148
- $sAuditMessage = sprintf( _wpsf__('User "%s" logged in without a Yubikey One Time Password because no username-yubikey pair was found for this user.'), $sUsername );
149
  $this->addToAuditEntry( $sAuditMessage, 2, 'login_protect_yubikey_bypass' );
150
  return $oUser;
151
  }
152
 
153
  // Username was found in the list of key pairs, but the yubikey provided didn't match that username.
154
  if ( !$fFoundMatch ) {
155
- $sAuditMessage = sprintf( _wpsf__('User "%s" attempted to login but Yubikey ID "%s" used was not in list of authorised keys.'), $sUsername, $sYubikey12 );
156
  $this->addToAuditEntry( $sAuditMessage, 2, 'login_protect_yubikey_fail_permitted_id' );
157
 
158
  if ( $bErrorOnFailure ) {
159
  $oError->add(
160
  'yubikey_not_allowed',
161
- sprintf( _wpsf__( 'ERROR: %s' ), _wpsf__('The Yubikey provided is not on the list of permitted keys for this user.') )
162
  );
163
  return $oError;
164
  }
165
  }
166
 
167
  if ( $this->processOtp( null, $sOneTimePassword ) ) {
168
- $sAuditMessage = sprintf( _wpsf__('User "%s" successfully logged in using a validated Yubikey One Time Password.'), $sUsername );
169
  $this->addToAuditEntry( $sAuditMessage, 2, 'login_protect_yubikey_login_success' );
170
  $this->getLoginTrack()->addSuccessfulFactor( ICWP_WPSF_Processor_LoginProtect_Track::Factor_Yubikey );
171
  }
172
  else {
173
 
174
- $sAuditMessage = sprintf( _wpsf__('User "%s" attempted to login but Yubikey One Time Password failed to validate due to invalid Yubi API response.".'), $sUsername );
175
  $this->addToAuditEntry( $sAuditMessage, 2, 'login_protect_yubikey_fail_invalid_api_response' );
176
 
177
  $oError->add(
@@ -185,7 +186,7 @@ class ICWP_WPSF_Processor_LoginProtect_Yubikey extends ICWP_WPSF_Processor_Login
185
 
186
  /**
187
  * @param WP_User $oUser
188
- * @param string $sOneTimePassword
189
  * @return bool
190
  */
191
  protected function processOtp( $oUser, $sOneTimePassword ) {
@@ -198,12 +199,12 @@ class ICWP_WPSF_Processor_LoginProtect_Yubikey extends ICWP_WPSF_Processor_Login
198
  );
199
  $sRawYubiRequest = $this->loadFS()->getUrlContent( $sUrl );
200
 
201
- $bMatchOtpAndNonce = preg_match( '/otp=' . $sOneTimePassword . '/', $sRawYubiRequest, $aMatches )
202
- && preg_match( '/nonce=' . $sNonce . '/', $sRawYubiRequest, $aMatches );
203
 
204
  return $bMatchOtpAndNonce
205
- && preg_match( '/status=([a-zA-Z0-9_]+)/', $sRawYubiRequest, $aMatchesStatus )
206
- && ( $aMatchesStatus[ 1 ] == 'OK' ); // TODO: in preg_match
207
  }
208
 
209
  /**
@@ -212,14 +213,18 @@ class ICWP_WPSF_Processor_LoginProtect_Yubikey extends ICWP_WPSF_Processor_Login
212
  protected function auditLogin( $bIsSuccess ) {
213
  if ( $bIsSuccess ) {
214
  $this->addToAuditEntry(
215
- sprintf( _wpsf__('User "%s" successfully logged in using a validated Yubikey One Time Password.'), $this->loadWpUsers()->getCurrentWpUser()->get( 'user_login' ) ),
 
 
216
  2, 'login_protect_yubikey_login_success'
217
  );
218
  $this->doStatIncrement( 'login.yubikey.verified' );
219
  }
220
  else {
221
  $this->addToAuditEntry(
222
- sprintf( _wpsf__( 'User "%s" failed to verify their identity using Yubikey One Time Password.' ), $this->loadWpUsers()->getCurrentWpUser()->get( 'user_login' ) ),
 
 
223
  2, 'login_protect_yubikey_failed'
224
  );
225
  $this->doStatIncrement( 'login.yubikey.failed' );
@@ -233,12 +238,12 @@ class ICWP_WPSF_Processor_LoginProtect_Yubikey extends ICWP_WPSF_Processor_Login
233
  public function addLoginIntentField( $aFields ) {
234
  if ( $this->getCurrentUserHasValidatedProfile() ) {
235
  $aFields[] = array(
236
- 'name' => $this->getLoginFormParameter(),
237
- 'type' => 'text',
238
  'placeholder' => _wpsf__( 'Use your Yubikey to generate a new code.' ),
239
- 'value' => $this->fetchCodeFromRequest(),
240
- 'text' => _wpsf__( 'Yubikey OTP' ),
241
- 'help_link' => 'http://icwp.io/4i'
242
  );
243
  }
244
  return $aFields;
@@ -265,6 +270,14 @@ class ICWP_WPSF_Processor_LoginProtect_Yubikey extends ICWP_WPSF_Processor_Login
265
  * @return bool
266
  */
267
  protected function isSecretValid( $sSecret ) {
268
- return true; // we don't use individual user secrets
 
 
 
 
 
 
 
 
269
  }
270
  }
8
 
9
  class ICWP_WPSF_Processor_LoginProtect_Yubikey extends ICWP_WPSF_Processor_LoginProtect_IntentProviderBase {
10
 
11
+ const SECRET_LENGTH = 12;
12
  /**
13
  * @const string
14
  */
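Review bot: `const SECRET_LENGTH = 12;` (line 11) lands directly above a docblock that documents the next constant, so it reads as undocumented while the following `@const string` block looks like it describes it. Give it its own docblock and a blank line, e.g. `/** @const int length of the Yubikey public ID, the first 12 ModHex chars of an OTP */`, which also records why 12 is the right number.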
21
  parent::run();
22
  }
23
  }
24
+
25
  /**
26
  * This MUST only ever be hooked into when the User is looking at their OWN profile, so we can use "current user"
27
  * functions. Otherwise we need to be careful of mixing up users.
60
  /**
61
  * This MUST only ever be hooked into when the User is looking at their OWN profile,
62
  * so we can use "current user" functions. Otherwise we need to be careful of mixing up users.
 
63
  * @param int $nSavingUserId
64
  */
65
  public function handleUserProfileSubmit( $nSavingUserId ) {
87
  // We're trying to validate our OTP to activate
88
  if ( !$this->hasValidatedProfile( $oSavingUser ) ) {
89
 
90
+ $this->setSecret( $oSavingUser, substr( $sOtp, 0, $this->getSecretLength() ) )
91
  ->setProfileValidated( $oSavingUser );
92
  $oWpNotices->addFlashMessage(
93
  sprintf( _wpsf__( '%s was successfully added to your account.' ),
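Review bot: line 90 binds `substr( $sOtp, 0, $this->getSecretLength() )` to the user as their secret without checking its shape, even though this changeset adds a format regex in isSecretValid(); call that check (or hasValidSecret()) before setSecret()->setProfileValidated() so a typo or pasted garbage cannot be enrolled as a key ID. The visible context also does not show the OTP being verified against Yubico before it is bound; if that verification sits above line 87, fine, otherwise anyone who can submit the profile form can enrol an arbitrary 12-character string.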
131
  // $sApiKey = $this->getOption('yubikey_api_key');
132
 
133
  // check that if we have a list of permitted keys, that the one used is on that list connected with the username.
134
+ $sYubikey12 = substr( $sOneTimePassword, 0, $this->getSecretLength() );
135
  $fUsernameFound = false; // if username is never found, it means there's no yubikey specified which means we can bypass this authentication method.
136
  $fFoundMatch = false;
137
+ foreach ( $this->getOption( 'yubikey_unique_keys' ) as $aUsernameYubikeyPair ) {
138
  if ( isset( $aUsernameYubikeyPair[ $sUsername ] ) ) {
139
  $fUsernameFound = true;
140
  if ( $aUsernameYubikeyPair[ $sUsername ] == $sYubikey12 ) {
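Review bot: line 140 compares the configured key ID with the submitted one using `==`; both are strings, but PHP's loose comparison still treats numeric-looking strings specially, and a plain string compare is not constant-time. Use `hash_equals( (string) $aUsernameYubikeyPair[ $sUsername ], $sYubikey12 )` where available (PHP 5.6+; the readme still declares "Requires PHP: 5.2.4", so fall back to `===` on older runtimes). Line 137 also iterates `$this->getOption( 'yubikey_unique_keys' )` without checking it is an array: an unset or empty option emits a warning, leaves $fUsernameFound false, and so silently bypasses Yubikey for everyone.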
146
 
147
  // If no yubikey-username pair found for given username, we by-pass Yubikey auth.
148
  if ( !$fUsernameFound ) {
149
+ $sAuditMessage = sprintf( _wpsf__( 'User "%s" logged in without a Yubikey One Time Password because no username-yubikey pair was found for this user.' ), $sUsername );
150
  $this->addToAuditEntry( $sAuditMessage, 2, 'login_protect_yubikey_bypass' );
151
  return $oUser;
152
  }
153
 
154
  // Username was found in the list of key pairs, but the yubikey provided didn't match that username.
155
  if ( !$fFoundMatch ) {
156
+ $sAuditMessage = sprintf( _wpsf__( 'User "%s" attempted to login but Yubikey ID "%s" used was not in list of authorised keys.' ), $sUsername, $sYubikey12 );
157
  $this->addToAuditEntry( $sAuditMessage, 2, 'login_protect_yubikey_fail_permitted_id' );
158
 
159
  if ( $bErrorOnFailure ) {
160
  $oError->add(
161
  'yubikey_not_allowed',
162
+ sprintf( _wpsf__( 'ERROR: %s' ), _wpsf__( 'The Yubikey provided is not on the list of permitted keys for this user.' ) )
163
  );
164
  return $oError;
165
  }
166
  }
167
 
168
  if ( $this->processOtp( null, $sOneTimePassword ) ) {
169
+ $sAuditMessage = sprintf( _wpsf__( 'User "%s" successfully logged in using a validated Yubikey One Time Password.' ), $sUsername );
170
  $this->addToAuditEntry( $sAuditMessage, 2, 'login_protect_yubikey_login_success' );
171
  $this->getLoginTrack()->addSuccessfulFactor( ICWP_WPSF_Processor_LoginProtect_Track::Factor_Yubikey );
172
  }
173
  else {
174
 
175
+ $sAuditMessage = sprintf( _wpsf__( 'User "%s" attempted to login but Yubikey One Time Password failed to validate due to invalid Yubi API response.".' ), $sUsername );
176
  $this->addToAuditEntry( $sAuditMessage, 2, 'login_protect_yubikey_fail_invalid_api_response' );
177
 
178
  $oError->add(
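Review bot: when `$bErrorOnFailure` is false, the not-on-permitted-list branch (lines 155–166) only logs and then falls through to processOtp() on line 168, so an OTP from a key that is not on the user's list still gets `addSuccessfulFactor( Factor_Yubikey )` if Yubico validates it; that is effectively "any Yubikey" in that mode, and the audit trail shows a `login_protect_yubikey_fail_permitted_id` entry followed by a `login_protect_yubikey_login_success` for the same request. If soft-fail is intended, return $oUser before line 168 without adding the factor. Minor: the translatable string on line 175 ends in `response.".'`, a stray quote and dot.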
186
 
187
  /**
188
  * @param WP_User $oUser
189
+ * @param string $sOneTimePassword
190
  * @return bool
191
  */
192
  protected function processOtp( $oUser, $sOneTimePassword ) {
199
  );
200
  $sRawYubiRequest = $this->loadFS()->getUrlContent( $sUrl );
201
 
202
+ $bMatchOtpAndNonce = preg_match( '/otp='.$sOneTimePassword.'/', $sRawYubiRequest, $aMatches )
203
+ && preg_match( '/nonce='.$sNonce.'/', $sRawYubiRequest, $aMatches );
204
 
205
  return $bMatchOtpAndNonce
206
+ && preg_match( '/status=([a-zA-Z0-9_]+)/', $sRawYubiRequest, $aMatchesStatus )
207
+ && ( $aMatchesStatus[ 1 ] == 'OK' ); // TODO: in preg_match
208
  }
209
 
210
  /**
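Review bot: lines 202–203 splice the submitted OTP and the nonce into preg_match() patterns without preg_quote(); the OTP is request input (only esc_attr()'d upstream), so a `/` in it makes preg_match() warn and return false, and metacharacters such as `.` or `(` change what the pattern matches. This does not forge a success on its own, because `status=OK` on line 207 still requires an OTP Yubico accepted, but it is fragile: wrap both values in `preg_quote( ..., '/' )` or, better, parse the response line by line on `=` and compare each field with hash_equals(). The `status=([a-zA-Z0-9_]+)` capture on line 206 also takes the first `status=` anywhere in the body; anchor it (`/^status=(\w+)$/m`) so it cannot match inside another field. The response's `h=` signature remains unverified because the API-key lookup at line 131 is still commented out, so the verdict's integrity rests entirely on the transport to the verification server; the `// TODO: in preg_match` comment should say which of these it refers to.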
213
  protected function auditLogin( $bIsSuccess ) {
214
  if ( $bIsSuccess ) {
215
  $this->addToAuditEntry(
216
+ sprintf( _wpsf__( 'User "%s" successfully logged in using a validated Yubikey One Time Password.' ), $this->loadWpUsers()
217
+ ->getCurrentWpUser()
218
+ ->get( 'user_login' ) ),
219
  2, 'login_protect_yubikey_login_success'
220
  );
221
  $this->doStatIncrement( 'login.yubikey.verified' );
222
  }
223
  else {
224
  $this->addToAuditEntry(
225
+ sprintf( _wpsf__( 'User "%s" failed to verify their identity using Yubikey One Time Password.' ), $this->loadWpUsers()
226
+ ->getCurrentWpUser()
227
+ ->get( 'user_login' ) ),
228
  2, 'login_protect_yubikey_failed'
229
  );
230
  $this->doStatIncrement( 'login.yubikey.failed' );
238
  public function addLoginIntentField( $aFields ) {
239
  if ( $this->getCurrentUserHasValidatedProfile() ) {
240
  $aFields[] = array(
241
+ 'name' => $this->getLoginFormParameter(),
242
+ 'type' => 'text',
243
  'placeholder' => _wpsf__( 'Use your Yubikey to generate a new code.' ),
244
+ 'value' => '',
245
+ 'text' => _wpsf__( 'Yubikey OTP' ),
246
+ 'help_link' => 'http://icwp.io/4i'
247
  );
248
  }
249
  return $aFields;
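Review bot: `'value' => ''` on line 244 is the right call, since a Yubico OTP is single-use (re-filling a failed attempt could only yield REPLAYED_OTP) and it removes an echo of request input into the form, but nothing in the code says so. Add a one-line comment such as `// never pre-fill: each OTP is single-use` so the old fetchCodeFromRequest() value is not restored later for consistency with the other providers.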
270
  * @return bool
271
  */
272
  protected function isSecretValid( $sSecret ) {
273
+ return parent::isSecretValid( $sSecret )
274
+ && preg_match( sprintf( '#^[a-z]{%s}$#i', $this->getSecretLength() ), $sSecret );
275
+ }
276
+
277
+ /**
278
+ * @return int
279
+ */
280
+ protected function getSecretLength() {
281
+ return self::SECRET_LENGTH;
282
  }
283
  }
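Review bot: the pattern built on line 274, `#^[a-z]{12}$#i`, accepts any letters, but a Yubikey public ID is ModHex, whose alphabet is exactly `cbdefghijklnrtuv`; use `#^[cbdefghijklnrtuv]{12}$#` so a mistyped or non-Yubikey value is rejected at enrolment. Drop the `i` flag as well, or normalise case before storing, because the `==` comparison against the permitted-key list at line 140 is case-sensitive and an upper-case secret would pass here yet never match there.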