function __construct()
{
/* Let's initiliaze our class variable array with all of the files and/or directories we wish to check permissions for.
* NOTE: we can add to this list in future if we wish
*/
//Get wp-config.php file path
$wp_config_path = AIOWPSecurity_Utility_File::get_wp_config_file_path();
$this->files_and_dirs_to_check = array(array('name' => 'root directory', 'path' => ABSPATH, 'permissions' => '0755'), array('name' => 'wp-includes/', 'path' => ABSPATH . "wp-includes", 'permissions' => '0755'), array('name' => '.htaccess', 'path' => ABSPATH . ".htaccess", 'permissions' => '0644'), array('name' => 'wp-admin/index.php', 'path' => ABSPATH . "wp-admin/index.php", 'permissions' => '0644'), array('name' => 'wp-admin/js/', 'path' => ABSPATH . "wp-admin/js/", 'permissions' => '0755'), array('name' => 'wp-content/themes/', 'path' => ABSPATH . "wp-content/themes", 'permissions' => '0755'), array('name' => 'wp-content/plugins/', 'path' => ABSPATH . "wp-content/plugins", 'permissions' => '0755'), array('name' => 'wp-admin/', 'path' => ABSPATH . "wp-admin", 'permissions' => '0755'), array('name' => 'wp-content/', 'path' => ABSPATH . "wp-content", 'permissions' => '0755'), array('name' => 'wp-config.php', 'path' => $wp_config_path, 'permissions' => '0644'));
}
function do_other_admin_side_init_tasks()
{
global $aio_wp_security;
//***New Feature improvement for Cookie Based Brute Force Protection***//
//The old "test cookie" used to be too easy to guess because someone could just read the code and get the value.
//So now we will drop a more secure test cookie using a 10 digit random string
if ($aio_wp_security->configs->get_value('aiowps_enable_brute_force_attack_prevention') == '1') {
// This code is for users who had this feature saved using an older release. This will drop the new more secure test cookie to the browser and will write it to the .htaccess file too
$test_cookie = $aio_wp_security->configs->get_value('aiowps_cookie_brute_test');
if (empty($test_cookie)) {
$random_suffix = AIOWPSecurity_Utility::generate_alpha_numeric_random_string(10);
$test_cookie_name = 'aiowps_cookie_test_' . $random_suffix;
$aio_wp_security->configs->set_value('aiowps_cookie_brute_test', $test_cookie_name);
$aio_wp_security->configs->save_config();
//save the value
AIOWPSecurity_Utility::set_cookie_value($test_cookie_name, "1");
//Write this new cookie to the .htaccess file
$res = AIOWPSecurity_Utility_Htaccess::write_to_htaccess();
if ($res == -1) {
$aio_wp_security->debug_logger->log_debug("Error writing new test cookie with random suffix to .htaccess file!", 4);
}
}
}
//For cookie test form submission case
if (isset($_GET['page']) && $_GET['page'] == AIOWPSEC_BRUTE_FORCE_MENU_SLUG && isset($_GET['tab']) && $_GET['tab'] == 'tab2') {
global $aio_wp_security;
if (isset($_POST['aiowps_do_cookie_test_for_bfla'])) {
$random_suffix = AIOWPSecurity_Utility::generate_alpha_numeric_random_string(10);
$test_cookie_name = 'aiowps_cookie_test_' . $random_suffix;
$aio_wp_security->configs->set_value('aiowps_cookie_brute_test', $test_cookie_name);
$aio_wp_security->configs->save_config();
//save the value
AIOWPSecurity_Utility::set_cookie_value($test_cookie_name, "1");
$cur_url = "admin.php?page=" . AIOWPSEC_BRUTE_FORCE_MENU_SLUG . "&tab=tab2";
$redirect_url = AIOWPSecurity_Utility::add_query_data_to_url($cur_url, 'aiowps_cookie_test', "1");
AIOWPSecurity_Utility::redirect_to_url($redirect_url);
}
if (isset($_POST['aiowps_enable_brute_force_attack_prevention'])) {
$brute_force_feature_secret_word = sanitize_text_field($_POST['aiowps_brute_force_secret_word']);
if (empty($brute_force_feature_secret_word)) {
$brute_force_feature_secret_word = "aiowps_secret";
}
AIOWPSecurity_Utility::set_cookie_value($brute_force_feature_secret_word, "1");
}
if (isset($_REQUEST['aiowps_cookie_test'])) {
$test_cookie = $aio_wp_security->configs->get_value('aiowps_cookie_brute_test');
$cookie_val = AIOWPSecurity_Utility::get_cookie_value($test_cookie);
if (empty($cookie_val)) {
$aio_wp_security->configs->set_value('aiowps_cookie_test_success', '');
} else {
$aio_wp_security->configs->set_value('aiowps_cookie_test_success', '1');
}
$aio_wp_security->configs->save_config();
//save the value
}
}
if (isset($_POST['aiowps_save_wp_config'])) {
$nonce = $_REQUEST['_wpnonce'];
if (!wp_verify_nonce($nonce, 'aiowpsec-save-wp-config-nonce')) {
$aio_wp_security->debug_logger->log_debug("Nonce check failed on wp_config file save!", 4);
die("Nonce check failed on wp_config file save!");
}
$wp_config_path = AIOWPSecurity_Utility_File::get_wp_config_file_path();
$result = AIOWPSecurity_Utility_File::backup_and_rename_wp_config($wp_config_path);
//Backup the wp_config.php file
AIOWPSecurity_Utility_File::download_a_file_option1($wp_config_path, "wp-config-backup.txt");
}
//Handle export settings
if (isset($_POST['aiowps_export_settings'])) {
$nonce = $_REQUEST['_wpnonce'];
if (!wp_verify_nonce($nonce, 'aiowpsec-export-settings-nonce')) {
$aio_wp_security->debug_logger->log_debug("Nonce check failed on export AIOWPS settings!", 4);
die("Nonce check failed on export AIOWPS settings!");
}
$config_data = get_option('aio_wp_security_configs');
$output = json_encode($config_data);
AIOWPSecurity_Utility_File::download_content_to_a_file($output);
}
}
function change_db_prefix($table_old_prefix, $table_new_prefix)
{
global $wpdb, $aio_wp_security;
$old_prefix_length = strlen($table_old_prefix);
$error = 0;
//Config file path
$config_file = AIOWPSecurity_Utility_File::get_wp_config_file_path();
//Get the table resource
//$result = mysql_list_tables(DB_NAME);
$result = $this->get_mysql_tables(DB_NAME);
//Fix for deprecated php mysql_list_tables function
//Count the number of tables
if (is_array($result) && count($result) > 0) {
$num_rows = count($result);
} else {
echo '<div class="aio_red_box"><p>' . __('Error - Could not get tables or no tables found!', 'all-in-one-wp-security-and-firewall') . '</p></div>';
return;
}
$table_count = 0;
$info_msg_string = '<p class="aio_info_with_icon">' . __('Starting DB prefix change operations.....', 'all-in-one-wp-security-and-firewall') . '</p>';
$info_msg_string .= '<p class="aio_info_with_icon">' . sprintf(__('Your WordPress system has a total of %s tables and your new DB prefix will be: %s', 'all-in-one-wp-security-and-firewall'), '<strong>' . $num_rows . '</strong>', '<strong>' . $table_new_prefix . '</strong>') . '</p>';
echo $info_msg_string;
//Do a back of the config file
if (!AIOWPSecurity_Utility_File::backup_and_rename_wp_config($config_file)) {
echo '<div class="aio_red_box"><p>' . __('Failed to make a backup of the wp-config.php file. This operation will not go ahead.', 'all-in-one-wp-security-and-firewall') . '</p></div>';
return;
} else {
echo '<p class="aio_success_with_icon">' . __('A backup copy of your wp-config.php file was created successfully!', 'all-in-one-wp-security-and-firewall') . '</p>';
}
//Get multisite blog_ids if applicable
if (AIOWPSecurity_Utility::is_multisite_install()) {
$blog_ids = AIOWPSecurity_Utility::get_blog_ids();
}
//Rename all the table names
foreach ($result as $db_table) {
//Get table name with old prefix
$table_old_name = $db_table;
if (strpos($table_old_name, $table_old_prefix) === 0) {
//Get table name with new prefix
$table_new_name = $table_new_prefix . substr($table_old_name, $old_prefix_length);
//Write query to rename tables name
$sql = "RENAME TABLE `" . $table_old_name . "` TO `" . $table_new_name . "`";
//$sql = "RENAME TABLE %s TO %s";
//Execute the query
if (false === $wpdb->query($sql)) {
$error = 1;
echo '<p class="aio_error_with_icon">' . sprintf(__('%s table name update failed', 'all-in-one-wp-security-and-firewall'), '<strong>' . $table_old_name . '</strong>') . '</p>';
$aio_wp_security->debug_logger->log_debug("DB Security Feature - Unable to change prefix of table " . $table_old_name, 4);
} else {
$table_count++;
}
} else {
continue;
}
}
if ($error == 1) {
echo '<p class="aio_error_with_icon">' . sprintf(__('Please change the prefix manually for the above tables to: %s', 'all-in-one-wp-security-and-firewall'), '<strong>' . $table_new_prefix . '</strong>') . '</p>';
} else {
echo '<p class="aio_success_with_icon">' . sprintf(__('%s tables had their prefix updated successfully!', 'all-in-one-wp-security-and-firewall'), '<strong>' . $table_count . '</strong>') . '</p>';
}
//Get wp-config.php file contents and modify it with new info
$config_contents = file($config_file);
$prefix_match_string = '$table_prefix=';
//this is our search string for the wp-config.php file
foreach ($config_contents as $line_num => $line) {
$no_ws_line = preg_replace('/\\s+/', '', $line);
//Strip white spaces
if (strpos($no_ws_line, $prefix_match_string) !== FALSE) {
$config_contents[$line_num] = str_replace($table_old_prefix, $table_new_prefix, $line);
break;
}
}
//Now let's modify the wp-config.php file
if (AIOWPSecurity_Utility_File::write_content_to_file($config_file, $config_contents)) {
echo '<p class="aio_success_with_icon">' . __('wp-config.php file was updated successfully!', 'all-in-one-wp-security-and-firewall') . '</p>';
} else {
echo '<p class="aio_error_with_icon">' . sprintf(__('The "wp-config.php" file was not able to be modified. Please modify this file manually using your favourite editor and search
for variable "$table_prefix" and assign the following value to that variable: %s', 'all-in-one-wp-security-and-firewall'), '<strong>' . $table_new_prefix . '</strong>') . '</p>';
$aio_wp_security->debug_logger->log_debug("DB Security Feature - Unable to modify wp-config.php", 4);
}
//Now let's update the options table
$update_option_table_query = "UPDATE " . $table_new_prefix . "options \r\r\n SET option_name = '" . $table_new_prefix . "user_roles' \r\r\n WHERE option_name = '" . $table_old_prefix . "user_roles' \r\r\n LIMIT 1";
if (false === $wpdb->query($update_option_table_query)) {
echo '<p class="aio_error_with_icon">' . sprintf(__('Update of table %s failed: unable to change %s to %s', 'all-in-one-wp-security-and-firewall'), $table_new_prefix . 'options', $table_old_prefix . 'user_roles', $table_new_prefix . 'user_roles') . '</p>';
$aio_wp_security->debug_logger->log_debug("DB Security Feature - Error when updating the options table", 4);
//Log the highly unlikely event of DB error
} else {
echo '<p class="aio_success_with_icon">' . sprintf(__('The options table records which had references to the old DB prefix were updated successfully!', 'all-in-one-wp-security-and-firewall')) . '</p>';
}
//Now let's update the options tables for the multisite subsites if applicable
if (AIOWPSecurity_Utility::is_multisite_install()) {
if (!empty($blog_ids)) {
foreach ($blog_ids as $blog_id) {
if ($blog_id == 1) {
continue;
}
//skip main site
$new_pref_and_site_id = $table_new_prefix . $blog_id . '_';
$old_pref_and_site_id = $table_old_prefix . $blog_id . '_';
$update_ms_option_table_query = "UPDATE " . $new_pref_and_site_id . "options\r\r\n SET option_name = '" . $new_pref_and_site_id . "user_roles'\r\r\n WHERE option_name = '" . $old_pref_and_site_id . "user_roles'\r\r\n LIMIT 1";
if (false === $wpdb->query($update_ms_option_table_query)) {
echo '<p class="aio_error_with_icon">' . sprintf(__('Update of table %s failed: unable to change %s to %s', 'all-in-one-wp-security-and-firewall'), $new_pref_and_site_id . 'options', $old_pref_and_site_id . 'user_roles', $new_pref_and_site_id . 'user_roles') . '</p>';
$aio_wp_security->debug_logger->log_debug("DB change prefix feature - Error when updating the subsite options table: " . $new_pref_and_site_id . 'options', 4);
//Log the highly unlikely event of DB error
} else {
echo '<p class="aio_success_with_icon">' . sprintf(__('The %s table records which had references to the old DB prefix were updated successfully!', 'all-in-one-wp-security-and-firewall'), $new_pref_and_site_id . 'options') . '</p>';
}
}
}
}
//Now let's update the user meta table
$custom_sql = "SELECT user_id, meta_key \r\r\n FROM " . $table_new_prefix . "usermeta \r\r\n WHERE meta_key \r\r\n LIKE '" . $table_old_prefix . "%'";
$meta_keys = $wpdb->get_results($custom_sql);
$error_update_usermeta = '';
//Update all meta_key field values which have the old table prefix in user_meta table
foreach ($meta_keys as $meta_key) {
//Create new meta key
$new_meta_key = $table_new_prefix . substr($meta_key->meta_key, $old_prefix_length);
$update_user_meta_sql = "UPDATE " . $table_new_prefix . "usermeta \r\r\n SET meta_key='" . $new_meta_key . "' \r\r\n WHERE meta_key='" . $meta_key->meta_key . "'\r\r\n AND user_id='" . $meta_key->user_id . "'";
if (false === $wpdb->query($update_user_meta_sql)) {
$error_update_usermeta .= '<p class="aio_error_with_icon">' . sprintf(__('Error updating user_meta table where new meta_key = %s, old meta_key = %s and user_id = %s.', 'all-in-one-wp-security-and-firewall'), $new_meta_key, $meta_key->meta_key, $meta_key->user_id) . '</p>';
echo $error_update_usermeta;
$aio_wp_security->debug_logger->log_debug("DB Security Feature - Error updating user_meta table where new meta_key = " . $new_meta_key . " old meta_key = " . $meta_key->meta_key . " and user_id = " . $meta_key->user_id, 4);
//Log the highly unlikely event of DB error
}
}
echo '<p class="aio_success_with_icon">' . __('The usermeta table records which had references to the old DB prefix were updated successfully!', 'all-in-one-wp-security-and-firewall') . '</p>';
//Display tasks finished message
$tasks_finished_msg_string = '<p class="aio_info_with_icon">' . __('DB prefix change tasks have been completed.', 'all-in-one-wp-security-and-firewall') . '</p>';
echo $tasks_finished_msg_string;
}
static function enable_file_edits()
{
global $aio_wp_security;
$edit_file_config_entry_exists = false;
//Config file path
$config_file = AIOWPSecurity_Utility_File::get_wp_config_file_path();
//Get wp-config.php file contents
$config_contents = file($config_file);
foreach ($config_contents as $line_num => $line) {
if (strpos($line, "'DISALLOW_FILE_EDIT', true")) {
$config_contents[$line_num] = str_replace('true', 'false', $line);
$edit_file_config_entry_exists = true;
} else {
if (strpos($line, "'DISALLOW_FILE_EDIT', false")) {
$edit_file_config_entry_exists = true;
//$this->show_msg_updated(__('Your system config file is already configured to allow PHP file editing.', 'all-in-one-wp-security-and-firewall'));
return true;
}
}
}
if (!$edit_file_config_entry_exists) {
//if the DISALLOW_FILE_EDIT settings don't exist in wp-config.php then we don't need to do anything
//$this->show_msg_updated(__('Your system config file is already configured to allow PHP file editing.', 'all-in-one-wp-security-and-firewall'));
return true;
} else {
//Now let's modify the wp-config.php file
if (AIOWPSecurity_Utility_File::write_content_to_file($config_file, $config_contents)) {
//$this->show_msg_updated(__('Settings Saved - Your system is now configured to allow PHP file editing.', 'all-in-one-wp-security-and-firewall'));
return true;
} else {
//$this->show_msg_error(__('Operation failed! Unable to modify wp-config.php file!', 'all-in-one-wp-security-and-firewall'));
//$aio_wp_security->debug_logger->log_debug("Disable PHP File Edit - Unable to modify wp-config.php",4);
return false;
}
}
}
function render_tab3()
{
global $aio_wp_security;
if (isset($_POST['aiowps_restore_wp_config_button'])) {
$nonce = $_REQUEST['_wpnonce'];
if (!wp_verify_nonce($nonce, 'aiowpsec-restore-wp-config-nonce')) {
$aio_wp_security->debug_logger->log_debug("Nonce check failed on wp-config file restore!", 4);
die("Nonce check failed on wp-config file restore!");
}
if (empty($_POST['aiowps_wp_config_file'])) {
$this->show_msg_error(__('Please choose a wp-config.php file to restore from.', 'aiowpsecurity'));
} else {
//Let's copy the uploaded wp-config.php file into the active root file
$new_wp_config_file_path = trim($_POST['aiowps_wp_config_file']);
//Verify that file chosen is a wp-config.file
$is_wp_config = $this->check_if_wp_config_contents($new_wp_config_file_path);
if ($is_wp_config == 1) {
$active_root_wp_config = AIOWPSecurity_Utility_File::get_wp_config_file_path();
if (!copy($new_wp_config_file_path, $active_root_wp_config)) {
//Failed to make a backup copy
$aio_wp_security->debug_logger->log_debug("wp-config.php - Restore from backed up wp-config operation failed!", 4);
$this->show_msg_error(__('wp-config.php file restore failed. Please attempt to restore this file manually using FTP.', 'aiowpsecurity'));
} else {
$this->show_msg_updated(__('Your wp-config.php file has successfully been restored!', 'aiowpsecurity'));
}
} else {
$aio_wp_security->debug_logger->log_debug("wp-config.php restore failed - Contents of restore file appear invalid!", 4);
$this->show_msg_error(__('wp-config.php Restore operation failed! Please check the contents of the file you are trying to restore from.', 'aiowpsecurity'));
}
}
}
?>
<h2><?php
_e('wp-config.php File Operations', 'aiowpsecurity');
?>
</h2>
<div class="aio_blue_box">
<?php
echo '<p>' . __('Your "wp-config.php" file is one of the most important in your WordPress installation. It is a primary configuration file and contains crucial things such as details of your database and other critical components.', 'aiowpsecurity') . '
<br />' . __('This feature allows you to backup and save your currently active wp-config.php file should you need to re-use the the backed up file in the future.', 'aiowpsecurity') . '
<br />' . __('You can also restore your site\'s wp-config.php settings using a backed up wp-config.php file.', 'aiowpsecurity') . '
</p>';
?>
</div>
<?php
if (AIOWPSecurity_Utility::is_multisite_install() && get_current_blog_id() != 1) {
//Hide config settings if MS and not main site
AIOWPSecurity_Utility::display_multisite_message();
} else {
?>
<div class="postbox">
<h3><label for="title"><?php
_e('Save the current wp-config.php file', 'aiowpsecurity');
?>
</label></h3>
<div class="inside">
<form action="" method="POST">
<?php
wp_nonce_field('aiowpsec-save-wp-config-nonce');
?>
<p class="description"><?php
_e('Click the button below to backup and download the contents of the currently active wp-config.php file.', 'aiowpsecurity');
?>
</p>
<input type="submit" name="aiowps_save_wp_config" value="<?php
_e('Backup wp-config.php File', 'aiowpsecurity');
?>
" class="button-primary" />
</form>
</div></div>
<div class="postbox">
<h3><label for="title"><?php
_e('Restore from a backed up wp-config file', 'aiowpsecurity');
?>
</label></h3>
<div class="inside">
<form action="" method="POST">
<?php
wp_nonce_field('aiowpsec-restore-wp-config-nonce');
?>
<table class="form-table">
<tr valign="top">
<th scope="row"><?php
_e('wp-config file to restore from', 'aiowpsecurity');
?>
:</th>
<td>
<input type="button" id="aiowps_wp_config_file_button" name="aiowps_wp_config_file_button" class="button rbutton" value="Select Your wp-config File" />
<input name="aiowps_wp_config_file" type="text" id="aiowps_wp_config_file" value="" size="80" />
<p class="description">
<?php
_e('After selecting your file click the button below to restore your site using the backed up wp-config file (wp-config.php.backup.txt).', 'aiowpsecurity');
?>
</p>
</td>
</tr>
</table>
<input type="submit" name="aiowps_restore_wp_config_button" value="<?php
_e('Restore wp-config File', 'aiowpsecurity');
?>
" class="button-primary" />
</form>
</div></div>
<div class="postbox">
<h3><label for="title"><?php
_e('View Contents of the currently active wp-config.php file', 'aiowpsecurity');
?>
</label></h3>
<div class="inside">
<?php
$wp_config_file = AIOWPSecurity_Utility_File::get_wp_config_file_path();
$wp_config_contents = AIOWPSecurity_Utility_File::get_file_contents($wp_config_file);
?>
<textarea class="aio_text_area_file_output aio_width_80 aio_spacer_10_tb" rows="20" readonly><?php
echo $wp_config_contents;
?>
</textarea>
</div></div>
<?php
}
//End if statement
}
