function check_requirements()
 {
     if (rs_wpss_is_admin_sproc(TRUE) || rs_wpss_is_doing_ajax()) {
         return;
     }
     if (current_user_can('manage_network')) {
         /* Check for pending admin notices */
         $admin_notices = get_option('spamshield_admin_notices');
         if (!empty($admin_notices)) {
             add_action('network_admin_notices', array($this, 'admin_notices'));
         }
         /* Make sure not network activated */
         if (is_plugin_active_for_network(WPSS_PLUGIN_BASENAME)) {
             deactivate_plugins(WPSS_PLUGIN_BASENAME, TRUE, TRUE);
             $notice_text = __('Plugin deactivated. WP-SpamShield is not available for network activation.', 'wp-spamshield');
             /* TO DO: Fix translation. */
             $new_admin_notice = array('style' => 'error notice is-dismissible', 'notice' => $notice_text);
             update_option('spamshield_admin_notices', $new_admin_notice);
             add_action('network_admin_notices', array($this, 'admin_notices'));
             rs_wpss_append_log_data($notice_text, FALSE);
             return FALSE;
         }
     }
     if (rs_wpss_is_user_admin()) {
         /* Check for deprecated options */
         self::deprecated_options_check();
         /* Check if plugin has been upgraded */
         $this->upgrade_check();
         /* Check for outdated WordPress versions with known security flaws */
         $this->insecure_wordpress_check();
         /* Check for pending admin notices */
         $admin_notices = get_option('spamshield_admin_notices');
         if (!empty($admin_notices)) {
             add_action('admin_notices', array($this, 'admin_notices'));
         }
         /* Make sure user has minimum required WordPress version, in order to prevent issues */
         $wpss_wp_version = WPSS_WP_VERSION;
         if (!empty($wpss_wp_version) && version_compare($wpss_wp_version, WPSS_REQUIRED_WP_VERSION, '<')) {
             deactivate_plugins(WPSS_PLUGIN_BASENAME);
             $notice_text = sprintf(__('Plugin deactivated. WordPress Version %s required. Please upgrade WordPress to the latest version.', 'wp-spamshield'), WPSS_REQUIRED_WP_VERSION);
             /* TO DO: Fix translation. */
             $new_admin_notice = array('style' => 'error notice is-dismissible', 'notice' => $notice_text);
             update_option('spamshield_admin_notices', $new_admin_notice);
             add_action('admin_notices', array($this, 'admin_notices'));
             rs_wpss_append_log_data($notice_text, FALSE);
             return FALSE;
         }
         /* Make sure user has minimum required PHP version, in order to prevent issues */
         $wpss_php_version = WPSS_PHP_VERSION;
         if (!empty($wpss_php_version) && version_compare($wpss_php_version, WPSS_REQUIRED_PHP_VERSION, '<')) {
             deactivate_plugins(WPSS_PLUGIN_BASENAME);
             $notice_text = '<p>' . __('Plugin <strong>deactivated</strong>.') . ' ' . str_replace('WordPress', 'WP-SpamShield', sprintf(__('Your server is running PHP version %1$s but WordPress %2$s requires at least %3$s.'), WPSS_PHP_VERSION, WPSS_VERSION, WPSS_REQUIRED_PHP_VERSION)) . ' ' . sprintf(__('We are no longer supporting PHP 5.2, as it reached its End of Life (no longer supported by the PHP team) <a href=%2$s>in 2011</a>, and there are known security, performance, and compatibility issues. We are phasing out support for PHP 5.3 as it reached End of Life in 2014.</p><p>The version of PHP running on your server is <em>extremely out of date</em>. You should upgrade your PHP version as soon as possible.</p><p>If you need help with this, please contact your web hosting company and ask them to switch your PHP version to 5.5, 5.6, or higher. Please see the <a href=%4$s>plugin documentation</a> and <a href=%5$s>changelog</a> if you have further questions.', 'wp-spamshield'), WPSS_REQUIRED_PHP_VERSION, '"http://php.net/archive/2011.php#id2011-08-23-1" target="_blank" rel="external" ', $wpss_php_version, '"' . rs_wpss_append_url(WPSS_HOME_URL . '?src=' . WPSS_VERSION . '-php-notice#wpss_requirements') . '" target="_blank" rel="external" ', '"' . rs_wpss_append_url(WPSS_HOME_URL . 'version-history/?src=' . WPSS_VERSION . '-php-notice#ver_182') . '" target="_blank" rel="external" ') . '</p>';
             /* TO DO: NEEDS TRANSLATION - Added 1.8.2, Updated 1.9.7.4 */
             $new_admin_notice = array('style' => 'error notice is-dismissible', 'notice' => $notice_text);
             update_option('spamshield_admin_notices', $new_admin_notice);
             add_action('admin_notices', array($this, 'admin_notices'));
             rs_wpss_append_log_data($notice_text, FALSE);
             return FALSE;
         }
         $wpss_wp_config_error = $this->check_wp_config_status();
         /* TO DO: Make version for Network Admins when we add full Multisite compatibility (Network Activation) */
         if (!empty($wpss_wp_config_error)) {
             deactivate_plugins(WPSS_PLUGIN_BASENAME);
             $correct_error = sprintf(__('Please check your <a href="%1$s">settings</a> and correct the error.', 'wp-spamshield'), WPSS_ADMIN_URL . '/options-general.php');
             $notice_text = sprintf('<p>%1$s <strong>%2$s %3$s</strong> %4$s</p>', __('Plugin <strong>deactivated</strong>.'), __('There is an error in your WordPress configuration.', 'wp-spamshield'), $wpss_wp_config_error, $correct_error);
             /* TO DO: NEEDS TRANSLATION - Added 1.9.7.1 */
             $new_admin_notice = array('style' => 'error', 'notice' => $notice_text);
             update_option('spamshield_admin_notices', $new_admin_notice);
             add_action('admin_notices', array($this, 'admin_notices'));
             rs_wpss_append_log_data($notice_text, FALSE);
             return FALSE;
         }
         $this->check_cpn_notices();
         /* Security Check - See if(extremely) old version of plugin still active */
         $old_version = 'wp-spamfree/wp-spamfree.php';
         $old_version_active = WPSS_Compatibility::is_plugin_active($old_version, FALSE);
         if (!empty($old_version_active)) {
             /**
              * Not safe to keep old version active due to unpatched security hole(s), broken PHP, and lack of maintenance.
              * For security reasons, deactivate old version.
              */
             deactivate_plugins($old_version);
             /* Clean up database */
             $del_options = array('wp_spamfree_version', 'spamfree_count', 'spamfree_options');
             foreach ($del_options as $i => $option) {
                 delete_option($option);
             }
             /**
              * Good to go!
              * Since WP-SpamShield takes over 100% of old version's responsibilities, there is no loss of functionality, only improvements.
              * Site speed will improve and server load will now drop dramatically.
              */
         }
         /* Compatibility Checks */
         if (TRUE === WPSS_COMPAT_MODE || defined('WPSS_SOFT_COMPAT_MODE')) {
             rs_wpss_admin_jp_fix();
         }
         rs_wpss_admin_ao_fix();
         rs_wpss_admin_fscf_fix();
     }
 }
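/**
 * Checks all miscellaneous form POST submissions for spam and ends the
 * request with a 403 when the submission is rejected.
 * Added 1.8.9.9
 *
 * Returns early, running no checks, for admins and admin sub-processes,
 * non-POST requests, payloads already handled by another shield (comment,
 * registration, CF7, Gravity Forms, s2Member, ...), admin pages other than
 * the registration page, AJAX/cron/XML-RPC/installer requests, trackbacks,
 * comment moderators and logged-in users, the site's own IP address and its
 * /24, e-commerce URIs, known login payloads, anything
 * WPSS_Compatibility::misc_form_bypass() exempts, and anything the
 * 'wpss_misc_form_spam_check_bypass' filter exempts.
 *
 * Checks performed (error codes are prefixed per form type: MSC-, JP-, NF-, MCF-):
 *   - JS/jQuery token check (JQHFT-5); once this fires, later checks still
 *     extend the error code but add no further user-facing message
 *   - email blacklist on every POST field whose key contains 'email' (9200E-BL);
 *     MailChimp forms additionally reject syntactically invalid addresses
 *   - contact-form content blacklist for Jetpack / Ninja Forms (10400C-BL)
 *   - bad-robot blacklist (code supplied by rs_wpss_bad_robot_blacklist_chk)
 *   - blacklisted-user cache (0-BL), consulted only when nothing else fired
 *   All but the first are skipped for submissions carrying 'wp-submit'
 *   (default WordPress login / registration / lost-password forms).
 *
 * Side effects: updates session data, records the accept/reject status, logs
 * the submission when comment logging is enabled, may IP-ban the client when
 * WPSS_IP_BAN_ENABLE is on and WPSS_Security::check_post_sec() flags the POST,
 * and calls wp_die() on rejection.
 *
 * @return void
 */
function rs_wpss_misc_form_spam_check()
{
    if (rs_wpss_is_user_admin() || rs_wpss_is_admin_sproc()) {
        return;
    }
    global $spamshield_options;
    if (empty($spamshield_options)) {
        $spamshield_options = get_option('spamshield_options');
    }
    rs_wpss_update_session_data($spamshield_options);
    if (!empty($spamshield_options['disable_misc_form_shield'])) {
        return;
    }
    $req_uri = $_SERVER['REQUEST_URI'];
    /* BYPASS - GENERAL: not a form POST, or a payload another shield handles */
    if (empty($_POST) || 'POST' !== $_SERVER['REQUEST_METHOD']
        || isset($_POST[WPSS_REF2XJS]) || isset($_POST[WPSS_JSONST])
        || isset($_POST['wpss_contact_message'])
        || isset($_POST['signup_username']) || isset($_POST['signup_email'])
        || isset($_POST['ws_plugin__s2member_registration'])
        || isset($_POST['_wpcf7_version'])
        || isset($_POST['gform_submit']) || isset($_POST['gform_unique_id'])) {
        return;
    }
    if (is_admin() && !rs_wpss_is_login_page()) {
        return;
    }
    if (rs_wpss_is_login_page() && (!isset($_GET['action']) || $_GET['action'] !== 'register')) {
        return;
    }
    if (rs_wpss_is_doing_ajax() || rs_wpss_is_doing_cron() || rs_wpss_is_xmlrpc() || defined('WP_INSTALLING')) {
        return;
    }
    if (rs_wpss_is_ajax_request() || rs_wpss_is_comment_request() || is_trackback()) {
        return;
    }
    if (current_user_can('moderate_comments') || is_user_logged_in()) {
        return;
    }
    /* May remove later */
    $post_count = count($_POST);
    if ($post_count === 4 && isset($_POST['excerpt'], $_POST['url'], $_POST['title'], $_POST['blog_name'])) {
        return;
    }
    /* Skip website IP address */
    $ip = rs_wpss_get_ip_addr();
    if ($ip === WPSS_SERVER_ADDR) {
        return;
    }
    /* Skip anything on same C-Block as website: the first three octets of the
     * client address are compared against the server address. Where the
     * server shares its /24 with other tenants this exemption is broad. */
    if (strpos($ip, '.') !== FALSE) {
        $octets = explode('.', $ip);
        unset($octets[3]);
        $c_block = implode('.', $octets) . '.';
        if (strpos(WPSS_SERVER_ADDR, $c_block) === 0) {
            return;
        }
    }
    /* Skip e-commerce checkout flows */
    foreach (array('/checkout/', '/store/', '/shop/', '/cart/') as $ecom_path) {
        if (strpos($req_uri, $ecom_path) !== FALSE) {
            return;
        }
    }
    /* Skip the default WordPress and WooCommerce login payloads */
    $admin_url = WPSS_ADMIN_URL . '/';
    if ($post_count >= 5 && isset($_POST['log'], $_POST['pwd'], $_POST['wp-submit'], $_POST['testcookie'], $_POST['redirect_to']) && $_POST['redirect_to'] === $admin_url) {
        return;
    }
    if ($post_count >= 5 && isset($_POST['log'], $_POST['pwd'], $_POST['login'], $_POST['testcookie'], $_POST['redirect_to'])) {
        return;
    }
    if ($post_count >= 5 && isset($_POST['username'], $_POST['password'], $_POST['login'], $_POST['_wpnonce'], $_POST['_wp_http_referer']) && rs_wpss_is_wc_login_page()) {
        return;
    }
    if (WPSS_Compatibility::misc_form_bypass()) {
        return;
    }
    /* BYPASS - HOOK */
    $mfsc_bypass = apply_filters('wpss_misc_form_spam_check_bypass', FALSE);
    if (!empty($mfsc_bypass)) {
        return;
    }
    $msc_filter_status = $wpss_error_code = '';
    $msc_jsck_error = FALSE;
    $form_type = 'misc form';
    $pref = 'MSC-';
    $errors_3p = array();
    $error_txt = rs_wpss_error_txt();
    $server_email_domain = rs_wpss_get_email_domain(WPSS_SERVER_NAME);
    /* Serialized only as a log representation of the request body. This is
     * attacker-controlled data; it must never be unserialize()d from the log. */
    $msc_serial_post = serialize($_POST);
    $form_auth_dat = array('comment_author' => '', 'comment_author_email' => '', 'comment_author_url' => '');
    /* Check for Specific Contact Form Plugins */
    if (defined('JETPACK__VERSION') && isset($_POST['action']) && $_POST['action'] === 'grunion-contact-form') {
        $form_type = 'jetpack form';
        $pref = 'JP-';
    } elseif (defined('NF_PLUGIN_VERSION') && isset($_POST['_ninja_forms_display_submit'])) {
        $form_type = 'ninja forms';
        $pref = 'NF-';
    } elseif ((defined('MC4WP_VERSION') || defined('MC4WP_LITE_VERSION')) && (isset($_POST['_mc4wp_form_id']) || isset($_POST['_mc4wp_form_submit']))) {
        $form_type = 'mailchimp form';
        $pref = 'MCF-';
    }
    /* JS/JQUERY CHECK */
    $wpss_key_values = rs_wpss_get_key_values();
    if (TRUE === WPSS_COMPAT_MODE || defined('WPSS_SOFT_COMPAT_MODE')) {
        /* Fall back to FVFJS Keys instead of jQuery keys from jscripts.php */
        $wpss_jq_key = $wpss_key_values['wpss_js_key'];
        $wpss_jq_val = $wpss_key_values['wpss_js_val'];
    } else {
        $wpss_jq_key = $wpss_key_values['wpss_jq_key'];
        $wpss_jq_val = $wpss_key_values['wpss_jq_val'];
    }
    $wpss_jsck_jquery_val = !empty($_POST[$wpss_jq_key]) ? $_POST[$wpss_jq_key] : '';
    if ($wpss_jsck_jquery_val !== $wpss_jq_val) {
        $wpss_error_code .= ' ' . $pref . 'JQHFT-5';
        $msc_jsck_error = TRUE;
        $errors_3p['jsck_error'] = __('Sorry, there was an error. Please be sure JavaScript and Cookies are enabled in your browser and try again.', WPSS_PLUGIN_NAME);
    }
    if (!isset($_POST['wp-submit'])) {
        /* Don't use on default WordPress Login, Registration, or Forgot Email pages */
        /* EMAIL BLACKLIST: every string field whose key contains 'email'.
         * A syntactically invalid address is itself rejected only on MailChimp forms. */
        $reject_invalid_email = ($form_type === 'mailchimp form');
        foreach ($_POST as $k => $v) {
            if (!is_string($v)) {
                continue;
            }
            $k_lc = rs_wpss_casetrans('lower', $k);
            if (strpos($k_lc, 'email') === FALSE) {
                continue;
            }
            $v_lc = rs_wpss_casetrans('lower', trim(stripslashes($v)));
            if (is_email($v_lc)) {
                /* Addresses at the site's own domain are never blacklisted */
                if (rs_wpss_parse_email($v_lc, 'domain') === $server_email_domain) {
                    continue;
                }
                $email_rejected = rs_wpss_email_blacklist_chk($v_lc);
            } else {
                $email_rejected = $reject_invalid_email;
            }
            if (!$email_rejected) {
                continue;
            }
            $wpss_error_code .= ' ' . $pref . '9200E-BL';
            if ($msc_jsck_error !== TRUE) {
                $errors_3p['blacklist_email_error'] = __('Sorry, that email address is not allowed!') . ' ' . __('Please enter a valid email address.');
            }
            break;
        }
        if ($form_type === 'jetpack form' || $form_type === 'ninja forms') {
            /* CONTACT FORM CONTENT BLACKLIST */
            foreach ($_POST as $k => $v) {
                if (!is_string($v)) {
                    continue;
                }
                $k_lc = rs_wpss_casetrans('lower', $k);
                $v_lc = rs_wpss_casetrans('lower', trim(stripslashes($v)));
                if ((strpos($k_lc, 'message') !== FALSE || strpos($k_lc, 'comment') !== FALSE) && rs_wpss_cf_content_blacklist_chk($v_lc)) {
                    $wpss_error_code .= ' ' . $pref . '10400C-BL';
                    if ($msc_jsck_error !== TRUE) {
                        $errors_3p['blacklist_content_error'] = __('Message appears to be spam.', WPSS_PLUGIN_NAME);
                    }
                    break;
                }
            }
        }
        /* BAD ROBOT BLACKLIST */
        $bad_robot_filter_data = rs_wpss_bad_robot_blacklist_chk($form_type, $msc_filter_status);
        if (!empty($bad_robot_filter_data['blacklisted'])) {
            $wpss_error_code .= $bad_robot_filter_data['error_code'];
            if ($msc_jsck_error !== TRUE) {
                $errors_3p['badrobot_error'] = __('That action is currently not allowed.');
            }
        }
        /* BLACKLISTED USER - only consulted when no other check has fired */
        if (empty($wpss_error_code) && rs_wpss_ubl_cache()) {
            $wpss_error_code .= ' ' . $pref . '0-BL';
            /* TO DO: TRANSLATE */
            $errors_3p['blacklisted_user_error'] = __('That action is currently not allowed.');
        }
    }
    /* Done with Tests */
    $wpss_error_code = trim($wpss_error_code);
    if (strpos($wpss_error_code, '0-BL') !== FALSE) {
        rs_wpss_append_log_data('Blacklisted user detected. Miscellaneous forms have been temporarily disabled to prevent spam. ERROR CODE: ' . $wpss_error_code, FALSE);
    }
    if (!empty($wpss_error_code)) {
        rs_wpss_update_accept_status($form_auth_dat, 'r', 'Line: ' . __LINE__, $wpss_error_code);
        /* If enabled, run security check to make sure this POST submission wasn't a security threat: vulnerability probe or hack attempt */
        $sec_threat_found = FALSE;
        if (TRUE === WPSS_IP_BAN_ENABLE) {
            $wpss_security = new WPSS_Security();
            if ($wpss_security->check_post_sec()) {
                global $wpss_sec_threat;
                $wpss_sec_threat = TRUE;
                $sec_threat_found = TRUE;
            }
        }
        if (!empty($spamshield_options['comment_logging'])) {
            rs_wpss_log_data($form_auth_dat, $wpss_error_code, $form_type, $msc_serial_post);
        }
        /* Ban only after the submission has been logged, and only for a threat found by this request */
        if ($sec_threat_found) {
            $wpss_security->ip_ban();
        }
    } else {
        rs_wpss_update_accept_status($form_auth_dat, 'a', 'Line: ' . __LINE__);
        if (!empty($spamshield_options['comment_logging']) && !empty($spamshield_options['comment_logging_all'])) {
            rs_wpss_log_data($form_auth_dat, $wpss_error_code, $form_type, $msc_serial_post);
        }
    }
    /* Now output error message */
    if (!empty($wpss_error_code)) {
        $error_msg = '';
        foreach ($errors_3p as $m) {
            $error_msg .= '<strong>' . $error_txt . ':</strong> ' . $m . '<br /><br />' . WPSS_EOL;
        }
        wp_die($error_msg, '', array('response' => '403'));
    }
}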
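 /**
  * SECURITY - Checks all incoming POST requests early for malicious behavior
  * Added 1.9.7.8
  *
  * Runs only for POST requests that are neither local nor from a logged-in
  * user, and only while the misc form shield is enabled. Error codes are
  * prefixed EPC-:
  *   - FAR1020: an admin-ajax POST with neither POST nor GET data, or with no
  *              'action' request parameter
  *   - UA1004:  a user agent matched by rs_wpss_skiddie_ua_check()
  *   - 0-BL:    a client in the blacklisted-user cache; additionally IP-banned
  *              when WPSS_IP_BAN_ENABLE is on and the request is XML-RPC
  * XML-RPC POSTs also start a session and receive the 'P_XMLRPC' marker
  * cookie. Any flag records a rejection, logs the request when comment
  * logging is enabled, and ends the request via WP_SpamShield::wp_die().
  *
  * @return void
  */
 public static function early_post_intercept()
 {
     if ('POST' !== $_SERVER['REQUEST_METHOD'] || rs_wpss_is_local_request() || is_user_logged_in()) {
         return;
     }
     global $spamshield_options;
     if (empty($spamshield_options)) {
         $spamshield_options = get_option('spamshield_options');
     }
     if (!empty($spamshield_options['disable_misc_form_shield'])) {
         return;
     }
     $wpss_error_code = '';
     $form_type = 'misc form';
     $pref = 'EPC-';
     $errors_3p = array();
     $error_txt = rs_wpss_error_txt();
     /* JSON is used only as a log representation of the request body;
      * json_encode() returns FALSE on unencodable input, so log '' instead. */
     $epc_serial_post = json_encode($_POST);
     if (FALSE === $epc_serial_post) {
         $epc_serial_post = '';
     }
     $form_auth_dat = array('comment_author' => '', 'comment_author_email' => '', 'comment_author_url' => '');
     /* Marker cookie for XML-RPC posters; an empty name means no cookie is set */
     $cookie = array(
         'name' => '',
         'value' => '1',
         'expire' => time() + 60 * 60 * 24 * 365,
         'path' => '/',
         'domain' => rs_wpss_get_cookie_domain(),
         'secure' => FALSE,
         'httponly' => FALSE,
     );
     if (rs_wpss_is_xmlrpc()) {
         /* NOTE(review): the previous version computed a $blocked flag here
          * (empty POST body, or query-string parameters present) but never acted
          * on it, so such XML-RPC requests were not rejected. The dead flag is
          * dropped; confirm whether those requests were meant to be rejected. */
         rs_wpss_start_session();
         $cookie['name'] = 'P_XMLRPC';
     }
     if (rs_wpss_is_doing_ajax()) {
         /* Parenthesised to make the precedence explicit: && binds before || */
         if ((empty($_POST) && empty($_GET)) || empty($_REQUEST['action'])) {
             $wpss_error_code .= ' ' . $pref . 'FAR1020';
             $errors_3p['fake_ajax_request_error'] = __('That action is currently not allowed.');
         }
     }
     if (rs_wpss_skiddie_ua_check()) {
         $wpss_error_code .= ' ' . $pref . 'UA1004';
         $errors_3p['badrobot_skiddie_error'] = __('That action is currently not allowed.');
     }
     if (rs_wpss_ubl_cache()) {
         if (TRUE === WPSS_IP_BAN_ENABLE && rs_wpss_is_xmlrpc()) {
             self::ip_ban();
         }
         $wpss_error_code .= ' ' . $pref . '0-BL';
         $errors_3p['blacklisted_user_error'] = __('That action is currently not allowed.');
     }
     /* Setting cookie to honeypot bad actors. Skipped once headers are out
      * instead of silencing the warning setcookie() would emit. */
     if (!empty($cookie['name']) && !headers_sent()) {
         setcookie($cookie['name'], $cookie['value'], $cookie['expire'], $cookie['path'], $cookie['domain'], $cookie['secure'], $cookie['httponly']);
     }
     if (empty($wpss_error_code)) {
         rs_wpss_update_accept_status($form_auth_dat, 'a', 'Line: ' . __LINE__);
         return;
     }
     rs_wpss_update_accept_status($form_auth_dat, 'r', 'Line: ' . __LINE__, $wpss_error_code);
     if (!empty($spamshield_options['comment_logging'])) {
         rs_wpss_log_data($form_auth_dat, $wpss_error_code, $form_type, $epc_serial_post);
     }
     /* Now output error message */
     $error_msg = '';
     foreach ($errors_3p as $m) {
         $error_msg .= '<strong>' . $error_txt . ':</strong> ' . $m . '<br /><br />' . WPSS_EOL;
     }
     WP_SpamShield::wp_die($error_msg, TRUE);
 }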