Ejemplo n.º 1
  * Build rewrite rules.
  * @since 4.0
  * @param mixed $input options to build rules from
  * @return array         rules to write
 public static function build_rewrite_rules($input = null)
     $server_type = ITSEC_Lib::get_server();
     //Get the server type to build the right rules
     //Get the rules from the database if input wasn't sent
     if ($input === null) {
         $input = get_site_option('itsec_tweaks');
     $rules = '';
     //initialize all rules to blank string
     //Process Protect Files Rules
     if ($input['protect_files'] === true) {
         if ($server_type === 'nginx') {
             //NGINX rules
             $rules .= "\t# " . __('Rules to block access to WordPress specific files and wp-includes', 'it-l10n-ithemes-security-pro') . PHP_EOL . "\tlocation ~ /\\.ht { deny all; }" . PHP_EOL . "\tlocation ~ wp-config.php { deny all; }" . PHP_EOL . "\tlocation ~ readme.html { deny all; }" . PHP_EOL . "\tlocation ~ readme.txt { deny all; }" . PHP_EOL . "\tlocation ~ /install.php { deny all; }" . PHP_EOL . "\tlocation ^wp-includes/(.*).php { deny all; }" . PHP_EOL . "\tlocation ^/wp-admin/includes(.*)\$ { deny all; }" . PHP_EOL;
         } else {
             //rules for all other servers
             $rules .= "# " . __('Rules to block access to WordPress specific files', 'it-l10n-ithemes-security-pro') . PHP_EOL . "<files .htaccess>" . PHP_EOL . "\tOrder allow,deny" . PHP_EOL . "\tDeny from all" . PHP_EOL . "</files>" . PHP_EOL . "<files readme.html>" . PHP_EOL . "\tOrder allow,deny" . PHP_EOL . "\tDeny from all" . PHP_EOL . "</files>" . PHP_EOL . "<files readme.txt>" . PHP_EOL . "\tOrder allow,deny" . PHP_EOL . "\tDeny from all" . PHP_EOL . "</files>" . PHP_EOL . "<files install.php>" . PHP_EOL . "\tOrder allow,deny" . PHP_EOL . "\tDeny from all" . PHP_EOL . "</files>" . PHP_EOL . "<files wp-config.php>" . PHP_EOL . "\tOrder allow,deny" . PHP_EOL . "\tDeny from all" . PHP_EOL . "</files>" . PHP_EOL;
     //Rules to disanle XMLRPC
     if ($input['disable_xmlrpc'] == 2) {
         if (strlen($rules) > 1) {
             $rules .= PHP_EOL;
         $rules .= "# " . __('Rules to disable XML-RPC', 'it-l10n-ithemes-security-pro') . PHP_EOL;
         if ($server_type === 'nginx') {
             //NGINX rules
             $rules .= "\tlocation ~ xmlrpc.php { deny all; }" . PHP_EOL;
         } else {
             //rules for all other servers
             $rules .= "<files xmlrpc.php>" . PHP_EOL . "\tOrder allow,deny" . PHP_EOL . "\tDeny from all" . PHP_EOL . "</files>" . PHP_EOL;
     //Primary Rules for Directory Browsing
     if ($input['directory_browsing'] == true) {
         if (strlen($rules) > 1) {
             $rules .= PHP_EOL;
         $rules .= "# " . __('Rules to disable directory browsing', 'it-l10n-ithemes-security-pro') . PHP_EOL;
         if ($server_type !== 'nginx') {
             //Don't use this on NGINX
             $rules .= "Options -Indexes" . PHP_EOL;
     //Apache rewrite rules (and related NGINX rules)
     if ($input['protect_files'] == true || $input['uploads_php'] == true || $input['request_methods'] == true || $input['suspicious_query_strings'] == true || $input['non_english_characters'] == true || $input['comment_spam'] == true) {
         if (strlen($rules) > 1) {
             $rules .= PHP_EOL;
         //Open Apache rewrite rules
         if ($server_type !== 'nginx') {
             $rules .= "<IfModule mod_rewrite.c>" . PHP_EOL . "\tRewriteEngine On" . PHP_EOL;
         //Rewrite Rules for Protect Files
         if ($input['protect_files'] == true && $server_type !== 'nginx') {
             $rules .= PHP_EOL . "\t# " . __('Rules to protect wp-includes', 'it-l10n-ithemes-security-pro') . PHP_EOL;
             $rules .= "\tRewriteRule ^wp-admin/includes/ - [F]" . PHP_EOL . "\tRewriteRule !^wp-includes/ - [S=3]" . PHP_EOL . "\tRewriteCond %{SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php" . PHP_EOL . "\tRewriteRule ^wp-includes/[^/]+\\.php\$ - [F]" . PHP_EOL . "\tRewriteRule ^wp-includes/js/tinymce/langs/.+\\.php - [F]" . PHP_EOL . "\tRewriteRule ^wp-includes/theme-compat/ - [F]" . PHP_EOL;
         //Rewrite Rules for Disable PHP in Uploads
         if ($input['uploads_php'] === true) {
             $rules .= PHP_EOL . "\t# " . __('Rules to prevent php execution in uploads', 'it-l10n-ithemes-security-pro') . PHP_EOL;
             if ($server_type !== 'nginx') {
                 $rules .= "\tRewriteRule ^(.*)/uploads/(.*).php(.?) - [F]" . PHP_EOL;
             } else {
                 //rules for all other servers
                 $rules .= "\tlocation ^(.*)/uploads/(.*).php(.?){ deny all; }" . PHP_EOL;
         //Apache rewrite rules for disable http methods
         if ($input['request_methods'] == true) {
             $rules .= PHP_EOL . "\t# " . __('Rules to block unneeded HTTP methods', 'it-l10n-ithemes-security-pro') . PHP_EOL;
             if ($server_type === 'nginx') {
                 //NGINX rules
                 $rules .= "\tif (\$request_method ~* \"^(TRACE|DELETE|TRACK)\"){ return 403; }" . PHP_EOL;
             } else {
                 //rules for all other servers
                 $rules .= "\tRewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]" . PHP_EOL . "\tRewriteRule ^(.*)\$ - [F]" . PHP_EOL;
         //Process suspicious query rules
         if ($input['suspicious_query_strings'] == true) {
             $rules .= PHP_EOL . "\t# " . __('Rules to block suspicious URIs', 'it-l10n-ithemes-security-pro') . PHP_EOL;
             if ($server_type === 'nginx') {
                 //NGINX rules
                 $rules .= "\tset \$susquery 0;" . PHP_EOL . "\tif (\$args ~* \"\\.\\./\") { set \$susquery 1; }" . PHP_EOL . "\tif (\$args ~* \"\\.(bash|git|hg|log|svn|swp|cvs)\") { set \$susquery 1; }" . PHP_EOL . "\tif (\$args ~* \"etc/passwd\") { set \$susquery 1; }" . PHP_EOL . "\tif (\$args ~* \"boot.ini\") { set \$susquery 1; }" . PHP_EOL . "\tif (\$args ~* \"ftp:\") { set \$susquery 1; }" . PHP_EOL . "\tif (\$args ~* \"http:\") { set \$susquery 1; }" . PHP_EOL . "\tif (\$args ~* \"https:\") { set \$susquery 1; }" . PHP_EOL . "\tif (\$args ~* \"(<|%3C).*script.*(>|%3E)\") { set \$susquery 1; }" . PHP_EOL . "\tif (\$args ~* \"mosConfig_[a-zA-Z_]{1,21}(=|%3D)\") { set \$susquery 1; }" . PHP_EOL . "\tif (\$args ~* \"base64_encode\") { set \$susquery 1; }" . PHP_EOL . "\tif (\$args ~* \"(%24&x)\") { set \$susquery 1; }" . PHP_EOL . "\tif (\$args ~* \"(127.0)\") { set \$susquery 1; }" . PHP_EOL . "\tif (\$args ~* \"(globals|encode|localhost|loopback)\") { set \$susquery 1; }" . PHP_EOL . "\tif (\$args ~* \"(request|insert|concat|union|declare)\") { set \$susquery 1; }" . PHP_EOL . "\tif (\$args !~ \"^loggedout=true\"){ set \$susquery 0; }" . PHP_EOL . "\tif (\$args !~ \"^action=jetpack-sso\"){ set \$susquery 0; }" . PHP_EOL . "\tif (\$args !~ \"^action=rp\"){ set \$susquery 0; }" . PHP_EOL . "\tif (\$http_cookie !~ \"^.*wordpress_logged_in_.*\$\"){ set \$susquery 0; }" . PHP_EOL . "\tif (\$http_referer !~ \"^http://maps.googleapis.com(.*)\$\"){ set \$susquery 0; }" . PHP_EOL . "\tif (\$susquery = 1) { return 403; } " . PHP_EOL;
             } else {
                 //rules for all other servers
                 $rules .= "\tRewriteCond %{QUERY_STRING} \\.\\.\\/ [NC,OR]" . PHP_EOL . "\tRewriteCond %{QUERY_STRING} ^.*\\.(bash|git|hg|log|svn|swp|cvs) [NC,OR]" . PHP_EOL . "\tRewriteCond %{QUERY_STRING} etc/passwd [NC,OR]" . PHP_EOL . "\tRewriteCond %{QUERY_STRING} boot\\.ini [NC,OR]" . PHP_EOL . "\tRewriteCond %{QUERY_STRING} ftp\\:  [NC,OR]" . PHP_EOL . "\tRewriteCond %{QUERY_STRING} http\\:  [NC,OR]" . PHP_EOL . "\tRewriteCond %{QUERY_STRING} https\\:  [NC,OR]" . PHP_EOL . "\tRewriteCond %{QUERY_STRING} (\\<|%3C).*script.*(\\>|%3E) [NC,OR]" . PHP_EOL . "\tRewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]" . PHP_EOL . "\tRewriteCond %{QUERY_STRING} base64_encode.*\\(.*\\) [NC,OR]" . PHP_EOL . "\tRewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]" . PHP_EOL . "\tRewriteCond %{QUERY_STRING} ^.*(127\\.0).* [NC,OR]" . PHP_EOL . "\tRewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]" . PHP_EOL . "\tRewriteCond %{QUERY_STRING} ^.*(request|concat|insert|union|declare).* [NC]" . PHP_EOL . "\tRewriteCond %{QUERY_STRING} !^loggedout=true" . PHP_EOL . "\tRewriteCond %{QUERY_STRING} !^action=jetpack-sso" . PHP_EOL . "\tRewriteCond %{QUERY_STRING} !^action=rp" . PHP_EOL . "\tRewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*\$" . PHP_EOL . "\tRewriteCond %{HTTP_REFERER} !^http://maps\\.googleapis\\.com(.*)\$" . PHP_EOL . "\tRewriteRule ^(.*)\$ - [F]" . PHP_EOL;
         //Process filtering of foreign characters
         if ($input['non_english_characters'] == true) {
             $rules .= PHP_EOL . "\t# " . __('Rules to block foreign characters in URLs', 'it-l10n-ithemes-security-pro') . PHP_EOL;
             if ($server_type === 'nginx') {
                 //NGINX rules
                 $rules .= "\tif (\$args ~* \"(%0|%A|%B|%C|%D|%E|%F)\") { return 403; }" . PHP_EOL;
             } else {
                 //rules for all other servers
                 $rules .= "\tRewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F).* [NC]" . PHP_EOL . "\tRewriteRule ^(.*)\$ - [F]" . PHP_EOL;
         //Process Comment spam rules
         if ($input['comment_spam'] == true) {
             $rules .= PHP_EOL . "\t# " . __('Rules to help reduce spam', 'it-l10n-ithemes-security-pro') . PHP_EOL;
             if ($server_type === 'nginx') {
                 //NGINX rules
                 $rules .= "\tlocation /wp-comments-post.php {" . PHP_EOL . "\t\tvalid_referers jetpack.wordpress.com/jetpack-comment/ " . ITSEC_Lib::get_domain(get_site_url(), false) . ";" . PHP_EOL . "\t\tset \$rule_0 0;" . PHP_EOL . "\t\tif (\$request_method ~ \"POST\"){ set \$rule_0 1\$rule_0; }" . PHP_EOL . "\t\tif (\$invalid_referer) { set \$rule_0 2\$rule_0; }" . PHP_EOL . "\t\tif (\$http_user_agent ~ \"^\$\"){ set \$rule_0 3\$rule_0; }" . PHP_EOL . "\t\tif (\$rule_0 = \"3210\") { return 403; }" . PHP_EOL . "\t}";
             } else {
                 //rules for all other servers
                 $rules .= "\tRewriteCond %{REQUEST_METHOD} POST" . PHP_EOL . "\tRewriteCond %{REQUEST_URI} ^(.*)wp-comments-post\\.php*" . PHP_EOL . "\tRewriteCond %{HTTP_REFERER} !^" . ITSEC_Lib::get_domain(get_site_url()) . ".* " . PHP_EOL . "\tRewriteCond %{HTTP_REFERER} !^http://jetpack\\.wordpress\\.com/jetpack-comment/ [OR]" . PHP_EOL . "\tRewriteCond %{HTTP_USER_AGENT} ^\$" . PHP_EOL . "\tRewriteRule ^(.*)\$ - [F]" . PHP_EOL;
         //Close Apache Rewrite rules
         if ($server_type !== 'nginx') {
             //non NGINX rules
             $rules .= "</IfModule>";
     if (strlen($rules) > 0) {
         $rules = explode(PHP_EOL, $rules);
     } else {
         $rules = false;
     //create a proper array for writing
     return array('type' => 'htaccess', 'priority' => 10, 'name' => 'Tweaks', 'rules' => $rules);
	protected function get_valid_referers( $server_type ) {
		$valid_referers = array();
		if ( 'apache' === $server_type ) {
			$domain = ITSEC_Lib::get_domain( get_site_url() );
			if ( '*' == $domain ) {
				$valid_referers[] = $domain;
			} else {
				$valid_referers[] = "*.$domain";
		} else if ( 'nginx' === $server_type ) {
			$valid_referers[] = 'server_names';
		} else {
			return array();
		$valid_referers[] = 'jetpack.wordpress.com/jetpack-comment/';
		$valid_referers = apply_filters( 'itsec_filter_valid_comment_referers', $valid_referers, $server_type );
		if ( is_string( $valid_referers ) ) {
			$valid_referers = array( $valid_referers );
		} else if ( ! is_array( $valid_referers ) ) {
			$valid_referers = array();
		foreach ( $valid_referers as $index => $referer ) {
			$valid_referers[$index] = preg_replace( '|^https?://|', '', $referer );
		return $valid_referers;
	 * Sanitize and update user options.
	 * Sanitizes and updates user options when a user saves two-factor settings
	 * on their own profile.
	 * @since 1.2.0
	 * @param int $user_id user id
	 * @return void
	public function personal_options_update( $user_id ) {

		$enabled       = 'off';
		$enabled_input = isset( $_POST['itsec_two_factor_enabled'] ) ? sanitize_text_field( $_POST['itsec_two_factor_enabled'] ) : 'off';
		$description   = isset( $_POST['itsec_two_factor_description'] ) ? sanitize_text_field( $_POST['itsec_two_factor_description'] ) : ITSEC_Lib::get_domain( get_site_url(), false, false );
		$key           = isset( $_POST['itsec_two_factor_key'] ) ? sanitize_text_field( $_POST['itsec_two_factor_key'] ) : ITSEC_Lib::get_random( 16, true );
		$use_app       = isset( $_POST['itsec_two_factor_use_app'] ) ? sanitize_text_field( $_POST['itsec_two_factor_use_app'] ) : 'off';

		$app_passes = array();

		if ( isset( $_POST['itsec_app_pass'] ) ) {

			$saved_passes = get_user_option( 'itsec_two_factor_app_pass', $user_id );

			if ( false === $saved_passes ) {

				$saved_passes = array();

			} elseif ( ! is_array( $saved_passes ) ) {

				$app_passes = array(
					__( 'unknown', 'it-l10n-ithemes-security-pro' ) => $saved_passes,


			//Prevent duplicates or changing password to all hashes
			foreach ( $_POST['itsec_app_pass'] as $app_pass ) {

				$name = sanitize_text_field( trim( $app_pass['name'] ) );

				if ( ! isset( $saved_passes[ $name ] ) ) {

					$pass = wp_hash_password( strtoupper( str_replace( ' ', '', sanitize_text_field( trim( $app_pass['pass'] ) ) ) ) );

					$app_passes[ $name ] = $pass;

				} else {

					$app_passes[ $name ] = $saved_passes[ $name ];




		$time = floor( time() / 30 ); //time to check

		if ( ( 'off' === get_user_option( 'itsec_two_factor_enabled', $user_id ) && 'on' === $enabled_input ) || ( $key !== get_user_option( 'itsec_two_factor_key', $user_id ) ) ) {

			if ( isset( $_POST['itsec_two_factor_confirm'] ) ) {

				$code = sanitize_text_field( trim( $_POST['itsec_two_factor_confirm'] ) );

			} else {

				$code = false;


			if ( false !== $code && 0 < strlen( $code ) ) {

				$good_code = false;

				$offset = isset( $this->settings['offset'] ) ? intval( $this->settings['offset'] ) : 1;

				//Check both sides of the time
				for ( $i = - $offset; $i <= $offset; $i ++ ) {

					$log_time = $time + $i;

					if ( $this->get_code( $key, $log_time ) === $code ) {

						$enabled   = $enabled_input;
						$good_code = true;



			} else {

				$good_code = false;


			if ( false === $good_code ) {
				add_action( 'user_profile_update_errors', array( $this, 'user_profile_update_errors' ), 10, 3 );

		} else {

			$enabled = $enabled_input;


		update_user_option( $user_id, 'itsec_two_factor_enabled', $enabled, true );
		update_user_option( $user_id, 'itsec_two_factor_description', $description, true );
		update_user_option( $user_id, 'itsec_two_factor_key', $key, true );

		if ( 'off' !== $use_app ) {

			if ( 1 > sizeof( $app_passes ) ) {

				$use_app = 'off';
				delete_user_option( $user_id, 'itsec_two_factor_app_pass', true );

			} else {

				update_user_option( $user_id, 'itsec_two_factor_app_pass', $app_passes, true );



		update_user_option( $user_id, 'itsec_two_factor_use_app', $use_app, true );
