_e('BulletProof Security ~ htaccess Core', 'bulletproof-security');
?>
</h2>
<div id="message" class="updated" style="border:1px solid #999999;margin-left:70px;background-color:#000;">

<?php 
// HUD - Heads Up Display - Warnings and Error messages
// Each bps_* check returns markup that is echoed here; the echo order is the display order.
echo bps_check_php_version_error();
echo bps_hud_check_bpsbackup();
echo bps_check_safemode();
// NOTE(review): @ silences any notice/warning from these two checks, including an
// undefined $plugin_var (it is not assigned anywhere in this view); a check that
// fails would simply print nothing — TODO confirm where $plugin_var is defined.
echo @bps_w3tc_htaccess_check($plugin_var);
echo @bps_wpsc_htaccess_check($plugin_var);
bps_delete_language_files();
// default.htaccess, secure.htaccess, fwrite content for all WP site types
// Site-relative folder names for the htaccess content built by the handlers below.
$bps_get_domain_root = bpsGetDomainRoot();
$bps_get_wp_root_default = bps_wp_get_root_folder();
// Replace ABSPATH = wp-content/plugins (str_replace strips every occurrence of ABSPATH, not only a prefix)
$bps_plugin_dir = str_replace(ABSPATH, '', WP_PLUGIN_DIR);
// Replace ABSPATH = wp-content
$bps_wpcontent_dir = str_replace(ABSPATH, '', WP_CONTENT_DIR);
// Replace ABSPATH = wp-content/uploads
$wp_upload_dir = wp_upload_dir();
$bps_uploads_dir = str_replace(ABSPATH, '', $wp_upload_dir['basedir']);
// Wrapper markup for the notices printed by the form handlers that follow.
$bps_topDiv = '<div id="message" class="updated" style="background-color:#ffffe0;font-size:1em;font-weight:bold;border:1px solid #999999; margin-left:70px;"><p>';
$bps_bottomDiv = '</p></div>';
// Form: Root BulletProof Mode and Default Mode - copy and rename htaccess files to root folder
if (isset($_POST['Submit-Secure-Root']) && current_user_can('manage_options')) {
    check_admin_referer('bulletproof_security_root_copy');
    $options = get_option('bulletproof_security_options_autolock');
    $DefaultHtaccess = WP_PLUGIN_DIR . '/bulletproof-security/admin/htaccess/default.htaccess';
    $RootHtaccess = ABSPATH . '.htaccess';
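/**
 * Setup Wizard: (re)create the default.htaccess "Default Mode" master file.
 *
 * Rewrites WP_PLUGIN_DIR/bulletproof-security/admin/htaccess/default.htaccess with a
 * generic WordPress rewrite block (the file header itself states it adds no security
 * rules) and echoes a green success or red failure notice. The file is written only
 * when it already exists. On a Network/Multisite install only a super admin may
 * write it, and the rewrite loop is built from the multisite base path and subdir
 * values. The admin-saved Custom Code options bps_customcode_wp_rewrite_start/_end,
 * when non-empty, replace the generated "WP REWRITE LOOP START/END" sections and are
 * written verbatim after htmlspecialchars_decode().
 *
 * Side effects: overwrites the default.htaccess file; echoes HTML. Prints nothing
 * when the file is missing or the multisite super-admin check fails.
 *
 * @return void
 */
function bpsSetupWizardCreateDefaultHtaccess()
{
    $bps_get_wp_root_default = bps_wp_get_root_folder();
    $bps_auto_write_default_file = WP_PLUGIN_DIR . '/bulletproof-security/admin/htaccess/default.htaccess';
    $BPSCustomCodeOptions = get_option('bulletproof_security_options_customcode');
    $bpsSuccessMessageSec = '<font color="green"><strong>' . __('The default.htaccess Default Mode Master htaccess file was created successfully.', 'bulletproof-security') . '</strong></font><br>';
    $bpsFailMessageSec = '<font color="red"><strong>' . __('Error: The default.htaccess Default Mode Master htaccess file cannot be created.', 'bulletproof-security') . '</strong></font><br><strong>' . __('If your Server configuration is DSO you must first make some one-time manual changes to your website before running the Setup Wizard. Please click this Forum Link for instructions: ', 'bulletproof-security') . ' <a href="http://forum.ait-pro.com/forums/topic/dso-setup-steps/" target="_blank" title="Link opens in a new Browser window">' . __('DSO Setup Steps', 'bulletproof-security') . '</a></strong><br>';
    // Header shared by both site types; ends with the "# BEGIN BPS WordPress" marker.
    $bps_default_content_top = "#   BULLETPROOF DEFAULT .HTACCESS      \n\n# WARNING!!! THE default.htaccess FILE DOES NOT PROTECT YOUR WEBSITE AGAINST HACKERS\n# This is a standard generic htaccess file that does NOT provide any website security\n# The DEFAULT .HTACCESS file should be used for testing and troubleshooting purposes only\n\n# BEGIN BPS WordPress\n";
    $bpsMUEndWP = "# END BPS WordPress";

    if (is_multisite()) {
        // Network/Multisite all site types and versions: derive the rewrite base and
        // the per-site subdir capture from the home URL and the document root.
        $slashed_home = trailingslashit(get_option('home'));
        $base = parse_url($slashed_home, PHP_URL_PATH);
        $document_root_fix = str_replace('\\', '/', realpath($_SERVER['DOCUMENT_ROOT']));
        $abspath_fix = str_replace('\\', '/', ABSPATH);
        // Prefer the DOCUMENT_ROOT based path when ABSPATH lives under the document root.
        $home_path = 0 === strpos($abspath_fix, $document_root_fix) ? $document_root_fix . $base : get_home_path();
        $wp_siteurl_subdir = preg_replace('#^' . preg_quote($home_path, '#') . '#', '', $abspath_fix);
        $rewrite_base = !empty($wp_siteurl_subdir) ? ltrim(trailingslashit($wp_siteurl_subdir), '/') : '';
        $subdomain_install = is_subdomain_install();
        // Sub-directory installs capture the site slug as $1, shifting later captures by one.
        $subdir_match = $subdomain_install ? '' : '([_0-9a-zA-Z-]+/)?';
        $subdir_replacement_01 = $subdomain_install ? '' : '$1';
        $subdir_replacement_12 = $subdomain_install ? '$1' : '$2';
        $ms_files_rewriting = '';
        if (get_site_option('ms_files_rewriting')) {
            $ms_files_rewriting = "\n# uploaded files\nRewriteRule ^";
            $ms_files_rewriting .= $subdir_match . "files/(.+) {$rewrite_base}wp-includes/ms-files.php?file={$subdir_replacement_12} [L]" . "\n";
        }
        // Saved Custom Code replaces the generated loop start; isset() avoids a notice
        // when the option row is missing (same outcome as an empty value).
        if (isset($BPSCustomCodeOptions['bps_customcode_wp_rewrite_start']) && $BPSCustomCodeOptions['bps_customcode_wp_rewrite_start'] != '') {
            $bpsMUSDirTop = "# CUSTOM CODE WP REWRITE LOOP START\n" . htmlspecialchars_decode($BPSCustomCodeOptions['bps_customcode_wp_rewrite_start'], ENT_QUOTES) . "\n\n";
        } else {
            $bpsMUSDirTop = "# WP REWRITE LOOP START\nRewriteEngine On\nRewriteBase {$bps_get_wp_root_default}\nRewriteRule ^index\\.php\$ - [L]\n\n{$ms_files_rewriting}\n# add a trailing slash to /wp-admin\nRewriteRule ^{$subdir_match}wp-admin\$ {$subdir_replacement_01}wp-admin/ [R=301,L]\n\n";
        }
        // Saved Custom Code replaces the generated loop end.
        if (isset($BPSCustomCodeOptions['bps_customcode_wp_rewrite_end']) && $BPSCustomCodeOptions['bps_customcode_wp_rewrite_end'] != '') {
            $bpsMUSDirBottom = "# CUSTOM CODE WP REWRITE LOOP END\n" . htmlspecialchars_decode($BPSCustomCodeOptions['bps_customcode_wp_rewrite_end'], ENT_QUOTES) . "\n\n";
        } else {
            $bpsMUSDirBottom = "RewriteCond %{REQUEST_FILENAME} -f [OR]\nRewriteCond %{REQUEST_FILENAME} -d\nRewriteRule ^ - [L]\nRewriteRule ^{$subdir_match}(wp-(content|admin|includes).*) {$rewrite_base}{$subdir_replacement_12} [L]\nRewriteRule ^{$subdir_match}(.*\\.php)\$ {$rewrite_base}{$subdir_replacement_12} [L]\nRewriteRule . index.php [L]\n# WP REWRITE LOOP END\n";
        }
        $stringReplace = $bps_default_content_top . $bpsMUSDirTop . $bpsMUSDirBottom . $bpsMUEndWP;
        // Network site type: only a super admin may (re)create the master file.
        $bps_may_write = is_super_admin();
    } else {
        // Single/Standard WordPress site type: plain WordPress rewrite block.
        $bps_default_content_bottom = "<IfModule mod_rewrite.c>\nRewriteEngine On\nRewriteBase {$bps_get_wp_root_default}\nRewriteRule ^index\\.php\$ - [L]\nRewriteCond %{REQUEST_FILENAME} !-f\nRewriteCond %{REQUEST_FILENAME} !-d\nRewriteRule . " . $bps_get_wp_root_default . "index.php [L]\n</IfModule>\n\n# END BPS WordPress";
        $stringReplace = $bps_default_content_top . $bps_default_content_bottom;
        $bps_may_write = true;
    }

    // The file is rewritten in place only when it already exists. Its previous
    // content is not used, so it is not read first (a pre-read of a missing file
    // would only raise a warning).
    if (!$bps_may_write || !file_exists($bps_auto_write_default_file)) {
        return;
    }
    // file_put_contents() returns the byte count on success and false on failure;
    // the content is never empty, so compare against false explicitly.
    if (file_put_contents($bps_auto_write_default_file, $stringReplace) !== false) {
        echo $bpsSuccessMessageSec;
    } else {
        echo $bpsFailMessageSec;
    }
}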
/**
 * Root .htaccess status display / automatic htaccess update for the admin dashboard.
 *
 * Runs only for users with manage_options and branches on the request:
 *  - POST: prints the "Reload BPS Status Display" link on BPS pages and, for the
 *    DB backup / table-prefix form submits, a "Processing..." spinner.
 *  - the System Info page (matched by query string): prints a note that the status
 *    display is off there.
 *  - any other request: inspects the root .htaccess, prints Setup Wizard / alert
 *    notices, and when the file carries BPS rules but not the current version
 *    rewrites the root .htaccess in place (old rule blocks are brought up to the
 *    current form) before printing the status line.
 *
 * Side effects (upgrade case): writes the root .htaccess, chmod()s it, updates or
 * deletes several bulletproof_security_options_* options and a transient, and
 * echoes HTML. Reads $_SERVER and $_POST directly.
 *
 * @return void
 */
function bps_root_htaccess_status_dashboard()
{
    if (current_user_can('manage_options')) {
        global $bps_version, $bps_last_version, $aitpro_bullet;
        if (esc_html($_SERVER['REQUEST_METHOD']) == 'POST') {
            $bps_status_display = get_option('bulletproof_security_options_status_display');
            if ($bps_status_display['bps_status_display'] != 'Off') {
                if (preg_match('/page=bulletproof-security/', esc_html($_SERVER['REQUEST_URI']), $matches)) {
                    // Reload link target: the request URI (HTML-escaped) with the admin URL stripped
                    // when a query string is present, otherwise just its basename.
                    if (esc_html($_SERVER['QUERY_STRING']) == '') {
                        $bps_base = basename(esc_html($_SERVER['REQUEST_URI']));
                    } else {
                        $bps_base = str_replace(admin_url(), '', esc_html($_SERVER['REQUEST_URI']));
                    }
                    echo '<div id="bps-status-display" style="float:left;margin:6px 0px -40px 8px;padding:3px 5px 3px 5px;background-color:#e8e8e8;border:1px solid gray;"><a href="' . $bps_base . '" style="text-decoration:none;font-weight:bold;">' . __('Reload BPS Status Display', 'bulletproof-security') . '</a></div>';
                    echo '<div style="clear:both;"></div>';
                }
            }
            // Loose == true: any non-empty submit value for one of these three forms shows the spinner.
            if (@$_POST['Submit-DBB-Run-Job'] == true || @$_POST['Submit-DB-Table-Prefix'] == true || @$_POST['Submit-DB-Prefix-Table-Refresh'] == true) {
                $bpsPro_Spinner = get_option('bulletproof_security_options_spinner');
                if ($bpsPro_Spinner['bps_spinner'] != 'Off') {
                    echo '<div id="bps-status-display" style="padding:2px 0px 4px 8px;width:240px;">';
                    echo '<div id="bps-spinner" class="bps-spinner" style="background:#fff;border:4px solid black;">';
                    echo '<img id="bps-img-spinner" src="' . plugins_url('/bulletproof-security/admin/images/bps-spinner.gif') . '" style="float:left;margin:0px 20px 0px 0px;" />';
                    echo '<div id="bps-spinner-text-btn" style="padding:20px 0px 26px 0px;font-size:14px;">Processing...<br><button style="margin:10px 0px 0px 10px;" onclick="javascript:history.go(-1)">Cancel</button></div>';
                    echo '</div>';
                    ?>
    
<style>
<!--
.bps-spinner {
    visibility:visible;
	position:fixed;
    top:7%;
    left:45%;
 	width:240px;
	padding:2px 0px 4px 8px;   
	z-index:99999;
}
-->
</style>

<?php 
                    echo '</div>';
                }
            }
        } elseif (esc_html($_SERVER['QUERY_STRING']) == 'page=bulletproof-security/admin/system-info/system-info.php') {
            $bps_status_display = get_option('bulletproof_security_options_status_display');
            if ($bps_status_display['bps_status_display'] != 'Off') {
                echo '<div id="bps-status-display" style="float:left;padding:0px 0px 10px 0px;">' . __('The BPS Status Display is set to Off by default on the System Info page', 'bulletproof-security') . '</div>';
                echo '<div style="clear:both;"></div>';
            }
        } else {
            $options = get_option('bulletproof_security_options_autolock');
            $BPSCustomCodeOptions = get_option('bulletproof_security_options_customcode');
            $filename = ABSPATH . '.htaccess';
            // Root .htaccess facts; @ hides warnings when the file is missing (handled below).
            $permsHtaccess = @substr(sprintf('%o', fileperms($filename)), -4);
            $sapi_type = @php_sapi_name();
            $check_string = @file_get_contents($filename);
            // Bytes 3..48 of the file: the version line shown in the status display.
            $section = @file_get_contents($filename, NULL, NULL, 3, 46);
            $bps_get_domain_root = bpsGetDomainRoot();
            $bps_get_wp_root_secure = bps_wp_get_root_folder();
            $bps_plugin_dir = str_replace(ABSPATH, '', WP_PLUGIN_DIR);
            $bps_root_upgrade = '';
            // Patterns that recognise rule blocks written by earlier BPS versions; each is
            // used below as a guard before rewriting that block into its current form.
            $patterna = '/RedirectMatch\\s403\\s\\/\\\\.\\.\\*\\$/';
            $pattern0 = '/ErrorDocument\\s404\\s(.*)\\/404\\.php\\s*ErrorDocument\\s410\\s(.*)410\\.php/s';
            $pattern1 = '/#\\sFORBID\\sEMPTY\\sREFFERER\\sSPAMBOTS(.*)RewriteCond\\s%{HTTP_USER_AGENT}\\s\\^\\$\\sRewriteRule\\s\\.\\*\\s\\-\\s\\[F\\]/s';
            // Only match 2 or more identical duplicate referer lines: 1 will not match and 2, 3, 4... will match
            // NOTE(review): $bps_get_domain_root is interpolated into the pattern without preg_quote();
            // a value containing regex metacharacters changes what this matches — TODO confirm what
            // bpsGetDomainRoot() returns.
            $pattern2 = '/AnotherWebsite\\.com\\)\\.\\*\\s*(RewriteCond\\s%\\{HTTP_REFERER\\}\\s\\^\\.\\*' . $bps_get_domain_root . '\\.\\*\\s*){2,}\\s*RewriteRule\\s\\.\\s\\-\\s\\[S=1\\]/s';
            $pattern4 = '/\\.\\*\\(allow_url_include\\|allow_url_fopen\\|safe_mode\\|disable_functions\\|auto_prepend_file\\) \\[NC,OR\\]/s';
            $pattern6 = '/(\\[|\\]|\\(|\\)|<|>|%3c|%3e|%5b|%5d)/s';
            $pattern7 = '/RewriteCond %{QUERY_STRING} \\^\\.\\*(.*)[3](.*)[5](.*)[5](.*)[7](.*)\\)/';
            $pattern8 = '/\\[NC\\]\\s*RewriteCond\\s%{HTTP_REFERER}\\s\\^\\.\\*(.*)\\.\\*\\s*(.*)\\s*(.*)\\s*(.*)\\s*(.*)\\s*(.*)\\s*RewriteRule\\s\\.\\s\\-\\s\\[S=1\\]/';
            $pattern9 = '/RewriteCond\\s%{QUERY_STRING}\\s\\(sp_executesql\\)\\s\\[NC\\]\\s*(.*)\\s*(.*)END\\sBPSQSE(.*)\\s*RewriteCond\\s%{REQUEST_FILENAME}\\s!-f\\s*RewriteCond\\s%{REQUEST_FILENAME}\\s!-d\\s*RewriteRule\\s\\.(.*)\\/index\\.php\\s\\[L\\]\\s*(.*)LOOP\\sEND/';
            $pattern10 = '/#\\sBEGIN\\sBPSQSE\\sBPS\\sQUERY\\sSTRING\\sEXPLOITS\\s*#\\sThe\\slibwww-perl\\sUser\\sAgent\\sis\\sforbidden/';
            $pattern10a = '/RewriteCond\\s%\\{THE_REQUEST\\}\\s(.*)\\?(.*)\\sHTTP\\/\\s\\[NC,OR\\]\\s*RewriteCond\\s%\\{THE_REQUEST\\}\\s(.*)\\*(.*)\\sHTTP\\/\\s\\[NC,OR\\]/';
            $pattern10b = '/RewriteCond\\s%\\{THE_REQUEST\\}\\s.*\\?\\+\\(%20\\{1,\\}.*\\s*RewriteCond\\s%\\{THE_REQUEST\\}\\s.*\\+\\(.*\\*\\|%2a.*\\s\\[NC,OR\\]/';
            $pattern10c = '/RewriteCond\\s%\\{THE_REQUEST\\}\\s\\(\\\\?.*%2a\\)\\+\\(%20\\+\\|\\\\s\\+.*HTTP\\(:\\/.*\\[NC,OR\\]/';
            $pattern11 = '/RewriteCond\\s%\\{QUERY_STRING\\}\\s\\[a-zA-Z0-9_\\]\\=http:\\/\\/\\s\\[OR\\]/';
            $pattern12 = '/RewriteCond\\s%\\{QUERY_STRING\\}\\s\\[a-zA-Z0-9_\\]\\=\\(\\\\.\\\\.\\/\\/\\?\\)\\+\\s\\[OR\\]/';
            $pattern13 = '/RewriteCond\\s%\\{QUERY_STRING\\}\\s\\(\\\\.\\\\.\\/\\|\\\\.\\\\.\\)\\s\\[OR\\]/';
            $pattern14 = '/RewriteCond\\s%{QUERY_STRING}\\s\\(\\\\.\\/\\|\\\\.\\.\\/\\|\\\\.\\.\\.\\/\\)\\+\\(motd\\|etc\\|bin\\)\\s\\[NC,OR\\]/';
            // Version line at the top of the file, rewritten to the running version on upgrade.
            $BPSVpattern = '/BULLETPROOF\\s\\.[\\d](.*)[\\>]/';
            $BPSVreplace = "BULLETPROOF {$bps_version} >>>>>>>";
            // Setup Wizard added in BPS .51.8:
            // BPS Upgrade: Save the Setup Wizard DB option automatically on BPS plugin upgrade.
            // New BPS Installation: Display Setup Wizard Notice.
            // Manual Setup: Save the Setup Wizard DB option if BPS is setup manually instead of using the Setup Wizard.
            if (!file_exists($filename)) {
                // Setup Wizard Notice:
                if (!get_option('bulletproof_security_options_wizard_free')) {
                    $text = '<div class="update-nag" style="background-color:#ffffe0;font-size:1em;font-weight:bold;padding:2px 5px;margin-top:2px;"><font color="blue">' . __('BPS Setup Wizard Notification', 'bulletproof-security') . '</font><br><a href="admin.php?page=bulletproof-security/admin/wizard/wizard.php">' . __('Click Here', 'bulletproof-security') . '</a>' . __(' to go to the BPS Setup Wizard page and click the Setup Wizard button to setup the BPS plugin.', 'bulletproof-security') . '</div>';
                    echo $text;
                } else {
                    $text = '<div class="update-nag" style="background-color:#ffffe0;font-size:1em;font-weight:bold;padding:2px 5px;margin-top:2px;"><font color="red">' . __('BPS Alert! An htaccess file was NOT found in your WordPress root folder', 'bulletproof-security') . '</font><br>' . __('If you have deleted the root htaccess file for troubleshooting purposes you can disregard this Alert.', 'bulletproof-security') . '<br>' . __('After you are done troubleshooting ', 'bulletproof-security') . '</font><a href="admin.php?page=bulletproof-security/admin/wizard/wizard.php">' . __('Click Here', 'bulletproof-security') . '</a>' . __(' to go to the BPS Setup Wizard page and click the Setup Wizard button to setup the BPS plugin again.', 'bulletproof-security') . '<br>' . __('Important Note: If you deleted the root htaccess file due to bad/invalid Root Custom Code causing a problem then ', 'bulletproof-security') . '<a href="admin.php?page=bulletproof-security/admin/core/options.php#bps-tabs-7">' . __('Click Here', 'bulletproof-security') . '</a>' . __(' to go to the BPS Custom Code page, delete the bad/invalid Root Custom Code and click the Save Root Custom Code button before running the Setup Wizard again.', 'bulletproof-security') . '</div>';
                    echo $text;
                }
            } else {
                if (file_exists($filename)) {
                    // NOTE(review): switch compares with loose ==, so the boolean-valued case
                    // expressions below are compared against the $bps_version string. When that
                    // string is non-empty and not "0", a case whose expression is true matches and
                    // one whose expression is false does not, i.e. after the first case this behaves
                    // like switch (true). The first case is a plain comparison with $bps_last_version.
                    // The strpos() results are also used as booleans: a match at byte offset 0 would
                    // read as "not found" — presumably unreachable given the offset-3 $section read
                    // above, but verify if the file layout changes.
                    switch ($bps_version) {
                        case $bps_last_version:
                            // for testing
                            if (strpos($check_string, "BULLETPROOF {$bps_last_version}") && strpos($check_string, "BPSQSE")) {
                                print $section;
                            }
                            break;
                        // Neither a BPS secure nor a BPS default file: wizard notice or alert.
                        case !strpos($check_string, "BULLETPROOF") && !strpos($check_string, "DEFAULT"):
                            // Setup Wizard Notice
                            if (!get_option('bulletproof_security_options_wizard_free')) {
                                $text = '<div class="update-nag" style="background-color:#ffffe0;font-size:1em;font-weight:bold;padding:2px 5px;margin-top:2px;"><font color="blue">' . __('BPS Setup Wizard Notification', 'bulletproof-security') . '</font><br><a href="admin.php?page=bulletproof-security/admin/wizard/wizard.php">' . __('Click Here', 'bulletproof-security') . '</a>' . __(' to go to the BPS Setup Wizard page and click the Setup Wizard button to setup the BPS plugin.', 'bulletproof-security') . '</div>';
                                echo $text;
                            } else {
                                $text = '<div class="update-nag" style="background-color:#ffffe0;font-size:1em;font-weight:bold;padding:2px 5px;margin-top:2px;"><font color="red">' . __('BPS Alert! Your site may not be protected by BulletProof Security', 'bulletproof-security') . '</font><br>' . __('The BPS version: BULLETPROOF .xx.x >>>>>>> SECURE .HTACCESS line of code was not found at the top of your Root htaccess file.', 'bulletproof-security') . '<br>' . __('The BPS version line of code MUST be at the very top of your Root htaccess file.', 'bulletproof-security') . '<br><a href="admin.php?page=bulletproof-security/admin/wizard/wizard.php">' . __('Click Here', 'bulletproof-security') . '</a>' . __(' to go to the BPS Setup Wizard page and click the Setup Wizard button to setup the BPS plugin again.', 'bulletproof-security') . '<br>' . __('Important Note: If you manually added other htaccess code above the BPS version line of code in your root htaccess file, you can copy that code to BPS Root Custom Code so that your code is saved in the correct place in the BPS root htaccess file. ', 'bulletproof-security') . '<br><a href="admin.php?page=bulletproof-security/admin/core/options.php#bps-tabs-7">' . __('Click Here', 'bulletproof-security') . '</a>' . __(' to go to the BPS Custom Code page, add your Root custom htaccess code in an appropriate Root Custom Code text box and click the Save Root Custom Code button before running the Setup Wizard again.', 'bulletproof-security') . '</div>';
                                echo $text;
                            }
                            break;
                        // BPS rules present but from another version: upgrade the file in place.
                        case !strpos($check_string, "BULLETPROOF {$bps_version}") && strpos($check_string, "BPSQSE"):
                            // delete the old Maintenance Mode DB option - added in BPS .49.9
                            if (get_option('bulletproof_security_options_maint')) {
                                delete_option('bulletproof_security_options_maint');
                            }
                            // Recreate the User Agent filters in the 403.php file on BPS upgrade
                            bpsPro_autoupdate_useragent_filters();
                            // Delete all the old plugin api junk content in this transient
                            delete_transient('bulletproof-security_info');
                            // Update/Add/Save any New DB options/features on upgrade
                            bpsPro_new_feature_autoupdate();
                            // Save the Setup Wizard DB option only if it does not already exist
                            $bps_setup_wizard = 'bulletproof_security_options_wizard_free';
                            $BPS_Wizard = array('bps_wizard_free' => 'upgrade');
                            if (!get_option($bps_setup_wizard)) {
                                // The loop body ignores $key/$value and saves the whole array each
                                // pass; with one element that is a single update_option() call.
                                foreach ($BPS_Wizard as $key => $value) {
                                    update_option('bulletproof_security_options_wizard_free', $BPS_Wizard);
                                }
                            }
                            // NOTE(review): `!= '0666' || != '0777'` is true for every value (nothing
                            // equals both), so chmod(0644) runs whenever this branch is reached,
                            // regardless of SAPI or current permissions. Behaviour kept as-is.
                            if (@substr($sapi_type, 0, 6) != 'apache' || @$permsHtaccess != '0666' || @$permsHtaccess != '0777') {
                                // Windows IIS, XAMPP, etc
                                @chmod($filename, 0644);
                            }
                            // Rewrite older rule blocks into their current form. Each preg_match guard
                            // only tests that the old form is present; the replacement follows.
                            $stringReplace = @file_get_contents($filename);
                            $stringReplace = preg_replace($BPSVpattern, $BPSVreplace, $stringReplace);
                            $stringReplace = str_replace("RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]", "RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]", $stringReplace);
                            if (preg_match($patterna, $stringReplace, $matches)) {
                                $stringReplace = preg_replace('/#\\sDENY\\sACCESS\\sTO\\sPROTECTED\\sSERVER\\sFILES(.*)RedirectMatch\\s403\\s\\/\\\\.\\.\\*\\$/s', "# DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS\n# Files and folders starting with a dot: .htaccess, .htpasswd, .errordocs, .logs\nRedirectMatch 403 \\.(htaccess|htpasswd|errordocs|logs)\$", $stringReplace);
                            }
                            // Only add the 410 ErrorDocument when no custom error-logging code is saved.
                            if ($BPSCustomCodeOptions['bps_customcode_error_logging'] == '' && !preg_match($pattern0, $stringReplace, $matches)) {
                                $stringReplace = preg_replace('/ErrorDocument\\s404\\s(.*)\\/404\\.php/s', "ErrorDocument 404 {$bps_get_wp_root_secure}" . "404.php\nErrorDocument 410 {$bps_get_wp_root_secure}" . "{$bps_plugin_dir}/bulletproof-security/410.php", $stringReplace);
                            }
                            if (preg_match($pattern1, $stringReplace, $matches)) {
                                $stringReplace = preg_replace('/#\\sFORBID\\sEMPTY\\sREFFERER\\sSPAMBOTS(.*)RewriteCond\\s%{HTTP_USER_AGENT}\\s\\^\\$\\sRewriteRule\\s\\.\\*\\s\\-\\s\\[F\\]/s', '', $stringReplace);
                            }
                            if (preg_match($pattern2, $stringReplace, $matches)) {
                                $stringReplace = preg_replace('/AnotherWebsite\\.com\\)\\.\\*\\s*(RewriteCond\\s%\\{HTTP_REFERER\\}\\s\\^\\.\\*' . $bps_get_domain_root . '\\.\\*\\s*){2,}\\s*RewriteRule\\s\\.\\s\\-\\s\\[S=1\\]/s', "AnotherWebsite.com).*\nRewriteCond %{HTTP_REFERER} ^.*{$bps_get_domain_root}.*\nRewriteRule . - [S=1]", $stringReplace);
                            }
                            if (!preg_match($pattern10, $stringReplace, $matches)) {
                                $stringReplace = preg_replace('/#\\sBPSQSE\\sBPS\\sQUERY\\sSTRING\\sEXPLOITS\\s*#\\sThe\\slibwww-perl\\sUser\\sAgent\\sis\\sforbidden/', "# BEGIN BPSQSE BPS QUERY STRING EXPLOITS\n# The libwww-perl User Agent is forbidden", $stringReplace);
                            }
                            if (preg_match($pattern10a, $stringReplace, $matches)) {
                                $stringReplace = preg_replace($pattern10a, "RewriteCond %{THE_REQUEST} (\\?|\\*|%2a)+(%20+|\\\\\\s+|%20+\\\\\\s+|\\\\\\s+%20+|\\\\\\s+%20+\\\\\\s+)HTTP(:/|/) [NC,OR]", $stringReplace);
                            }
                            if (preg_match($pattern10b, $stringReplace, $matches)) {
                                $stringReplace = preg_replace($pattern10b, "RewriteCond %{THE_REQUEST} (\\?|\\*|%2a)+(%20+|\\\\\\s+|%20+\\\\\\s+|\\\\\\s+%20+|\\\\\\s+%20+\\\\\\s+)HTTP(:/|/) [NC,OR]", $stringReplace);
                            }
                            if (preg_match($pattern10c, $stringReplace, $matches)) {
                                $stringReplace = preg_replace($pattern10c, "RewriteCond %{THE_REQUEST} (\\?|\\*|%2a)+(%20+|\\\\\\s+|%20+\\\\\\s+|\\\\\\s+%20+|\\\\\\s+%20+\\\\\\s+)HTTP(:/|/) [NC,OR]", $stringReplace);
                            }
                            if (preg_match($pattern11, $stringReplace, $matches)) {
                                $stringReplace = preg_replace('/RewriteCond\\s%\\{QUERY_STRING\\}\\s\\[a-zA-Z0-9_\\]\\=http:\\/\\/\\s\\[OR\\]/s', "RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [NC,OR]", $stringReplace);
                            }
                            if (preg_match($pattern12, $stringReplace, $matches)) {
                                $stringReplace = preg_replace('/RewriteCond\\s%\\{QUERY_STRING\\}\\s\\[a-zA-Z0-9_\\]\\=\\(\\\\.\\\\.\\/\\/\\?\\)\\+\\s\\[OR\\]/s', "RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\\.\\.//?)+ [NC,OR]", $stringReplace);
                            }
                            if (preg_match($pattern13, $stringReplace, $matches)) {
                                $stringReplace = preg_replace('/RewriteCond\\s%\\{QUERY_STRING\\}\\s\\(\\\\.\\\\.\\/\\|\\\\.\\\\.\\)\\s\\[OR\\]/s', "RewriteCond %{QUERY_STRING} (\\.\\./|%2e%2e%2f|%2e%2e/|\\.\\.%2f|%2e\\.%2f|%2e\\./|\\.%2e%2f|\\.%2e/) [NC,OR]", $stringReplace);
                            }
                            if (preg_match($pattern6, $stringReplace, $matches)) {
                                $stringReplace = str_replace("RewriteCond %{QUERY_STRING} ^.*(\\[|\\]|\\(|\\)|<|>|%3c|%3e|%5b|%5d).* [NC,OR]", "RewriteCond %{QUERY_STRING} ^.*(\\(|\\)|<|>|%3c|%3e).* [NC,OR]", $stringReplace);
                                $stringReplace = str_replace("RewriteCond %{QUERY_STRING} ^.*(|||\r|| |<|>|[|]|).* [NC,OR]", "RewriteCond %{QUERY_STRING} ^.*(|||\r|| |<|>|).* [NC,OR]", $stringReplace);
                            }
                            if (preg_match($pattern7, $stringReplace, $matches)) {
                                $stringReplace = preg_replace('/RewriteCond %{QUERY_STRING} \\^\\.\\*(.*)[5](.*)[5](.*)\\)/', 'RewriteCond %{QUERY_STRING} ^.*(\\x00|\\x04|\\x08|\\x0d|\\x1b|\\x20|\\x3c|\\x3e|\\x7f)', $stringReplace);
                            }
                            if (preg_match($pattern14, $stringReplace, $matches)) {
                                $stringReplace = preg_replace('/RewriteCond\\s%{QUERY_STRING}\\s\\(\\\\.\\/\\|\\\\.\\.\\/\\|\\\\.\\.\\.\\/\\)\\+\\(motd\\|etc\\|bin\\)\\s\\[NC,OR\\]/s', "RewriteCond %{QUERY_STRING} (\\.{1,}/)+(motd|etc|bin) [NC,OR]", $stringReplace);
                            }
                            if (!preg_match($pattern4, $stringReplace, $matches)) {
                                $stringReplace = str_replace("RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]", "RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]\nRewriteCond %{QUERY_STRING} \\-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]", $stringReplace);
                            }
                            if (!is_multisite() && !preg_match($pattern9, $stringReplace, $matches)) {
                                $stringReplace = preg_replace('/RewriteCond\\s%{QUERY_STRING}\\s\\(sp_executesql\\)\\s\\[NC\\]\\s*(.*)\\s*RewriteCond\\s%{REQUEST_FILENAME}\\s!-f\\s*RewriteCond\\s%{REQUEST_FILENAME}\\s!-d\\s*RewriteRule\\s\\.(.*)\\/index\\.php\\s\\[L\\]/', "RewriteCond %{QUERY_STRING} (sp_executesql) [NC]\nRewriteRule ^(.*)\$ - [F,L]\n# END BPSQSE BPS QUERY STRING EXPLOITS\nRewriteCond %{REQUEST_FILENAME} !-f\nRewriteCond %{REQUEST_FILENAME} !-d\nRewriteRule . " . $bps_get_wp_root_secure . "index.php [L]\n# WP REWRITE LOOP END", $stringReplace);
                            }
                            // Clean up - replace 3 and 4 multiple newlines with 1 newline
                            if (preg_match('/(\\n\\n\\n|\\n\\n\\n\\n)/', $stringReplace, $matches)) {
                                $stringReplace = preg_replace("/(\n\n\n|\n\n\n\n)/", "\n", $stringReplace);
                            }
                            // remove duplicate referer lines
                            if (preg_match($pattern8, $stringReplace, $matches)) {
                                $stringReplace = preg_replace("/\\[NC\\]\\s*RewriteCond\\s%{HTTP_REFERER}\\s\\^\\.\\*(.*)\\.\\*\\s*(.*)\\s*(.*)\\s*(.*)\\s*(.*)\\s*(.*)\\s*RewriteRule\\s\\.\\s\\-\\s\\[S=1\\]/", "[NC]\nRewriteCond %{HTTP_REFERER} ^.*{$bps_get_domain_root}.*\nRewriteRule . - [S=1]", $stringReplace);
                            }
                            // NOTE(review): the write result is not checked, so a failed write
                            // (e.g. a read-only file) is not reported here.
                            file_put_contents($filename, $stringReplace);
                            // AutoLock: make the root .htaccess read-only again after the rewrite.
                            if ($options['bps_root_htaccess_autolock'] == 'On') {
                                @chmod($filename, 0404);
                            }
                            // Success notice is keyed on the file's modification time matching the
                            // install time (or install time + 1 minute), not on the write above.
                            if (getBPSInstallTime() == getBPSRootHtaccessLasModTime_minutes() || getBPSInstallTime_plusone() == getBPSRootHtaccessLasModTime_minutes()) {
                                $bps_root_upgrade = 'upgrade';
                                $pos = strpos($check_string, 'IMPORTANT!!! DO NOT DELETE!!! - B E G I N Wordpress');
                                if ($pos === false) {
                                    $updateText = '<div class="update-nag" style="float:left;background-color:#ffffe0;font-size:1em;font-weight:bold;padding:2px 5px;margin-top:2px;"><font color="blue">' . __("The BPS Automatic htaccess File Update Completed Successfully!", 'bulletproof-security') . '</font></div>';
                                    print $updateText;
                                }
                            }
                            // end up upgrade processing
                            break;
                        // Current-version BPS file: show the status line built from $section.
                        case strpos($check_string, "BULLETPROOF {$bps_version}") && strpos($check_string, "BPSQSE"):
                            $bps_status_display = get_option('bulletproof_security_options_status_display');
                            if ($bps_status_display['bps_status_display'] != 'Off') {
                                if (preg_match('/page=bulletproof-security/', esc_html($_SERVER['REQUEST_URI']), $matches)) {
                                    $RBM = $aitpro_bullet . '<a href="admin.php?page=bulletproof-security/admin/core/options.php" title="Root Folder BulletProof Mode" style="text-decoration:none;">' . __('RBM', 'bulletproof-security') . '</a>: <font color="green"><strong>' . __('On', 'bulletproof-security') . '</strong></font>';
                                    $RBM_str = str_replace("BULLETPROOF {$bps_version} >>>>>>> SECURE .HTACCESS", "BPS {$bps_version} {$RBM}", $section);
                                    echo '<div id="bps-status-display" style="background-color:#eeeeee;font-weight:bold;float:left;margin:0px 0px 0px 5px;">' . $RBM_str . '</div>';
                                }
                            }
                            break;
                        default:
                            // Reached e.g. for a Default Mode file; $bps_root_upgrade is only set in
                            // the upgrade case above, so the alert is printed unless that case ran.
                            if ($bps_root_upgrade != 'upgrade') {
                                $text = '<div class="update-nag" style="background-color:#ffffe0;font-size:1em;font-weight:bold;padding:2px 5px;margin-top:2px;"><font color="red">' . __('BPS Alert! Your site does not appear to be protected by BulletProof Security', 'bulletproof-security') . '</font><br>' . __('Go to the ', 'bulletproof-security') . '<a href="admin.php?page=bulletproof-security/admin/core/options.php">' . __('Security Modes page', 'bulletproof-security') . '</a>' . __(' and click the Create secure.htaccess File AutoMagic button and Activate Root Folder BulletProof Mode.', 'bulletproof-security') . '<br>' . __('If your site is in Default Mode then it is NOT protected by BulletProof Security. Check the BPS ', 'bulletproof-security') . '<a href="admin.php?page=bulletproof-security/admin/core/options.php#bps-tabs-2">' . __('Security Status page', 'bulletproof-security') . '</a>' . __(' to view your BPS Security Status information.', 'bulletproof-security') . '</div>';
                                echo $text;
                            }
                    }
                }
            }
        }
    }
}
         echo $text;
     } else {
         $text = '<strong>' . __('MySQL Extension: ', 'bulletproof-security') . '</strong>' . __('NOT Installed|Enabled', 'bulletproof-security') . '<br>';
         echo $text;
     }
     if (function_exists('mysqli_connect')) {
         $text = '<strong>' . __('MySQLi Extension: ', 'bulletproof-security') . '</strong>' . __('Installed|Enabled', 'bulletproof-security') . '<br>';
         echo $text;
     } else {
         $text = '<strong>' . __('MySQLi Extension: ', 'bulletproof-security') . '</strong>' . __('NOT Installed|Enabled', 'bulletproof-security') . '<br>';
         echo $text;
     }
     echo '<br>';
 }
 // Site layout summary. Each echo uses the comma form so every expression is
 // evaluated and emitted in the same sequence as before: label, then the value
 // (wrapped in <strong> only where the original markup bolded it), then <br>.
 echo __('WordPress Installation Folder', 'bulletproof-security'), ': <strong>', bps_wp_get_root_folder(), '</strong><br>';
 echo __('Plugins Folder', 'bulletproof-security'), ': <strong>', str_replace(ABSPATH, '', WP_PLUGIN_DIR), '</strong><br>';
 echo __('WordPress Installation Type', 'bulletproof-security'), ': ', bps_wp_get_root_folder_display_type(), '<br>';
 echo __('Standard|GWIOD Site Type', 'bulletproof-security'), ': ', bps_gwiod_site_type_check(), '<br>';
 echo __('Network|Multisite', 'bulletproof-security'), ': ', bps_multisite_check(), '<br>';
 echo __('BuddyPress', 'bulletproof-security'), ': ', bps_buddypress_site_type_check(), '<br>';
 echo __('bbPress', 'bulletproof-security'), ': ', bps_bbpress_site_type_check(), '<br>';
 echo __('WP Permalink Structure', 'bulletproof-security'), ': <strong>';
 // Kept in a named variable (not inlined) because later code in this file may read it.
 $permalink_structure = get_option('permalink_structure');
 echo $permalink_structure, '</strong><br>';
    if ($BPSCustomCodeOptions['bps_customcode_wp_rewrite_start'] != '') {
        $bpsMUSDirTop = "# CUSTOM CODE WP REWRITE LOOP START\n" . htmlspecialchars_decode($BPSCustomCodeOptions['bps_customcode_wp_rewrite_start'], ENT_QUOTES) . "\n\n";
    } else {
        $bpsMUSDirTop = "# WP REWRITE LOOP START\nRewriteEngine On\nRewriteBase {$bps_get_wp_root_default}\nRewriteRule ^index\\.php\$ - [L]\n\n{$ms_files_rewriting}\n# add a trailing slash to /wp-admin\nRewriteRule ^{$subdir_match}wp-admin\$ {$subdir_replacement_01}wp-admin/ [R=301,L]\n\n";
    }
    // Network/Multisite all site types and versions
    if ($BPSCustomCodeOptions['bps_customcode_wp_rewrite_end'] != '') {
        $bpsMUSDirBottom = "# CUSTOM CODE WP REWRITE LOOP END\n" . htmlspecialchars_decode($BPSCustomCodeOptions['bps_customcode_wp_rewrite_end'], ENT_QUOTES) . "\n\n";
    } else {
        $bpsMUSDirBottom = "RewriteCond %{REQUEST_FILENAME} -f [OR]\nRewriteCond %{REQUEST_FILENAME} -d\nRewriteRule ^ - [L]\nRewriteRule ^{$subdir_match}(wp-(content|admin|includes).*) {$rewrite_base}{$subdir_replacement_12} [L]\nRewriteRule ^{$subdir_match}(.*\\.php)\$ {$rewrite_base}{$subdir_replacement_12} [L]\nRewriteRule . index.php [L]\n# WP REWRITE LOOP END\n";
    }
}
/** 
# secure.htaccess fwrite content for all WP site types 
**/
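// Root Master secure.htaccess: source file path, user-facing result messages and the
// first two htaccess sections that later code in this file presumably writes out in
// order (see the "fwrite content" comment above; confirm against the writer code).
// When a Custom Code option is set, its stored value is HTML-entity decoded and used
// verbatim in place of the default section, so that text ends up in the htaccess file
// exactly as saved — it is treated here as administrator-supplied configuration.
$bps_get_wp_root_secure = bps_wp_get_root_folder();
$bps_auto_write_secure_file = WP_PLUGIN_DIR . '/bulletproof-security/admin/htaccess/secure.htaccess';
$bpsSuccessMessageSec = '<font color="green"><strong>' . __('Success! Your BulletProof Security Root Master htaccess file was created successfully!', 'bulletproof-security') . '</strong></font><br><font color="black"><strong>' . __('You can now Activate BulletProof Mode for your Root folder. Select the Root Folder BulletProof Mode radio button and click the Activate button to activate Root Folder BulletProof Mode.', 'bulletproof-security') . '</strong></font>';
$bpsFailMessageSec = '<font color="red"><strong>' . __('The file ', 'bulletproof-security') . $bps_auto_write_secure_file . __(' is not writable or does not exist.', 'bulletproof-security') . '</strong></font><br><strong>' . __('Check that the file is named secure.htaccess and that the file exists in the /bulletproof-security/admin/htaccess master folder. If this is not the problem click', 'bulletproof-security') . ' <a href="http://forum.ait-pro.com/read-me-first/" target="_blank">' . __('HERE', 'bulletproof-security') . '</a>' . __(' to go the the BulletProof Security Forum.', 'bulletproof-security') . '</strong><br>';
// Header line; other code in this file matches on the "BULLETPROOF <version> >>>>>>> SECURE .HTACCESS" text,
// so its spacing must stay as is. Assumes $bps_version is already defined in this scope.
$bps_secure_content_top = "#   BULLETPROOF {$bps_version} >>>>>>> SECURE .HTACCESS     \n\n";
// A Custom Code option counts as set only when the key exists and is not an empty string.
// Checking isset() first avoids the undefined-index notice (and the notice on a boolean
// false options value) that the second branch previously hid with @ and the first did not
// hide at all; the loose != '' comparison is kept so a stored '0' still counts as set.
if (isset($BPSCustomCodeOptions['bps_customcode_one']) && $BPSCustomCodeOptions['bps_customcode_one'] != '') {
    $bps_secure_phpini_cache = "# CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE\n" . htmlspecialchars_decode($BPSCustomCodeOptions['bps_customcode_one'], ENT_QUOTES) . "\n\n";
} else {
    $bps_secure_phpini_cache = "# PHP/PHP.INI HANDLER/CACHE CODE\n# Use BPS Custom Code to add php/php.ini Handler and Cache htaccess code and to save it permanently.\n# Most Hosts do not have/use/require php/php.ini Handler htaccess code\n\n";
}
if (isset($BPSCustomCodeOptions['bps_customcode_server_signature']) && $BPSCustomCodeOptions['bps_customcode_server_signature'] != '') {
    $bps_server_signature = "# CUSTOM CODE TURN OFF YOUR SERVER SIGNATURE\n" . htmlspecialchars_decode($BPSCustomCodeOptions['bps_customcode_server_signature'], ENT_QUOTES) . "\n\n";
} else {
    // Default: hide the server version/ServerName footer Apache adds to generated pages.
    $bps_server_signature = "# TURN OFF YOUR SERVER SIGNATURE\n# Suppresses the footer line server version number and ServerName of the serving virtual host\nServerSignature Off\n\n";
}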
if ($BPSCustomCodeOptions['bps_customcode_directory_index'] != '') {
/**
 * Status check for the root .htaccess file that can also rewrite that file in place.
 *
 * Reads ABSPATH/.htaccess and dispatches on the plugin version. When the file carries
 * the "BPSQSE" marker but not the "BULLETPROOF .48" header, the ".48" case upgrades it
 * with a series of str_replace()/preg_replace() edits, writes it back with
 * file_put_contents(), optionally chmod()s it to 0404, and copies deny-all.htaccess
 * to .htaccess inside the plugin's admin/htaccess folder. When no file exists, or the
 * version marker is not recognised, an alert is echoed instead.
 *
 * The switch relies on fall-through: a case whose inner if() is not taken continues
 * into the next case and finally into default, so the cases are not exclusive.
 * All output is echoed/printed directly; nothing is returned.
 * Presumably invoked from the admin dashboard (name only) — verify against the caller.
 *
 * @global string $bps_version Plugin version string the switch dispatches on.
 * @return void
 */
function root_htaccess_status_dashboard()
{
    global $bps_version;
    $options = get_option('bulletproof_security_options_autolock');
    $filename = ABSPATH . '.htaccess';
    // Octal mode wrapped in dots (e.g. ".0644."), trimmed to its last 4 chars ("644.");
    // @ hides the warning fileperms() raises when the file is missing.
    $permsHtaccess = @substr(sprintf(".%o.", fileperms($filename)), -4);
    $sapi_type = php_sapi_name();
    // Whole file for the marker checks; $section is 46 bytes from offset 3 (the header line) for display.
    // Both reads are @-suppressed and may be false when the file is absent or unreadable.
    $check_string = @file_get_contents($filename);
    $section = @file_get_contents($filename, NULL, NULL, 3, 46);
    $bps_denyall_htaccess = WP_PLUGIN_DIR . '/bulletproof-security/admin/htaccess/deny-all.htaccess';
    $bps_denyall_htaccess_renamed = WP_PLUGIN_DIR . '/bulletproof-security/admin/htaccess/.htaccess';
    $bps_get_domain_root = bpsGetDomainRoot();
    $bps_get_wp_root_secure = bps_wp_get_root_folder();
    // Patterns locating legacy sections of the htaccess file that the ".48" upgrade rewrites or inserts.
    $pattern0 = '/#\\sBPS\\sPRO\\sERROR\\sLOGGING(.*)ErrorDocument\\s404\\s(.*)\\/404\\.php/s';
    $pattern1 = '/#\\sFORBID\\sEMPTY\\sREFFERER\\sSPAMBOTS(.*)RewriteCond\\s%{HTTP_USER_AGENT}\\s\\^\\$\\sRewriteRule\\s\\.\\*\\s\\-\\s\\[F\\]/s';
    $pattern2 = '/TIMTHUMB FORBID RFI and MISC FILE SKIP\\/BYPASS RULE/s';
    $pattern3 = '/\\[NC\\]\\s*RewriteCond %{HTTP_REFERER} \\^\\.\\*(.*)\\.\\*\\s*(.*)\\s*RewriteRule \\. \\- \\[S\\=1\\]/s';
    $pattern4 = '/\\.\\*\\(allow_url_include\\|allow_url_fopen\\|safe_mode\\|disable_functions\\|auto_prepend_file\\) \\[NC,OR\\]/';
    $pattern5 = '/FORBID COMMENT SPAMMERS ACCESS TO YOUR wp-comments-post.php FILE/s';
    $pattern6 = '/(\\[|\\]|\\(|\\)|<|>|%3c|%3e|%5b|%5d)/s';
    $pattern7 = '/RewriteCond %{QUERY_STRING} \\^\\.\\*(.*)[3](.*)[5](.*)[5](.*)[7](.*)\\)/';
    // Hosts (as reported by bps_DNS_NS()) on which the 0404 auto-lock below is skipped.
    $ExcludedHosts = array('webmasters.com', 'rzone.de', 'softcomca.com');
    if (!file_exists($filename)) {
        $text = '<div class="update-nag"><font color="red"><strong>' . __('BPS Alert! An htaccess file was NOT found in your root folder. Check the BPS', 'bulletproof-security') . ' <a href="admin.php?page=bulletproof-security/admin/options.php#bps-tabs-2">' . __('Security Status page', 'bulletproof-security') . '</a> ' . __('for more specific information.', 'bulletproof-security') . '</strong></font></div>';
        echo $text;
    } else {
        // Redundant re-check: the else branch is only reached when the file exists.
        if (file_exists($filename)) {
            switch ($bps_version) {
                case ".47.9":
                    // for testing
                    // Breaks only when both markers are present; otherwise falls through into the ".48" case.
                    // strpos() is used as a boolean here and below, so a marker at offset 0 would read as absent.
                    if (strpos($check_string, "BULLETPROOF .47.9") && strpos($check_string, "BPSQSE")) {
                        print $section . '...Testing...';
                        break;
                    }
                case ".48":
                    // A BPS-generated file (BPSQSE marker) that predates .48: upgrade it in place.
                    if (!strpos($check_string, "BULLETPROOF .48") && strpos($check_string, "BPSQSE")) {
                        // Make the file writable before editing; it may have been locked to 0404 earlier.
                        chmod($filename, 0644);
                        $stringReplace = @file_get_contents($filename);
                        // Rewrite any older version header to the .48 header.
                        $stringReplace = str_replace("BULLETPROOF .46.9", "BULLETPROOF .48", $stringReplace);
                        $stringReplace = str_replace("BULLETPROOF .47.1", "BULLETPROOF .48", $stringReplace);
                        $stringReplace = str_replace("BULLETPROOF .47.2", "BULLETPROOF .48", $stringReplace);
                        $stringReplace = str_replace("BULLETPROOF .47.3", "BULLETPROOF .48", $stringReplace);
                        $stringReplace = str_replace("BULLETPROOF .47.4", "BULLETPROOF .48", $stringReplace);
                        $stringReplace = str_replace("BULLETPROOF .47.5", "BULLETPROOF .48", $stringReplace);
                        $stringReplace = str_replace("BULLETPROOF .47.6", "BULLETPROOF .48", $stringReplace);
                        $stringReplace = str_replace("BULLETPROOF .47.7", "BULLETPROOF .48", $stringReplace);
                        $stringReplace = str_replace("BULLETPROOF .47.8", "BULLETPROOF .48", $stringReplace);
                        $stringReplace = str_replace("BULLETPROOF .47.9", "BULLETPROOF .48", $stringReplace);
                        // Extend the user-agent filter; only matches the exact legacy rule text.
                        $stringReplace = str_replace("RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]", "RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]", $stringReplace);
                        // Replace the legacy "BPS PRO ERROR LOGGING" block with the current ErrorDocument section.
                        if (preg_match($pattern0, $stringReplace, $matches)) {
                            $stringReplace = preg_replace('/#\\sBPS\\sPRO\\sERROR\\sLOGGING(.*)ErrorDocument\\s404\\s(.*)\\/404\\.php/s', "# BPS ERROR LOGGING AND TRACKING\n# BPS has premade 403 Forbidden, 400 Bad Request and 404 Not Found files that are used\n# to track and log 403, 400 and 404 errors that occur on your website. When a hacker attempts to\n# hack your website the hackers IP address, Host name, Request Method, Referering link, the file name or\n# requested resource, the user agent of the hacker and the query string used in the hack attempt are logged.\n# All BPS log files are htaccess protected so that only you can view them.\n# The 400.php, 403.php and 404.php files are located in /wp-content/plugins/bulletproof-security/\n# The 400 and 403 Error logging files are already set up and will automatically start logging errors\n# after you install BPS and have activated BulletProof Mode for your Root folder.\n# If you would like to log 404 errors you will need to copy the logging code in the BPS 404.php file\n# to your Theme's 404.php template file. Simple instructions are included in the BPS 404.php file.\n# You can open the BPS 404.php file using the WP Plugins Editor.\n# NOTE: By default WordPress automatically looks in your Theme's folder for a 404.php template file.\n\nErrorDocument 400 {$bps_get_wp_root_secure}" . "wp-content/plugins/bulletproof-security/400.php\nErrorDocument 403 {$bps_get_wp_root_secure}" . "wp-content/plugins/bulletproof-security/403.php\nErrorDocument 404 {$bps_get_wp_root_secure}" . "404.php", $stringReplace);
                        }
                        // Remove the legacy empty-referrer block entirely.
                        if (preg_match($pattern1, $stringReplace, $matches)) {
                            $stringReplace = preg_replace('/#\\sFORBID\\sEMPTY\\sREFFERER\\sSPAMBOTS(.*)RewriteCond\\s%{HTTP_USER_AGENT}\\s\\^\\$\\sRewriteRule\\s\\.\\*\\s\\-\\s\\[F\\]/s', '', $stringReplace);
                        }
                        // Insert the TimThumb section header only if it is not already present.
                        if (!preg_match($pattern2, $stringReplace, $matches)) {
                            $stringReplace = str_replace("# TimThumb Forbid RFI By Host Name But Allow Internal Requests", "# TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE\n# Only Allow Internal File Requests From Your Website\n# To Allow Additional Websites Access to a File Use [OR] as shown below.\n# RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]\n# RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*", $stringReplace);
                        }
                        // Add, then normalise, the own-domain referer condition in front of the [S=1] skip rule.
                        if (!preg_match($pattern3, $stringReplace, $matches)) {
                            $stringReplace = str_replace("RewriteRule . - [S=1]", "RewriteCond %{HTTP_REFERER} ^.*{$bps_get_domain_root}.*\nRewriteRule . - [S=1]", $stringReplace);
                        }
                        if (preg_match($pattern3, $stringReplace, $matches)) {
                            $stringReplace = preg_replace('/\\[NC\\]\\s*RewriteCond %{HTTP_REFERER} \\^\\.\\*(.*)\\.\\*\\s*(.*)\\s*RewriteRule \\. \\- \\[S\\=1\\]/s', "[NC]\nRewriteCond %{HTTP_REFERER} ^.*{$bps_get_domain_root}.*\nRewriteRule . - [S=1]", $stringReplace);
                        }
                        // Drop the square-bracket characters from the query-string filter (exact legacy rule text only).
                        if (preg_match($pattern6, $stringReplace, $matches)) {
                            $stringReplace = str_replace("RewriteCond %{QUERY_STRING} ^.*(\\[|\\]|\\(|\\)|<|>|%3c|%3e|%5b|%5d).* [NC,OR]", "RewriteCond %{QUERY_STRING} ^.*(\\(|\\)|<|>|%3c|%3e).* [NC,OR]", $stringReplace);
                            $stringReplace = str_replace("RewriteCond %{QUERY_STRING} ^.*(|||\r|| |<|>|[|]|).* [NC,OR]", "RewriteCond %{QUERY_STRING} ^.*(|||\r|| |<|>|).* [NC,OR]", $stringReplace);
                        }
                        // NOTE(review): $pattern7 (used to detect) and the inline pattern passed to
                        // preg_replace() (used to rewrite) are different expressions; presumably
                        // intentional, but confirm they select the same rule.
                        if (preg_match($pattern7, $stringReplace, $matches)) {
                            $stringReplace = preg_replace('/RewriteCond %{QUERY_STRING} \\^\\.\\*(.*)[5](.*)[5](.*)\\)/', 'RewriteCond %{QUERY_STRING} ^.*(\\x00|\\x04|\\x08|\\x0d|\\x1b|\\x20|\\x3c|\\x3e|\\x7f)', $stringReplace);
                        }
                        // Append the php.ini-override filter after the union/select rule if it is missing.
                        if (!preg_match($pattern4, $stringReplace, $matches)) {
                            $stringReplace = str_replace("RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]", "RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]\nRewriteCond %{QUERY_STRING} \\-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]", $stringReplace);
                        }
                        // Insert the comment-spammer FilesMatch block ahead of the bad-bots section if it is missing.
                        if (!preg_match($pattern5, $stringReplace, $matches)) {
                            $stringReplace = str_replace("# BLOCK MORE BAD BOTS RIPPERS AND OFFLINE BROWSERS", "# FORBID COMMENT SPAMMERS ACCESS TO YOUR wp-comments-post.php FILE\n# This is a better approach to blocking Comment Spammers so that you do not\n# accidentally block good traffic to your website. You can add additional\n# Comment Spammer IP addresses on a case by case basis below.\n# Searchable Database of known Comment Spammers http://www.stopforumspam.com/\n\n<FilesMatch " . '"' . "^(wp-comments-post\\.php)" . '"' . ">\nOrder Allow,Deny\nDeny from 46.119.35.\nDeny from 46.119.45.\nDeny from 91.236.74.\nDeny from 93.182.147.\nDeny from 93.182.187.\nDeny from 94.27.72.\nDeny from 94.27.75.\nDeny from 94.27.76.\nDeny from 193.105.210.\nDeny from 195.43.128.\nDeny from 198.144.105.\nDeny from 199.15.234.\nAllow from all\n</FilesMatch>\n\n# BLOCK MORE BAD BOTS RIPPERS AND OFFLINE BROWSERS", $stringReplace);
                        }
                        // Clean up - replace 3 and 4 multiple newlines with 1 newline
                        if (preg_match('/(\\n\\n\\n|\\n\\n\\n\\n)/', $stringReplace, $matches)) {
                            $stringReplace = preg_replace("/(\n\n\n|\n\n\n\n)/", "\n", $stringReplace);
                        }
                        // Writes the edited content back in place: no lock is taken, no temp-file/rename,
                        // and the return value is not checked, so a failed write goes unreported.
                        file_put_contents($filename, $stringReplace);
                        // Auto-lock the file read-only (0404) only when it is currently 644, the host is not
                        // on the exclusion list (non-strict in_array), the autolock option is not 'Off', and
                        // the SAPI is one of the listed server types.
                        if (@$permsHtaccess == '644.' && !in_array(bps_DNS_NS(), $ExcludedHosts) && $options['bps_root_htaccess_autolock'] != 'Off') {
                            if (substr($sapi_type, 0, 3) == 'cgi' || substr($sapi_type, 0, 9) == 'litespeed' || substr($sapi_type, 0, 7) == 'caudium' || substr($sapi_type, 0, 8) == 'webjames' || substr($sapi_type, 0, 3) == 'tux' || substr($sapi_type, 0, 5) == 'roxen' || substr($sapi_type, 0, 6) == 'thttpd' || substr($sapi_type, 0, 6) == 'phttpd' || substr($sapi_type, 0, 10) == 'continuity' || substr($sapi_type, 0, 6) == 'pi3web' || substr($sapi_type, 0, 6) == 'milter') {
                                chmod($filename, 0404);
                            }
                        }
                        print "................BPS Automatic htaccess File Update in Progress. Refresh Your Browser To Clear The BPS Alert.";
                        // Protect the plugin's master htaccess folder with the bundled deny-all file; copy() result is ignored.
                        copy($bps_denyall_htaccess, $bps_denyall_htaccess_renamed);
                    }
                    // Up to date: stop here. Otherwise fall through to the default alert.
                    if (strpos($check_string, "BULLETPROOF .48") && strpos($check_string, "BPSQSE")) {
                        //print($section);
                        break;
                    }
                default:
                    // Reached for unknown versions and for files without the current BPS markers.
                    $text = '<div class="update-nag"><font color="red"><strong>' . __('BPS Alert! Your site does not appear to be protected by BulletProof Security', 'bulletproof-security') . '</strong></font><br><strong>' . __('If you are upgrading BPS - BPS will now automatically update your htaccess files and add any new security filters automatically.', 'bulletproof-security') . '</strong><br><strong>' . __('Refresh your Browser to clear this Alert', 'bulletproof-security') . '</strong><br>' . __('Any custom htaccess code or modifications that you have made will not be altered/changed. Activating BulletProof Modes again after upgrading BPS is no longer necessary.', 'bulletproof-security') . '<br>' . __('In order for BPS to automatically update htaccess files you will need to stay current with BPS plugin updates and install the latest BPS plugin updates when they are available.', 'bulletproof-security') . '<br>' . __('If refreshing your Browser does not clear this alert then you will need to create new Master htaccess files with the AutoMagic buttons and Activate All BulletProof Modes.', 'bulletproof-security') . '<br>' . __('If your site is in Maintenance Mode your site is protected by BPS and this Alert will remain to remind you to put your site back in BulletProof Mode again.', 'bulletproof-security') . '<br>' . __('If your site is in Default Mode then it is not protected by BulletProof Security. Check the BPS', 'bulletproof-security') . ' <strong><a href="admin.php?page=bulletproof-security/admin/options.php#bps-tabs-2">' . __('Security Status page', 'bulletproof-security') . '</a></strong> ' . __('to view your BPS Security Status information.', 'bulletproof-security') . '</div>';
                    echo $text;
            }
        }
    }
}