    /**
     * Outputs the malware scan panel of the settings page.
     *
     * Prints a description of the Sucuri SiteCheck scan with a link to the
     * logs page, an empty results container that is filled client side, and
     * the "Scan Homepage for Malware" button. A second container, shown only
     * when JavaScript is unavailable, explains that the scanner needs it.
     *
     * @param object $form Settings form helper; only add_button() is called on it.
     *                     NOTE(review): presumably an ITSEC_Form instance — confirm.
     *
     * @return void
     */
    public function render($form)
    {
        ?>
	<div class="hide-if-no-js">
		<p><?php 
        printf(__('This malware scan is powered by <a href="%s">Sucuri SiteCheck</a>. It checks for known malware, blacklisting status, website errors and out-of-date software. Although the Sucuri team does its best to provide thorough results, 100%% accuracy is not realistic and is not guaranteed.', 'better-wp-security'), esc_url('https://ithemes.com/sitecheck'));
        ?>
</p>
		<p><?php 
        // The logs page URL is printed as returned; only the SiteCheck link above goes through esc_url().
        printf(__('Results of previous malware scans can be found on the <a href="%s">logs page</a>.', 'better-wp-security'), ITSEC_Core::get_logs_page_url('malware'));
        ?>
</p>
		<div class='itsec-malware-scan-results-wrapper'></div>
		<?php 
        // The scan button is emitted by the form helper rather than as static markup.
        $form->add_button('start', array('value' => __('Scan Homepage for Malware', 'better-wp-security'), 'class' => 'button-primary'));
        ?>
	</div>
	<div class="hide-if-js">
		<p><?php 
        _e('The malware scanner requires Javascript in order to function. If Javascript is disabled in your browser, please enable it. If Javascript is not disabled, a script from another plugin, the theme, or a broken WordPress file is preventing the malware scanner\'s script from executing properly. Please try disabling other plugins to see if that resolves the issue.', 'better-wp-security');
        ?>
</p>
	</div>
<?php 
    }
 /**
  * Determines whether the configured daily time window is active right now.
  *
  * $start and $end are offsets in seconds from local midnight (midnight is
  * derived via strtotime(date('Y-m-d', ...))). A window whose $end is smaller
  * than its $start is treated as one that wraps past midnight.
  *
  * @param int  $start           Window start, seconds since midnight.
  * @param int  $end             Window end, seconds since midnight.
  * @param bool $include_details Return timing details instead of a plain flag.
  *
  * @return bool|array The active flag, or when $include_details is true an
  *                    array with keys active, remaining, next and length
  *                    (the last three in seconds).
  */
 public static function is_current_time_active($start, $end, $include_details = false)
 {
     $timestamp = ITSEC_Core::get_current_time();
     $midnight = strtotime(date('Y-m-d', $timestamp));
     $now = $timestamp - $midnight;

     // A window with $end before $start wraps around midnight.
     $wraps = $start > $end;
     $active = $wraps
         ? ($start <= $now || $now <= $end)
         : ($start <= $now && $now <= $end);

     if (!$include_details) {
         return $active;
     }

     $remaining = $end - $now;
     $next = $start - $now;
     $length = $end - $start;

     // Shift the offsets by a day where needed so they describe the right day.
     if ($active && $remaining < 0) {
         $remaining += DAY_IN_SECONDS;
     } elseif (!$active && $remaining >= 0) {
         $remaining -= DAY_IN_SECONDS;
     }
     if ($next < 0) {
         $next += DAY_IN_SECONDS;
     }
     if ($length < 0) {
         $length += DAY_IN_SECONDS;
     }

     return array(
         'active'    => $active,
         'remaining' => $remaining,
         'next'      => $next,
         'length'    => $length,
     );
 }
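 /**
  * Regenerates the eight WordPress key/salt defines in wp-config.php.
  *
  * Requires the global "Write to Files" setting. Every define() listed in
  * $defines is rewritten in place with a fresh value; when the pool returned
  * by self::get_new_salts() runs dry, wp_generate_password() fills in.
  *
  * @return true|WP_Error True on success, otherwise a WP_Error describing why
  *                       wp-config.php could not be read or written.
  */
 public function generate_new_salts()
 {
     if (!ITSEC_Modules::get_setting('global', 'write_files')) {
         return new WP_Error('itsec-wordpress-salts-utilities-write-files-disabled', __('The "Write to Files" setting is disabled in Global Settings. In order to use this feature, you must enable the "Write to Files" setting.', 'better-wp-security'));
     }

     require_once ITSEC_Core::get_core_dir() . '/lib/class-itsec-lib-config-file.php';
     require_once ITSEC_Core::get_core_dir() . '/lib/class-itsec-lib-file.php';

     $config_file_path = ITSEC_Lib_Config_File::get_wp_config_file_path();
     $config = ITSEC_Lib_File::read($config_file_path);
     if (is_wp_error($config)) {
         return new WP_Error('itsec-wordpress-salts-utilities-cannot-read-wp-config.php', sprintf(__('Unable to read the <code>wp-config.php</code> file in order to update the salts. You will need to manually update the file. Error details as follows: %1$s (%2$s)', 'better-wp-security'), $config->get_error_message(), $config->get_error_code()));
     }

     $defines = array('AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY', 'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT');
     $salts = array();
     foreach ($defines as $define) {
         if (empty($salts)) {
             $salts = self::get_new_salts();
         }
         // Guard against a pool that is not an array (e.g. an error from get_new_salts()).
         $salt = is_array($salts) ? array_pop($salts) : null;
         if (empty($salt)) {
             $salt = wp_generate_password(64, true, true);
         }

         // The salt is spliced into a preg_replace() replacement string, where a
         // backslash followed by a digit is a backreference and '$' starts a group
         // reference. Escape the backslash first so the one added for '$' is kept.
         // NOTE(review): a salt containing a single quote would break the define;
         // the generators used here are assumed not to emit quotes — confirm.
         $salt = str_replace(array('\\', '$'), array('\\\\', '\\$'), $salt);
         $regex = "/(define\\s*\\(\\s*(['\"]){$define}\\2\\s*,\\s*)(['\"]).+?\\3(\\s*\\)\\s*;)/";
         $config = preg_replace($regex, "\${1}'{$salt}'\${4}", $config);
     }

     $write_result = ITSEC_Lib_File::write($config_file_path, $config);
     if (is_wp_error($write_result)) {
         // Report the write error itself; $config holds the file contents at this point.
         return new WP_Error('itsec-wordpress-salts-utilities-cannot-save-wp-config.php', sprintf(__('Unable to update the <code>wp-config.php</code> file in order to update the salts. You will need to manually update the file. Error details as follows: %1$s (%2$s)', 'better-wp-security'), $write_result->get_error_message(), $write_result->get_error_code()));
     }

     return true;
 }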
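 /**
  * Rejects over-long request URIs that also carry known injection fragments.
  *
  * Only URIs longer than 255 characters are inspected. Admin requests, WP-CLI
  * runs, iThemes Sync (IWP) calls and infinite-scroll requests are exempt.
  * A matching request is answered with a 414 status and terminated; the
  * fragment comparison is case-sensitive (strpos()).
  *
  * @return void
  */
 public function block_long_urls()
 {
     // Without a request URI (e.g. CLI) there is nothing to inspect.
     $request_uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
     if (strlen($request_uri) <= 255) {
         return;
     }
     if (is_admin() || (defined('WP_CLI') && WP_CLI) || ITSEC_Core::is_iwp_call()) {
         return;
     }
     // Infinite-scroll requests legitimately carry long query strings.
     if (false !== strpos($request_uri, 'infinity=scrolling&action=infinite_scroll')) {
         return;
     }

     // TODO: These checks should not be part of the "Filter Long URL Strings" feature.
     // Compare against false explicitly: a match at offset 0 is falsy under a bare truthiness test.
     $fragments = array('eval(', 'CONCAT', 'UNION+SELECT', 'base64');
     foreach ($fragments as $fragment) {
         if (false !== strpos($request_uri, $fragment)) {
             @header('HTTP/1.1 414 Request-URI Too Long');
             @header('Status: 414 Request-URI Too Long');
             @header('Cache-Control: no-cache, must-revalidate');
             @header('Expires: Thu, 22 Jun 1978 00:28:00 GMT');
             @header('Connection: Close');
             @exit;
         }
     }
 }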
 /**
  * Applies the "write_permissions" setting once the settings pass validation.
  *
  * Regenerates the server config when anything changed, then adjusts the
  * permission bits of the server config file and wp-config.php: 0444 on every
  * save while the setting is on, 0664 only at the moment it is turned off.
  *
  * @return void
  */
 protected function validate_settings()
 {
     if (!$this->can_save()) {
         return;
     }

     $previous_settings = ITSEC_Modules::get_settings($this->get_id());
     if (array_diff_assoc($this->settings, $previous_settings)) {
         ITSEC_Response::regenerate_server_config();
     }

     $new_permissions = null;
     if ($this->settings['write_permissions']) {
         // Re-apply 0444 on every save so drifted permissions are corrected.
         $new_permissions = 0444;
     } elseif ($this->settings['write_permissions'] !== $previous_settings['write_permissions']) {
         // Restore the default only on the transition from enabled to disabled,
         // so a setting that was never enabled leaves the files untouched.
         $new_permissions = 0664;
     }

     if (null === $new_permissions) {
         return;
     }

     require_once ITSEC_Core::get_core_dir() . 'lib/class-itsec-lib-config-file.php';
     require_once ITSEC_Core::get_core_dir() . 'lib/class-itsec-lib-file.php';

     $files = array(
         ITSEC_Lib_Config_File::get_server_config_file_path(),
         ITSEC_Lib_Config_File::get_wp_config_file_path(),
     );
     foreach ($files as $path) {
         ITSEC_Lib_File::chmod($path, $new_permissions);
     }
     ITSEC_Response::reload_module('file-permissions');
 }
 /**
  * Runs every verb a sync module lists under "everything" and collects the results.
  *
  * Modules missing any of the "verbs", "path" or "everything" entries are
  * skipped. Verb classes are loaded on demand from
  * "<path>/class-ithemes-sync-verb-<verb>.php".
  *
  * @param mixed $arguments Unused.
  *
  * @return array "api" => "1" plus one entry per module keyed by module name,
  *               each mapping a verb name to that verb's run() result.
  */
 public function run($arguments)
 {
     $modules = ITSEC_Core::get_itsec_sync()->get_modules();
     $results = array();

     foreach ($modules as $name => $module) {
         if (!isset($module['verbs'], $module['path'], $module['everything'])) {
             continue;
         }

         // "everything" may be a single verb or a list; only registered verbs run.
         $candidates = is_array($module['everything']) ? $module['everything'] : array($module['everything']);
         foreach ($candidates as $verb) {
             if (!isset($module['verbs'][$verb])) {
                 continue;
             }

             $class = $module['verbs'][$verb];
             if (!class_exists($class)) {
                 require trailingslashit($module['path']) . 'class-ithemes-sync-verb-' . $verb . '.php';
             }
             $handler = new $class();
             $results[$name][$verb] = $handler->run(array());
         }
     }

     return array_merge(array('api' => '1'), $results);
 }
 /**
  * Regenerates the WordPress salts when the "regenerate" checkbox was submitted.
  *
  * The transient "regenerate" flag is always dropped from the stored settings.
  * Without the flag, a single-module AJAX save is rejected with an explanatory
  * error; any other save simply proceeds. With the flag, the salts are rewritten,
  * last_generated is stamped and every session is logged out.
  *
  * @return void
  */
 protected function validate_settings()
 {
     if (!$this->can_save()) {
         return;
     }

     $regenerate = !empty($this->settings['regenerate']);
     unset($this->settings['regenerate']);

     if (!$regenerate) {
         $single_module_ajax = defined('DOING_AJAX') && DOING_AJAX && !empty($_POST['module']) && $this->get_id() === $_POST['module'];
         if ($single_module_ajax) {
             // Request to modify just this module: nothing to save, so say why.
             $this->set_can_save(false);
             if (ITSEC_Modules::get_setting('global', 'write_files')) {
                 $this->add_error(new WP_Error('itsec-wordpress-salts-skipping-regeneration-empty-checkbox', __('You must check the Change WordPress Salts checkbox in order to change the WordPress salts.', 'better-wp-security')));
             } else {
                 $this->add_error(new WP_Error('itsec-wordpress-salts-skipping-regeneration-write-files-disabled', __('The "Write to Files" setting is disabled in Global Settings. In order to use this feature, you must enable the "Write to Files" setting.', 'better-wp-security')));
             }
         }
         return;
     }

     require_once dirname(__FILE__) . '/utilities.php';

     $result = ITSEC_WordPress_Salts_Utilities::generate_new_salts();
     if (is_wp_error($result)) {
         $this->add_error($result);
         $this->set_can_save(false);
         return;
     }

     $this->add_message(__('The WordPress salts were successfully regenerated.', 'better-wp-security'));
     $this->settings['last_generated'] = ITSEC_Core::get_current_time_gmt();
     // New salts invalidate every auth cookie, so end all sessions explicitly.
     ITSEC_Response::force_logout();
 }
 /**
  * Emails the configured notification addresses that the login URL changed.
  *
  * Skipped entirely during a data upgrade so migrated sites are not spammed.
  * The message is sent as HTML through wp_mail(), with the content type
  * filtered via $this->get_html_content_type only for the duration of the sends.
  *
  * @param string $url The new login address.
  *
  * @return void
  */
 private function send_new_login_url($url)
 {
     if (ITSEC_Core::doing_data_upgrade()) {
         // Porting settings from an older version must not trigger notifications.
         return;
     }

     $paragraphs = array();
     $paragraphs[] = '<p>' . __('Dear Site Admin,', 'better-wp-security') . '</p>';
     /* translators: 1: Site name, 2: Site address, 3: New login address */
     $paragraphs[] = '<p>' . sprintf(__('The login address for %1$s (<code>%2$s</code>) has changed. The new login address is <code>%3$s</code>. You will be unable to use the old login address.', 'better-wp-security'), get_bloginfo('name'), esc_url(get_site_url()), esc_url($url)) . '</p>';
     if (defined('ITSEC_DEBUG') && ITSEC_DEBUG === true) {
         // Debug builds only: HTTP_HOST and REQUEST_URI come from the client and are escaped as a URL.
         $paragraphs[] = '<p>Debug info (source page): ' . esc_url($_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]) . '</p>';
     }
     $message = "<html>\n" . implode("\n", $paragraphs) . "\n</html>\n";

     $recipients = ITSEC_Modules::get_setting('global', 'notification_email');
     $subject = apply_filters('itsec_lockout_email_subject', sprintf(__('[%1$s] WordPress Login Address Changed', 'better-wp-security'), get_site_url()));
     $headers = sprintf("From: %s <%s>\r\n", get_bloginfo('name'), get_option('admin_email'));

     // Deliver as HTML, but only for these messages.
     add_filter('wp_mail_content_type', array($this, 'get_html_content_type'));
     foreach ($recipients as $recipient) {
         $address = trim($recipient);
         if (is_email($address)) {
             wp_mail($address, $subject, $message, $headers);
         }
     }
     remove_filter('wp_mail_content_type', array($this, 'get_html_content_type'));
 }
 /**
  * Sanitizes the ban-list settings and refuses hosts that must not be banned.
  *
  * After the standard sanitizers run, every host_list entry is rejected when
  * it covers the current visitor's own IP (logged-in users only) or a
  * whitelisted IP; either case blocks saving and records an error.
  *
  * @return void
  */
 protected function sanitize_settings()
 {
     $this->sanitize_setting('bool', 'default', __('Default Blacklist', 'better-wp-security'));
     $this->sanitize_setting('bool', 'enable_ban_lists', __('Ban Lists', 'better-wp-security'));
     $this->sanitize_setting('newline-separated-ips', 'host_list', __('Ban Hosts', 'better-wp-security'));

     if (is_array($this->settings['host_list'])) {
         require_once ITSEC_Core::get_core_dir() . '/lib/class-itsec-lib-ip-tools.php';

         $current_ip = ITSEC_Lib::get_ip();
         $logged_in = is_user_logged_in();
         $whitelisted = array();

         foreach ($this->settings['host_list'] as $host) {
             // A logged-in user must not be able to lock themselves out.
             $covers_own_ip = $logged_in && ITSEC_Lib_IP_Tools::intersect($current_ip, ITSEC_Lib_IP_Tools::ip_wild_to_ip_cidr($host));
             if ($covers_own_ip) {
                 $this->set_can_save(false);
                 /* translators: 1: input name, 2: invalid host */
                 $this->add_error(sprintf(__('The following host in %1$s matches your current IP and cannot be banned: %2$s', 'better-wp-security'), __('Ban Hosts', 'better-wp-security'), $host));
             } elseif (ITSEC_Lib::is_ip_whitelisted($host)) {
                 $whitelisted[] = $host;
             }
         }

         if (count($whitelisted) > 0) {
             $this->set_can_save(false);
             /* translators: 1: input name, 2: invalid host list */
             $this->add_error(wp_sprintf(_n('The following IP in %1$s is whitelisted and cannot be banned: %2$l', 'The following IPs in %1$s are whitelisted and cannot be banned: %2$l', count($whitelisted), 'better-wp-security'), __('Ban Hosts', 'better-wp-security'), $whitelisted));
         }
     }

     $this->sanitize_setting(array($this, 'sanitize_agent_list_entry'), 'agent_list', __('Ban User Agents', 'better-wp-security'));
 }
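 /**
  * Sanitizes and validates the backup module options.
  *
  * Normalises the checkbox and numeric fields, validates the backup location
  * and resets it to the default directory (recording a settings error) when
  * it is invalid. On multisite the result is also stored on $this->settings
  * and a network admin notice is queued.
  *
  * @since 4.0.0
  *
  * @param array $input Raw option values as submitted.
  *
  * @return array Sanitized option values.
  */
 public function sanitize_module_input($input)
 {
     global $itsec_globals;

     $default_location = $itsec_globals['ithemes_backup_dir'];

     $input['enabled'] = isset($input['enabled']) && 1 == $input['enabled'];
     $input['all_sites'] = isset($input['all_sites']) && 1 == $input['all_sites'];
     $input['interval'] = isset($input['interval']) ? absint($input['interval']) : 3;
     $input['method'] = isset($input['method']) ? intval($input['method']) : 0;
     $input['location'] = isset($input['location']) ? sanitize_text_field($input['location']) : $default_location;
     // last_run is maintained by the scheduler, never taken from the form.
     $input['last_run'] = isset($this->settings['last_run']) ? $this->settings['last_run'] : 0;
     $input['retain'] = isset($input['retain']) ? absint($input['retain']) : 0;

     // The default directory is trusted; anything else must pass the path validator.
     $good_path = true;
     if ($input['location'] != $default_location) {
         $good_path = ITSEC_Lib::validate_path($input['location']);
     }

     if (true !== $good_path) {
         $input['location'] = $default_location;
         $type = 'error';
         /* translators: 1: default backup directory */
         // The directory is a placeholder, not concatenated into the string, so the message stays translatable.
         $message = sprintf(__('The file path entered for the backup file location does not appear to be valid. it has been reset to: %1$s', 'it-l10n-ithemes-security-pro'), $default_location);
         add_settings_error('itsec', esc_attr('settings_updated'), $message, $type);
     }

     // NOTE(review): 'exclude' is stored as submitted; its expected shape is not visible here — confirm.
     $input['exclude'] = isset($input['exclude']) ? $input['exclude'] : array();
     $input['zip'] = isset($input['zip']) && 1 == $input['zip'];

     if (is_multisite()) {
         if (isset($type)) {
             $error_handler = new WP_Error();
             $error_handler->add($type, $message);
             $this->core->show_network_admin_notice($error_handler);
         } else {
             $this->core->show_network_admin_notice(false);
         }
         $this->settings = $input;
     }

     return $input;
 }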
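 /**
  * Queues the "join Network Brute Force Protection" call to action.
  *
  * Does nothing when the module is unavailable. When an API key and secret are
  * already configured, activation is enforced and no form is shown. Otherwise
  * the rendered sign-up form (email, update opt-in, activate button) is
  * appended to self::$calls_to_action.
  *
  * @return void
  */
 private static function add_network_brute_force_signup()
 {
     if (!in_array('network-brute-force', self::$available_modules, true)) {
         return;
     }

     $settings = ITSEC_Modules::get_settings('network-brute-force');
     if (!empty($settings['api_key']) && !empty($settings['api_secret'])) {
         self::enforce_activation('network-brute-force', __('Network Brute Force Protection', 'better-wp-security'));
         return;
     }

     require_once ITSEC_Core::get_core_dir() . '/lib/form.php';
     $form = new ITSEC_Form();
     $form->add_input_group('security-check');

     ob_start();
     self::open_container('incomplete', 'itsec-security-check-network-brute-force-container');
     echo '<p>' . __('With Network Brute Force Protection, your site is protected against attackers found by other sites running iThemes Security. If your site identifies a new attacker, it automatically notifies the network so that other sites are protected as well. To join this site to the network and enable the protection, click the button below.', 'better-wp-security') . '</p>';

     // Each form field is captured so it can be embedded in the translated label.
     ob_start();
     $form->add_text('email', array('class' => 'regular-text', 'value' => get_option('admin_email')));
     $email_input = ob_get_clean();
     // Close the <label> before </p>; it was left open previously.
     /* translators: 1: email text input */
     echo '<p><label for="itsec-security-check-email">' . sprintf(__('Email Address: %1$s', 'better-wp-security'), $email_input) . '</label></p>';

     ob_start();
     $form->add_select('updates_optin', array('true' => __('Yes', 'better-wp-security'), 'false' => __('No', 'better-wp-security')));
     $optin_input = ob_get_clean();
     /* translators: 1: opt-in input */
     echo '<p><label for="itsec-security-check-updates_optin">' . sprintf(__('Receive email updates about WordPress Security from iThemes: %1$s', 'better-wp-security'), $optin_input) . '</label></p>';

     ob_start();
     $form->add_button('enable_network_brute_force', array('class' => 'button-primary', 'value' => __('Activate Network Brute Force Protection', 'better-wp-security')));
     echo '<p>' . ob_get_clean() . '</p>';

     echo '<div id="itsec-security-check-network-brute-force-errors"></div>';
     echo '</div>';

     self::$calls_to_action[] = ob_get_clean();
 }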
 /**
  * Hides theme, plugin and core update checks from non-admin users on multisite.
  *
  * Skipped for iThemes Sync calls and for users who can manage_options. For
  * each enabled tweak the update-check action is removed, the update transient
  * is short-circuited to null and the scheduled cron event is cleared.
  *
  * @return void
  */
 public function init()
 {
     if (ITSEC_Core::is_iwp_call() || current_user_can('manage_options')) {
         return;
     }

     $settings = ITSEC_Modules::get_settings('multisite-tweaks');

     // setting => array(action hook, callback, priority, transient filter, cron hook)
     $tweaks = array(
         'theme_updates'  => array('load-update-core.php', 'wp_update_themes', 10, 'pre_site_transient_update_themes', 'wp_update_themes'),
         'plugin_updates' => array('load-update-core.php', 'wp_update_plugins', 10, 'pre_site_transient_update_plugins', 'wp_update_plugins'),
         'core_updates'   => array('admin_notices', 'update_nag', 3, 'pre_site_transient_update_core', 'wp_version_check'),
     );

     foreach ($tweaks as $setting => $tweak) {
         if (empty($settings[$setting])) {
             continue;
         }
         list($action, $callback, $priority, $transient_filter, $cron_hook) = $tweak;
         remove_action($action, $callback, $priority);
         add_filter($transient_filter, '__return_null');
         wp_clear_scheduled_hook($cron_hook);
     }
 }
 /**
  * Changes the "admin" username and/or the ID of user 1.
  *
  * The work is guarded by the "admin_user" file lock. With a valid $username
  * and $id not true, user_login is rewritten directly in the users table (plus
  * the serialized site_admins entry in sitemeta on multisite). With $id true,
  * the row for ID 1 is deleted and re-inserted so it receives a new ID, and
  * posts, usermeta, comments and links are repointed to that ID.
  *
  * NOTE(review): the lock is released before each return inside the locked
  * section except on the path where no username is given and $id is not true;
  * that path falls through to the final "return false" with the lock still held.
  *
  * @param string $username the username to change if changing at the same time
  * @param bool   $id       whether to change the id as well
  *
  * @return bool success or failure
  *
  **/
 private function change_admin_user($username = null, $id = false)
 {
     global $wpdb;
     $itsec_files = ITSEC_Core::get_itsec_files();
     if ($itsec_files->get_file_lock('admin_user')) {
         // The lock guarantees only one change runs at a time.
         // Sanitize the requested username.
         $new_user = sanitize_text_field($username);
         // Load the full user object for ID 1.
         $user_object = get_user_by('id', '1');
         if (!is_null($username) && validate_username($new_user) && false === username_exists($new_user)) {
             // There is a valid, unused username to switch to.
             if ($id === true) {
                 // The ID changes too, so the new login is applied by the re-insert below.
                 $user_login = $new_user;
             } else {
                 // Only the username changes: update the users table in place.
                 $wpdb->query("UPDATE `" . $wpdb->users . "` SET user_login = '******' WHERE user_login='******';");
                 if (is_multisite()) {
                     // site_admins is a serialized array; the replacement assumes it contains exactly 5:"admin".
                     $oldAdmins = $wpdb->get_var("SELECT meta_value FROM `" . $wpdb->sitemeta . "` WHERE meta_key = 'site_admins'");
                     $newAdmins = str_replace('5:"admin"', strlen($new_user) . ':"' . esc_sql($new_user) . '"', $oldAdmins);
                     $wpdb->query("UPDATE `" . $wpdb->sitemeta . "` SET meta_value = '" . esc_sql($newAdmins) . "' WHERE meta_key = 'site_admins'");
                 }
                 $itsec_files->release_file_lock('admin_user');
                 return true;
             }
         } elseif ($username !== null) {
             // A username was given but did not validate or is already taken.
             $itsec_files->release_file_lock('admin_user');
             return false;
         } else {
             // Only the ID changes; keep the existing login.
             $user_login = $user_object->user_login;
         }
         if ($id === true) {
             // Change the user ID: drop the row and re-insert it so auto-increment assigns a new ID.
             $wpdb->query("DELETE FROM `" . $wpdb->users . "` WHERE ID = 1;");
             $wpdb->insert($wpdb->users, array('user_login' => $user_login, 'user_pass' => $user_object->user_pass, 'user_nicename' => $user_object->user_nicename, 'user_email' => $user_object->user_email, 'user_url' => $user_object->user_url, 'user_registered' => $user_object->user_registered, 'user_activation_key' => $user_object->user_activation_key, 'user_status' => $user_object->user_status, 'display_name' => $user_object->display_name));
             if (is_multisite() && $username !== null && validate_username($new_user)) {
                 // Same serialized site_admins rewrite as in the username-only branch.
                 $oldAdmins = $wpdb->get_var("SELECT meta_value FROM `" . $wpdb->sitemeta . "` WHERE meta_key = 'site_admins'");
                 $newAdmins = str_replace('5:"admin"', strlen($new_user) . ':"' . esc_sql($new_user) . '"', $oldAdmins);
                 $wpdb->query("UPDATE `" . $wpdb->sitemeta . "` SET meta_value = '" . esc_sql($newAdmins) . "' WHERE meta_key = 'site_admins'");
             }
             // From here on $new_user is the freshly assigned numeric ID, not the login name.
             $new_user = $wpdb->insert_id;
             $wpdb->query("UPDATE `" . $wpdb->posts . "` SET post_author = '" . $new_user . "' WHERE post_author = 1;");
             $wpdb->query("UPDATE `" . $wpdb->usermeta . "` SET user_id = '" . $new_user . "' WHERE user_id = 1;");
             $wpdb->query("UPDATE `" . $wpdb->comments . "` SET user_id = '" . $new_user . "' WHERE user_id = 1;");
             $wpdb->query("UPDATE `" . $wpdb->links . "` SET link_owner = '" . $new_user . "' WHERE link_owner = 1;");
             $itsec_files->release_file_lock('admin_user');
             return true;
         }
     }
     return false;
 }
    /**
     * Outputs the Admin User tool settings: a warning, a "new username" field
     * (only while a user named "admin" exists) and a "change user ID 1"
     * checkbox (only while a user with ID 1 exists).
     *
     * @param object $form Settings form helper; add_text() and add_checkbox() are called on it.
     *                     NOTE(review): presumably an ITSEC_Form instance — confirm.
     *
     * @return void
     */
    protected function render_settings($form)
    {
        ?>
	<div class="itsec-warning-message"><?php 
        printf(__('<span>Warning:</span> The changes made by this tool could cause compatibility issues with some plugins, themes, or customizations. Ensure that you <a href="%s">create a database backup</a> before using this tool.', 'better-wp-security'), esc_url(ITSEC_Core::get_backup_creation_page_url()));
        ?>
</div>
	
	<table class="form-table itsec-settings-section">
		<?php 
        // Only offer a rename while the stock "admin" account still exists.
        if (username_exists('admin')) {
            ?>
			<tr>
				<th scope="row"><label for="itsec-admin-user-new_username"><?php 
            _e('New Admin Username', 'better-wp-security');
            ?>
</label></th>
				<td>
					<?php 
            $form->add_text('new_username', array('class' => 'code'));
            ?>
					<br />
					<p class="description"><?php 
            _e('Enter a new username to replace "admin." Please note that if you are logged in as admin you will have to log in again.', 'better-wp-security');
            ?>
</p>
				</td>
			</tr>
		<?php 
        }
        ?>
		<?php 
        // Only offer the ID change while a user with ID 1 exists.
        if (ITSEC_Lib::user_id_exists(1)) {
            ?>
			<tr>
				<th scope="row"><label for="itsec-admin-user-change_id"><?php 
            _e('Change User ID 1', 'better-wp-security');
            ?>
</label></th>
				<td>
					<?php 
            $form->add_checkbox('change_id');
            ?>
					<label for="itsec-admin-user-change_id"><?php 
            _e('Change the ID of the user with ID 1.', 'better-wp-security');
            ?>
</label>
				</td>
			</tr>
		<?php 
        }
        ?>
	</table>
<?php 
    }
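 /**
  * Prints the wp-config.php rules this plugin wants in place, or a notice that none are needed.
  *
  * @param object $form Unused here; kept for the settings-page render signature.
  *
  * @return void
  */
 protected function render_description($form)
 {
     require_once ITSEC_Core::get_core_dir() . '/lib/class-itsec-lib-config-file.php';

     $config = ITSEC_Lib_Config_File::get_wp_config();
     if (empty($config)) {
         _e('There is nothing that needs to be written to your <code>wp-config.php</code> file.', 'better-wp-security');
         return;
     }

     // Pass the text domain so this message is translatable with the rest of the plugin.
     echo '<p>' . __('The following rules need to be written to your <code>wp-config.php</code> file. Please make sure to keep the comments in place.', 'better-wp-security') . '</p>';
     // esc_html() keeps the config contents from being interpreted as markup.
     echo '<div class="itsec_rewrite_rules"><pre>' . esc_html($config) . '</pre></div>';
 }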
 /**
  * Reacts to global settings being switched on.
  *
  * Turning on the digest email starts a fresh, empty message queue stamped
  * with the current GMT time; turning on "write files" regenerates both the
  * server config and wp-config.php.
  *
  * @param array $old_settings The settings as they were before this save.
  *
  * @return void
  */
 protected function handle_settings_changes($old_settings)
 {
     $digest_turned_on = $this->settings['digest_email'] && !$old_settings['digest_email'];
     if ($digest_turned_on) {
         update_site_option('itsec_message_queue', array(
             'last_sent' => ITSEC_Core::get_current_time_gmt(),
             'messages'  => array(),
         ));
     }

     $write_files_turned_on = $this->settings['write_files'] && !$old_settings['write_files'];
     if ($write_files_turned_on) {
         ITSEC_Response::regenerate_server_config();
         ITSEC_Response::regenerate_wp_config();
     }
 }
 /**
  * Registers the file-change settings page scripts and styles.
  *
  * Localizes the settings script with button labels, result messages, the
  * home path and the AJAX nonce for the scan, and the file-tree script with
  * its own nonce.
  *
  * @return void
  */
 public function enqueue_scripts_and_styles()
 {
     $settings = ITSEC_Modules::get_settings($this->id);
     $logs_url = esc_url(ITSEC_Core::get_logs_page_url('file_change'));

     $split_scan = isset($settings['split']) && true === $settings['split'];
     $button_text = $split_scan
         ? __('Scan Next File Chunk', 'better-wp-security')
         : __('Scan Files Now', 'better-wp-security');

     $settings_vars = array(
         'button_text'          => $button_text,
         'scanning_button_text' => __('Scanning...', 'better-wp-security'),
         'no_changes'           => __('No changes were detected.', 'better-wp-security'),
         'found_changes'        => sprintf(__('Changes were detected. Please check the <a href="%s" target="_blank">logs page</a> for details.', 'better-wp-security'), $logs_url),
         'unknown_error'        => __('An unknown error occured. Please try again later', 'better-wp-security'),
         'already_running'      => sprintf(__('A scan is already in progress. Please check the <a href="%s" target="_blank">logs page</a> at a later time for the results of the scan.', 'better-wp-security'), $logs_url),
         'ABSPATH'              => ITSEC_Lib::get_home_path(),
         'nonce'                => wp_create_nonce('itsec_do_file_check'),
     );
     wp_enqueue_script('itsec-file-change-settings-script', plugins_url('js/settings-page.js', __FILE__), array('jquery'), $this->script_version, true);
     wp_localize_script('itsec-file-change-settings-script', 'itsec_file_change_settings', $settings_vars);

     $filetree_vars = array('nonce' => wp_create_nonce('itsec_jquery_filetree'));
     wp_enqueue_script('itsec-file-change-admin-filetree-script', plugins_url('js/filetree/jqueryFileTree.js', __FILE__), array('jquery'), $this->script_version, true);
     wp_localize_script('itsec-file-change-admin-filetree-script', 'itsec_jquery_filetree', $filetree_vars);

     wp_enqueue_style('itsec-file-change-admin-filetree-style', plugins_url('js/filetree/jqueryFileTree.css', __FILE__), array(), $this->script_version);
     wp_enqueue_style('itsec-file-change-admin-style', plugins_url('css/settings.css', __FILE__), array(), $this->script_version);
 }
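 /**
  * Builds and sends the daily security digest, then resets the message queue.
  *
  * Unless ITSEC_NOTIFY_USE_CRON is enabled, the "itsec_notification_running"
  * site transient (one hour) prevents overlapping runs; 404 requests never
  * trigger a send. A mail goes out when there were lockouts or when modules
  * queued messages; the queue is reset either way.
  *
  * @since 4.5
  *
  * @return void
  */
 public function init()
 {
     global $itsec_globals, $itsec_lockout;

     $use_cron = defined('ITSEC_NOTIFY_USE_CRON') && false !== ITSEC_NOTIFY_USE_CRON;
     if (is_404() || (!$use_cron && false !== get_site_transient('itsec_notification_running'))) {
         return;
     }
     if (!$use_cron) {
         set_site_transient('itsec_notification_running', true, 3600);
     }

     $messages = false;
     if (isset($this->queue['messages']) && count($this->queue['messages']) > 0) {
         $messages = $this->queue['messages'];
     }

     $host_count = count($itsec_lockout->get_lockouts('host', true));
     $user_count = count($itsec_lockout->get_lockouts('user', true));
     $has_lockouts = !(0 === $host_count && 0 === $user_count);

     if (!$has_lockouts) {
         $lockout_message = __('There have been no lockouts since the last email check.', 'better-wp-security');
     } elseif (0 === $host_count && $user_count > 1) {
         $lockout_message = sprintf('%s %s %s', __('There have been', 'better-wp-security'), $user_count, __('users or usernames locked out for attempting to log in with incorrect credentials.', 'better-wp-security'));
     } elseif (0 === $host_count && 1 === $user_count) {
         $lockout_message = sprintf('%s %s %s', __('There has been', 'better-wp-security'), $user_count, __('user or username locked out for attempting to log in with incorrect credentials.', 'better-wp-security'));
     } elseif (1 === $host_count && 0 === $user_count) {
         $lockout_message = sprintf('%s %s %s', __('There has been', 'better-wp-security'), $host_count, __('host locked out.', 'better-wp-security'));
     } elseif ($host_count > 1 && 0 === $user_count) {
         $lockout_message = sprintf('%s %s %s', __('There have been', 'better-wp-security'), $host_count, __('hosts locked out.', 'better-wp-security'));
     } else {
         $lockout_message = sprintf('%s %s %s %s %s %s %s', __('There have been', 'better-wp-security'), $user_count + $host_count, __('lockout(s) including', 'better-wp-security'), $user_count, __('user(s) and', 'better-wp-security'), $host_count, __('host(s) locked out of your site.', 'better-wp-security'));
     }

     if ($has_lockouts || false !== $messages) {
         // NOTE(review): queued messages are emitted as raw HTML; this assumes the producers escape them — confirm.
         $module_message = '';
         if (is_array($messages)) {
             foreach ($messages as $message) {
                 if (is_string($message)) {
                     $module_message .= '<p>' . $message . '</p>';
                 }
             }
         }

         // Every translatable fragment carries the text domain, including the "generated by" line.
         $body = sprintf('<p>%s,</p><p>%s <a href="%s">%s</a></p><p><strong>%s: </strong>%s</p>%s<p>%s %s</p><p>%s <a href="%s">%s</a>.</p>', __('Dear Site Admin', 'better-wp-security'), __('The following is a summary of security related activity on your site. For details please visit', 'better-wp-security'), wp_login_url(ITSEC_Core::get_logs_page_url()), __('the security logs', 'better-wp-security'), __('Lockouts', 'better-wp-security'), $lockout_message, $module_message, __('This email was generated automatically by', 'better-wp-security'), $itsec_globals['plugin_name'], __('To change your email preferences please visit', 'better-wp-security'), wp_login_url(ITSEC_Core::get_settings_page_url()), __('the plugin settings', 'better-wp-security'));

         $subject = '[' . get_option('siteurl') . '] ' . __('Daily Security Digest', 'better-wp-security');
         $subject = apply_filters('itsec_lockout_email_subject', $subject);
         $headers = 'From: ' . get_bloginfo('name') . ' <' . get_option('admin_email') . '>' . "\r\n";
         $this->send_mail($subject, $body, $headers);
     }

     // Start a fresh queue whether or not anything was sent.
     $this->queue = array('last_sent' => $itsec_globals['current_time_gmt'], 'messages' => array());
     update_site_option('itsec_message_queue', $this->queue);
 }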
 /**
  * Sanitizes the strong-passwords module options.
  *
  * NOTE(review): "roll" is only normalised when its tag-stripped value is
  * purely alphabetic; otherwise the submitted value passes through unchanged —
  * confirm that is intended.
  *
  * @since 1.2.0
  *
  * @param array $input Raw option values as submitted.
  *
  * @return array Sanitized option values.
  */
 public function sanitize_module_input($input)
 {
     $input['enabled'] = isset($input['enabled']) && 1 === intval($input['enabled']);

     if (isset($input['roll'])) {
         $role = wp_strip_all_tags($input['roll']);
         if (ctype_alpha($role)) {
             $input['roll'] = $role;
         }
     }

     $input['offset'] = isset($input['offset']) ? intval($input['offset']) : 1;

     if (is_multisite()) {
         $this->core->show_network_admin_notice(false);
         $this->settings = $input;
     }

     return $input;
 }
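 /**
  * Sanitize and validate the file change detection module settings.
  *
  * Sanitizes and validates module options saved on the settings page or via multisite.
  * Checkbox flags are compared strictly against the integer 1 (matching the other
  * sanitize_module_input() in this file); the original `intval($x == 1)` compared
  * loosely. 'file_list' and 'types' are tolerated when absent instead of raising a notice.
  *
  * @since 4.0.0
  *
  * @param  array $input Raw option values from the settings form
  *
  * @return array Sanitized array
  */
 public function sanitize_module_input($input)
 {
     global $itsec_globals;
     //File Change Detection Fields
     foreach (array('enabled', 'split', 'method', 'email', 'notify_admin') as $flag) {
         $input[$flag] = isset($input[$flag]) && 1 === intval($input[$flag]);
     }
     // Resume marker for split scans; its shape is not known from this code, so it is passed through.
     $input['last_chunk'] = isset($input['last_chunk']) ? $input['last_chunk'] : false;
     // Both lists arrive either as a newline-separated textarea value or as an already split array.
     $to_list = function ($value) {
         return is_array($value) ? $value : explode(PHP_EOL, (string) $value);
     };
     $good_files = array();
     foreach ($to_list(isset($input['file_list']) ? $input['file_list'] : '') as $file) {
         $file = sanitize_text_field(trim($file));
         // Blank lines (e.g. a trailing newline) carry no information and are dropped.
         if ('' !== $file) {
             $good_files[] = $file;
         }
     }
     $input['file_list'] = $good_files;
     $good_types = array();
     foreach ($to_list(isset($input['types']) ? $input['types'] : '') as $file_type) {
         $file_type = trim($file_type);
         if (0 < strlen($file_type) && '.' != $file_type) {
             // Normalise to exactly one leading dot: "php", ".php" and "..php" all become ".php".
             $good_type = sanitize_text_field('.' . str_replace('.', '', $file_type));
             $good_types[] = sanitize_text_field(trim($good_type));
         }
     }
     $input['types'] = $good_types;
     // Split scans run on a shorter cycle than the once-a-day full check.
     $interval = true === $input['split'] ? 12282 : 86340;
     if (defined('ITSEC_DOING_FILE_CHECK') && true === ITSEC_DOING_FILE_CHECK) {
         $input['last_run'] = $itsec_globals['current_time'];
     } else {
         // Keep a recent last_run; otherwise pull it forward so the next check is due shortly.
         $input['last_run'] = isset($this->settings['last_run']) && $this->settings['last_run'] > $itsec_globals['current_time'] - $interval ? $this->settings['last_run'] : $itsec_globals['current_time'] - $interval + 120;
     }
     if (is_multisite()) {
         $this->core->show_network_admin_notice(false);
         $this->settings = $input;
     }
     return $input;
 }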
 public function show_file_change_warning()
 {
     // Dismissal is a nonce-protected link back to the settings page.
     $dismiss_url = add_query_arg(
         array('file_change_dismiss_warning' => '1', 'nonce' => $this->dismiss_nonce),
         ITSEC_Core::get_settings_page_url()
     );
     $logs_url = ITSEC_Core::get_logs_page_url();
     $message = __('iThemes Security noticed file changes in your WordPress site. Please review the logs to make sure your system has not been compromised.', 'better-wp-security');
     $view_link = "<a class='button-primary' href='" . esc_url($logs_url) . "'>" . __('View Logs', 'better-wp-security') . '</a>';
     $dismiss_link = "<a id='itsec-file-change-dismiss-warning' class='button-secondary' href='" . esc_url($dismiss_url) . "'>" . __('Dismiss Warning', 'better-wp-security') . '</a>';
     $lines = array(
         "<div id='itsec-file-change-warning-dialog' class='error'>",
         "<p>{$message}</p>",
         '<p>' . $view_link . ' ' . $dismiss_link . '</p>',
         '</div>',
     );
     echo implode("\n", $lines) . "\n";
 }
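 /**
  * Define host column
  *
  * Renders every valid IP in the row as a lookup link; values that fail
  * ITSEC_Lib_IP_Tools::validate() are skipped silently.
  *
  * @param array $item array of row data; 'host' is a string or a list of strings
  *
  * @return string formatted output (links joined by <br />, empty when nothing validates)
  *
  **/
 function column_host($item)
 {
     require_once ITSEC_Core::get_core_dir() . '/lib/class-itsec-lib-ip-tools.php';
     $r = array();
     $hosts = isset($item['host']) ? $item['host'] : array();
     if (!is_array($hosts)) {
         $hosts = array($hosts);
     }
     foreach ($hosts as $host) {
         if (ITSEC_Lib_IP_Tools::validate($host)) {
             // rel="noopener noreferrer": the link opens a third-party page in a new tab,
             // which must not get a handle on this admin window through window.opener.
             $r[] = '<a href="http://www.traceip.net/?query=' . urlencode($host) . '" target="_blank" rel="noopener noreferrer">' . esc_html($host) . '</a>';
         }
     }
     return implode('<br />', $r);
 }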
 public function add_footer()
 {
     // Links embedded in translated strings are limited to a bare <a href> via wp_kses.
     $anchor_only = array('a' => array('href' => array()));
     $footer = '';
     if (ITSEC_Core::is_pro()) {
         $this->add_divider();
     } else {
         $callout = $this->get_template('pro-callout.html');
         $callout_replacements = array(
             'two_factor' => esc_html__('Want two-factor authentication, scheduled malware scanning, ticketed support and more?', 'better-wp-security'),
             'get_pro' => esc_html__('Get iThemes Security Pro', 'better-wp-security'),
             'why_pro' => sprintf(wp_kses(__('Why go Pro? <a href="%s">Check out the Free/Pro comparison chart.</a>', 'better-wp-security'), $anchor_only), esc_url('https://ithemes.com/security/why-go-pro/')),
         );
         $footer .= $this->replace_all($callout, $callout_replacements);
     }
     $footer .= $this->get_template('footer.html');
     $replacements = array(
         'security_resources' => esc_html__('Security Resources', 'better-wp-security'),
         'articles' => esc_html__('Articles', 'better-wp-security'),
         'articles_content' => sprintf(wp_kses(__('Read the latest in WordPress Security news, tips, and updates on <a href="%s">iThemes Blog</a>.', 'better-wp-security'), $anchor_only), esc_url('https://ithemes.com/category/wordpress-security/')),
         'tutorials' => esc_html__('Tutorials', 'better-wp-security'),
         'tutorials_content' => sprintf(wp_kses(__('Make the most of iThemes Security features with our <a href="%s">free iThemes Security tutorials</a>.', 'better-wp-security'), $anchor_only), esc_url('https://ithemes.com/tutorial/category/ithemes-security/')),
         'help_and_support' => esc_html__('Help & Support', 'better-wp-security'),
         'documentation' => esc_html__('Documentation', 'better-wp-security'),
         'documentation_content' => sprintf(wp_kses(__('Read iThemes Security documentation and Frequently Asked Questions on <a href="%s">the Codex</a>.', 'better-wp-security'), $anchor_only), esc_url('http://ithemes.com/codex/page/IThemes_Security')),
         'support' => esc_html__('Support', 'better-wp-security'),
         'pro' => esc_html__('Pro', 'better-wp-security'),
         'support_content' => sprintf(wp_kses(__('Pro customers can contact <a href="%s">iThemes Helpdesk</a> for help. Our support team answers questions Monday – Friday, 8am – 5pm (CST).', 'better-wp-security'), $anchor_only), esc_url('https://members.ithemes.com/panel/helpdesk.php')),
         'security_settings_link' => esc_url(ITSEC_Core::get_settings_page_url()),
         'unsubscribe_link_text' => esc_html__('This email was generated by the iThemes Security plugin.', 'better-wp-security') . '<br>' . esc_html__('To unsubscribe from these updates, visit the Settings page in the iThemes Security plugin menu.', 'better-wp-security'),
         'security_guide' => esc_html__('Free WordPress Security Guide', 'better-wp-security'),
         'security_guide_content' => sprintf(wp_kses(__('Learn simple WordPress security tips — including 3 kinds of security your site needs and 4 best security practices for keeping your WordPress site safe with our <a href="%s">free guide</a>.', 'better-wp-security'), $anchor_only), esc_url('https://ithemes.com/publishing/wordpress-security/')),
     );
     $this->content .= $this->replace_all($footer, $replacements);
 }
 public function add_admin_pages()
 {
     $capability = ITSEC_Core::get_required_cap();
     $show_page = array($this, 'show_page');
     add_menu_page(__('Settings', 'better-wp-security'), __('Security', 'better-wp-security'), $capability, 'itsec', $show_page);
     // Each entry: page title, menu title, slug — registered in this order under the 'itsec' menu.
     $submenus = array(
         array(__('iThemes Security Settings', 'better-wp-security'), __('Settings', 'better-wp-security'), 'itsec'),
         array('', __('Security Check', 'better-wp-security'), 'itsec-security-check'),
         array(__('iThemes Security Logs', 'better-wp-security'), __('Logs', 'better-wp-security'), 'itsec-logs'),
     );
     if (!ITSEC_Core::is_pro()) {
         $submenus[] = array('', '<span style="color:#2EA2CC">' . __('Go Pro', 'better-wp-security') . '</span>', 'itsec-go-pro');
     }
     $page_refs = array();
     foreach ($submenus as $submenu) {
         list($page_title, $menu_title, $slug) = $submenu;
         $page_refs[] = add_submenu_page('itsec', $page_title, $menu_title, $capability, $slug, $show_page);
     }
     // Hook the shared loader on every registered screen.
     foreach ($page_refs as $page_ref) {
         add_action("load-{$page_ref}", array($this, 'load'));
     }
 }
 protected function validate_settings()
 {
     $now = ITSEC_Core::get_current_time();
     // While a file check is in progress the run time is simply stamped; no scheduling fix-up.
     if (defined('ITSEC_DOING_FILE_CHECK') && true === ITSEC_DOING_FILE_CHECK) {
         $this->settings['last_run'] = $now;
         return;
     }
     // Split scans run on a shorter cycle than the once-a-day full check.
     $interval = $this->settings['split'] ? 12282 : 86340;
     $oldest_acceptable = $now - $interval;
     // A stale last_run is pulled forward (presumably so the next check is due ~2 minutes out).
     if ($this->settings['last_run'] <= $oldest_acceptable) {
         $this->settings['last_run'] = $oldest_acceptable + 120;
     }
 }
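 /**
  * Regenerate the eight WordPress authentication keys/salts in wp-config.php.
  *
  * Each define() is rewritten in place with a regular expression, the file is written
  * back, and on success the current auth cookie is cleared and the user is sent to the
  * login page (every existing session is invalidated once the salts change). Failures
  * are reported via add_settings_error() (and the network admin notice on multisite)
  * and flag the install for a manual update; in that case the session is left intact
  * so the error stays visible.
  *
  * @since 4.6.0
  */
 public function process_salts()
 {
     global $itsec_globals;
     require_once trailingslashit($GLOBALS['itsec_globals']['plugin_dir']) . 'core/lib/class-itsec-lib-config-file.php';
     require_once trailingslashit($GLOBALS['itsec_globals']['plugin_dir']) . 'core/lib/class-itsec-lib-file.php';
     $config_file_path = ITSEC_Lib_Config_File::get_wp_config_file_path();
     $config = ITSEC_Lib_File::read($config_file_path);
     $error = '';
     if (is_wp_error($config)) {
         $error = sprintf(__('Unable to read the <code>wp-config.php</code> file in order to update the salts. Error details as follows: %1$s (%2$s)', 'better-wp-security'), $config->get_error_message(), $config->get_error_code());
     } else {
         $defines = array('AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY', 'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT');
         foreach ($defines as $define) {
             $new_salt = $this->get_salt();
             // A literal '$' would otherwise be read as a back-reference in the replacement string.
             $new_salt = str_replace('$', '\\$', $new_salt);
             // NOTE(review): the value is written between single quotes; get_salt() is assumed not to
             // emit ' or \ (its alphabet is not visible here) — confirm, or escape those characters too.
             $regex = "/(define\\s*\\(\\s*(['\"]){$define}\\2\\s*,\\s*)(['\"]).+?\\3(\\s*\\)\\s*;)/";
             $replaced = preg_replace($regex, "\${1}'{$new_salt}'\${4}", $config);
             if (null === $replaced) {
                 // preg_replace() returns null on a PCRE failure; writing that back would empty
                 // wp-config.php, so stop before the file is touched.
                 $error = sprintf(__('Unable to update the <code>wp-config.php</code> file in order to update the salts. Error details as follows: %1$s (%2$s)', 'better-wp-security'), 'preg_replace failed for ' . $define, preg_last_error());
                 break;
             }
             $config = $replaced;
         }
         if (empty($error)) {
             $write_result = ITSEC_Lib_File::write($config_file_path, $config);
             if (is_wp_error($write_result)) {
                 // The error details live on $write_result; $config is the file contents string here.
                 $error = sprintf(__('Unable to update the <code>wp-config.php</code> file in order to update the salts. Error details as follows: %1$s (%2$s)', 'better-wp-security'), $write_result->get_error_message(), $write_result->get_error_code());
             }
         }
     }
     if (!empty($error)) {
         add_settings_error('itsec', esc_attr('settings_updated'), $error, 'error');
         add_site_option('itsec_manual_update', true);
     }
     $this->settings = true;
     //this tells the form field that all went well.
     if (is_multisite()) {
         if (!empty($error)) {
             $error_handler = new WP_Error();
             $error_handler->add('error', $error);
             $this->core->show_network_admin_notice($error_handler);
         } else {
             $this->core->show_network_admin_notice(false);
         }
     }
     if (empty($error)) {
         update_site_option('itsec_salts', $itsec_globals['current_time_gmt']);
         wp_clear_auth_cookie();
         // wp_safe_redirect() only follows local/allowed hosts, so the request-supplied target is not an open redirect.
         $redirect_to = !empty($_REQUEST['redirect_to']) ? $_REQUEST['redirect_to'] : ITSEC_Lib::get_home_root() . 'wp-login.php?loggedout=true';
         wp_safe_redirect($redirect_to);
     }
 }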
    protected function render_description($form)
    {
        // Description for the "change database prefix" tool. The HTML is emitted inline, so the
        // whitespace between the PHP tags is part of the output; $form is not used here.
        ?>
	<p><?php 
        _e('By default, WordPress assigns the prefix <code>wp_</code> to all tables in the database where your content, users, and objects exist. For potential attackers, this means it is easier to write scripts that can target WordPress databases as all the important table names for 95% of sites are already known. Changing the <code>wp_</code> prefix makes it more difficult for tools that are trying to take advantage of vulnerabilities in other places to affect the database of your site. <strong>Before using this tool, we strongly recommend creating a backup of your database.</strong>', 'better-wp-security');
        ?>
</p>
	<p><?php 
        _e('Note: The use of this tool requires quite a bit of system memory which may be more than some hosts can handle. If you back your database up you can\'t do any permanent damage but without a proper backup you risk breaking your site and having to perform a rather difficult fix.', 'better-wp-security');
        ?>
</p>
	<div class="itsec-warning-message"><?php 
        // The backup link is a plugin-internal admin URL; the translated string is trusted markup.
        printf(__('<span>WARNING: </span><a href="%1$s">Backup your database</a> before using this tool.', 'better-wp-security'), ITSEC_Core::get_backup_creation_page_url());
        ?>
</div>
<?php 
    }
	/**
	 * Render the settings metabox
	 *
	 * Displays the contents of the module's settings metabox on the "Pro"
	 * page with all module options: an introduction, the provider settings
	 * section and the submit button.
	 *
	 * @since 1.2.0
	 *
	 * @return void
	 */
	public function metabox_two_factor_settings() {

		global $itsec_globals;

		$intro  = sprintf( __( "To allow users to log in with two-factor authentication, enable one or more two-factor providers. Once at least one two-factor provider is enabled, users can configure two-factor authentication from their <a href='%s'>profile</a>.", 'it-l10n-ithemes-security-pro' ), get_edit_profile_url() );
		$advice = __( 'If possible, all providers should be enabled. A provider should only be disabled if it will not work properly with your site. For instance, the email provider should not be enabled if your site cannot send emails.', 'it-l10n-ithemes-security-pro' );
		printf( '<p>%s</p><p>%s</p>', $intro, $advice );

		$this->_core->do_settings_section( 'security_page_toplevel_page_itsec_pro', 'two-factor-providers', false );

		// Submit row: hidden settings fields followed by the primary button (translated label is not attribute-escaped).
		echo '<p>' . PHP_EOL;
		settings_fields( 'security_page_toplevel_page_itsec_pro' );
		$button = sprintf( '<input class="button-primary" name="submit" type="submit" value="%s" />', __( 'Save All Changes', 'it-l10n-ithemes-security-pro' ) );
		echo $button . PHP_EOL . '</p>' . PHP_EOL;

	}
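 /**
  * Define host column
  *
  * Renders every valid IP in the row as a lookup link; values that fail
  * ITSEC_Lib_IP_Tools::validate() are skipped silently. The IP tools library is
  * loaded on demand when the class is not yet available.
  *
  * @param array $item array of row data; 'host' is a string or a list of strings
  *
  * @return string formatted output (links joined by <br />, empty when nothing validates)
  *
  **/
 function column_host($item)
 {
     if (!class_exists('ITSEC_Lib_IP_Tools')) {
         $itsec_core = ITSEC_Core::get_instance();
         require_once dirname($itsec_core->get_plugin_file()) . '/core/lib/class-itsec-lib-ip-tools.php';
     }
     $r = array();
     $hosts = isset($item['host']) ? $item['host'] : array();
     if (!is_array($hosts)) {
         $hosts = array($hosts);
     }
     foreach ($hosts as $host) {
         if (ITSEC_Lib_IP_Tools::validate($host)) {
             // rel="noopener noreferrer": the link opens a third-party page in a new tab,
             // which must not get a handle on this admin window through window.opener.
             $r[] = '<a href="http://www.traceip.net/?query=' . urlencode($host) . '" target="_blank" rel="noopener noreferrer">' . esc_html($host) . '</a>';
         }
     }
     return implode('<br />', $r);
 }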
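 /**
  * Regenerate the WordPress salts by rewriting wp-config.php through $itsec_files.
  *
  * Builds the replacement define() rules, hands them to the shared wp-config writer and
  * reports failures via add_settings_error() (plus the network admin notice on multisite).
  * When no error was recorded, the auth cookie is cleared and the user is sent to the
  * login page, since every existing session is invalidated once the salts change; on
  * error the session is left intact so the message stays visible.
  *
  * @since 4.6.0
  */
 public function process_salts()
 {
     global $itsec_files, $itsec_globals;
     //suppress error messages due to timing
     error_reporting(0);
     @ini_set('display_errors', 0);
     $rules = $this->build_salts_rules();
     $itsec_files->set_wpconfig($rules);
     $configs = $itsec_files->save_wpconfig();
     $type = null;
     $message = '';
     if (is_array($configs)) {
         // Test emptiness before indexing: the original read $configs['success'] first, so an
         // empty array raised a notice and the generic message branch below it never ran cleanly.
         if (empty($configs)) {
             $type = 'error';
             $message = __('Unable change the WordPress Salts. Operation cancelled.', 'it-l10n-better-wp-security');
         } elseif (isset($configs['success']) && false === $configs['success']) {
             $type = 'error';
             $message = isset($configs['text']) ? $configs['text'] : '';
         }
         if (null !== $type) {
             add_settings_error('itsec', esc_attr('settings_updated'), $message, $type);
         }
     } else {
         // The writer could not handle wp-config.php itself; flag the install for a manual update.
         add_site_option('itsec_manual_update', true);
     }
     $this->settings = true;
     //this tells the form field that all went well.
     if (is_multisite()) {
         if (null !== $type) {
             $error_handler = new WP_Error();
             $error_handler->add($type, $message);
             $this->core->show_network_admin_notice($error_handler);
         } else {
             $this->core->show_network_admin_notice(false);
         }
     }
     if (null === $type) {
         update_site_option('itsec_salts', $itsec_globals['current_time_gmt']);
         wp_clear_auth_cookie();
         // wp_safe_redirect() only follows local/allowed hosts, so the request-supplied target is not an open redirect.
         $redirect_to = !empty($_REQUEST['redirect_to']) ? $_REQUEST['redirect_to'] : ITSEC_Lib::get_home_root() . 'wp-login.php?loggedout=true';
         wp_safe_redirect($redirect_to);
     }
 }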