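 /**
  * Execute module deactivation
  *
  * Drops the cached random-version marker and relaxes the two files this
  * module may have locked down — the server config file resolved by
  * ITSEC_Lib::get_htaccess() and wp-config.php from ITSEC_Lib::get_config() —
  * back to mode 0644. chmod() failures (missing file, file owned by another
  * user) are deliberately ignored: deactivation must not abort because a
  * file could not be relaxed.
  *
  * The unused `global $itsec_files` declaration was removed; nothing here
  * touches the file handler.
  *
  * @return void
  */
 public function execute_deactivate()
 {
     delete_site_transient('itsec_random_version');

     // Reset recommended file permissions (0644: owner read/write, others read).
     $protected_files = array(ITSEC_Lib::get_htaccess(), ITSEC_Lib::get_config());
     foreach ($protected_files as $path) {
         // chmod() on a missing path only produces a warning; skip it outright.
         if (file_exists($path)) {
             @chmod($path, 0644);
         }
     }
 }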
 /**
  * Execute module deactivation
  *
  * Clears the cached random-version marker, hands the file handler the
  * wp-config.php rule set produced by
  * itsec_tweaks_Admin::build_wpconfig_rules(null, true) (the second argument
  * presumably selects the deactivation variant — confirm against that class),
  * and relaxes the server config file and wp-config.php back to mode 0644.
  * chmod() errors are silenced on purpose so a missing or foreign-owned file
  * does not break deactivation.
  *
  * @return void
  */
 public function execute_deactivate()
 {
     global $itsec_files;

     delete_site_transient('itsec_random_version');

     // set_wpconfig() takes a list of rule sets; this one has a single entry.
     $deactivation_rules = array(itsec_tweaks_Admin::build_wpconfig_rules(null, true));
     $itsec_files->set_wpconfig($deactivation_rules);

     // Reset recommended file permissions on both protected files.
     $files_to_relax = array(ITSEC_Lib::get_htaccess(), ITSEC_Lib::get_config());
     foreach ($files_to_relax as $file_path) {
         @chmod($file_path, 0644);
     }
 }
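 /**
  * Execute module upgrade
  *
  * Applies the migrations pending for the version being upgraded from:
  *  - < 4000: converts the legacy Better WP Security "hide backend" options
  *    ($itsec_bwps_options hb_enabled / hb_register / hb_login) into the
  *    itsec_hide_backend site option (only if that option already exists)
  *    and regenerates the server config.
  *  - < 4027: when hide-backend is enabled, schedules a rewrite-rule flush
  *    on admin_init and regenerates the server config.
  *  - < 4041: moves the itsec_hide_backend site option into the module
  *    settings store, dropping the obsolete 'show-tooltip' key.
  *
  * @param int $itsec_old_version Previously installed plugin version as a number (e.g. 4027).
  *
  * @return void
  */
 public function execute_upgrade($itsec_old_version)
 {
     if ($itsec_old_version < 4000) {
         global $itsec_bwps_options;
         $current_options = get_site_option('itsec_hide_backend');
         if (false !== $current_options) {
             $current_options['enabled'] = isset($itsec_bwps_options['hb_enabled']) && $itsec_bwps_options['hb_enabled'] == 1 ? true : false;
             $current_options['register'] = isset($itsec_bwps_options['hb_register']) ? sanitize_text_field($itsec_bwps_options['hb_register']) : 'wp-register.php';
             if ($current_options['enabled'] === true) {
                 $current_options['show-tooltip'] = true;
                 set_site_transient('ITSEC_SHOW_HIDE_BACKEND_TOOLTIP', true, 600);
             } else {
                 $current_options['show-tooltip'] = false;
             }
             // A slug that collides with the real login/admin paths, or an empty
             // one, disables the feature instead of being migrated. An unset
             // legacy value trims to '' and therefore lands in the same branch.
             $forbidden_slugs = array('admin', 'login', 'wp-login.php', 'dashboard', 'wp-admin', '');
             $legacy_slug = isset($itsec_bwps_options['hb_login']) ? trim($itsec_bwps_options['hb_login']) : '';
             if (!in_array($legacy_slug, $forbidden_slugs, true)) {
                 // Store the same trimmed value that was validated above, so the
                 // saved slug cannot differ from the one that passed the check.
                 $current_options['slug'] = $legacy_slug;
                 set_site_transient('ITSEC_SHOW_HIDE_BACKEND_TOOLTIP', true, 600);
             } else {
                 $current_options['enabled'] = false;
                 set_site_transient('ITSEC_SHOW_HIDE_BACKEND_TOOLTIP', true, 600);
             }
             update_site_option('itsec_hide_backend', $current_options);
             ITSEC_Response::regenerate_server_config();
         }
     }
     if ($itsec_old_version < 4027) {
         $current_options = get_site_option('itsec_hide_backend');
         if (isset($current_options['enabled']) && $current_options['enabled'] === true) {
             $config_file = ITSEC_Lib::get_htaccess();
             // Remember the current mode (last four octal digits, e.g. '0644')
             // before temporarily opening the file up for writing.
             $original_mode = substr(sprintf('%o', @fileperms($config_file)), -4);
             @chmod($config_file, 0664);
             add_action('admin_init', array($this, 'flush_rewrite_rules'));
             // Put the mode back to exactly what it was. The previous code only
             // restored 0444 and left any other file (e.g. 0644) group-writable.
             // A malformed mode string (fileperms() failed) is not restored, so
             // the file is never accidentally chmod'ed to 0000.
             if (preg_match('/^[0-7]{4}$/', $original_mode) && '0664' !== $original_mode) {
                 @chmod($config_file, octdec($original_mode));
             }
             // NOTE(review): both the deferred flush and the regeneration below
             // run after the mode has been restored, so the temporary 0664 covers
             // neither; confirm that regenerate_server_config() handles a 0444
             // file itself before relying on this widening.
             ITSEC_Response::regenerate_server_config();
         }
     }
     if ($itsec_old_version < 4041) {
         $current_options = get_site_option('itsec_hide_backend');
         // If there are no current options, go with the new defaults by not saving anything.
         if (is_array($current_options)) {
             // 'show-tooltip' is not used by the new module; drop it before migrating.
             unset($current_options['show-tooltip']);
             ITSEC_Modules::set_settings('hide-backend', $current_options);
         }
     }
 }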
 /**
  * Deactivate execution
  *
  * Tears the plugin down: clears its cron hooks, runs module deactivation,
  * lets the file handler clean up, removes the plugin-owned site options and
  * transients, flushes rewrite rules (temporarily unlocking a 0444 server
  * config file for that call) and finally clears caches.
  *
  * @since 4.0
  *
  * @return void
  * */
 private function deactivate_execute()
 {
     global $itsec_files, $wpdb;

     wp_clear_scheduled_hook('itsec_purge_lockouts');
     $this->do_modules();
     $itsec_files->do_deactivate();

     // Site options that have no meaning once the plugin is off.
     $stale_options = array(
         'itsec_flush_old_rewrites',
         'itsec_manual_update',
         'itsec_rewrites_changed',
         'itsec_config_changed',
         'itsec_had_other_version',
         'itsec_no_file_lock_release',
         'itsec_clear_login',
         'itsec_temp_whitelist_ip',
         'itsec_api_nag',
     );
     foreach ($stale_options as $option_name) {
         delete_site_option($option_name);
     }

     $stale_transients = array(
         'ITSEC_SHOW_WRITE_FILES_TOOLTIP',
         'itsec_upload_dir',
         'itsec_notification_running',
     );
     foreach ($stale_transients as $transient_name) {
         delete_site_transient($transient_name);
     }

     wp_clear_scheduled_hook('itsec_digest_email');

     // flush_rewrite_rules() may rewrite the server config file; a file locked
     // at 0444 is opened up for the call and locked again afterwards. Any
     // other mode is left untouched.
     $htaccess = ITSEC_Lib::get_htaccess();
     $was_locked = ('0444' === substr(sprintf('%o', @fileperms($htaccess)), -4));
     if ($was_locked) {
         @chmod($htaccess, 0664);
     }
     flush_rewrite_rules();
     if ($was_locked) {
         @chmod($htaccess, 0444);
     }

     ITSEC_Lib::clear_caches();
 }
 /**
  * Execute module deactivation
  *
  * Relaxes the server config file and wp-config.php to mode 0644 when the
  * module is switched off. chmod() errors are suppressed on purpose so a
  * missing or foreign-owned file does not break deactivation.
  *
  * @return void
  */
 public function execute_deactivate()
 {
     // Reset recommended file permissions on both protected files.
     $files_to_relax = array(ITSEC_Lib::get_htaccess(), ITSEC_Lib::get_config());
     foreach ($files_to_relax as $file_path) {
         @chmod($file_path, 0644);
     }
 }
<?php

// Presumably the support/diagnostics view (the markup below uses class "itsec-support").
// Resolve the two files whose state is reported further down.
global $wpdb, $itsec_globals;
$config_file = ITSEC_Lib::get_config(); // wp-config.php path as resolved by ITSEC_Lib
$htaccess = ITSEC_Lib::get_htaccess(); // server config file (.htaccess, or the nginx equivalent)
?>

<ul class="itsec-support">
<li>
	<h4><?php 
_e('User Information', 'it-l10n-better-wp-security');
?>
</h4>
	<ul>
		<li><?php 
_e('Public IP Address', 'it-l10n-better-wp-security');
?>
: <strong><a target="_blank"
		                                                            title="<?php 
_e('Get more information on this address', 'it-l10n-better-wp-security');
?>
"
		                                                            href="http://whois.domaintools.com/<?php 
echo ITSEC_Lib::get_ip();
?>
"><?php 
echo ITSEC_Lib::get_ip();
?>
</a></strong>
		</li>
		<li><?php 
    $this_test['status'] = 'WARNING';
} else {
    $this_test['status'] = 'OK';
}
array_push($tests, $this_test);
//END FOLDERS
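//BEGIN FILES
// Recommended mode for both files is read-only (0444). Each file's mode is
// read once; a missing file reports a value of '0' and a WARNING exactly as
// before, but without the PHP warnings that calling fileperms() on a missing
// path used to raise on every page load.
$file_checks = array(
    'wp-config.php' => ITSEC_Lib::get_config(),
    '.htaccess'     => ITSEC_Lib::get_htaccess(),
);
foreach ($file_checks as $file_title => $file_path) {
    $file_mode = file_exists($file_path) ? @fileperms($file_path) : false;
    // Keep the last four octal digits (e.g. '0444'); fileperms() also carries
    // the file-type bits in front of them. sprintf('%o', false) yields '0'.
    $mode_string = substr(sprintf('%o', $file_mode), -4);
    $this_test = array('title' => $file_title, 'suggestion' => '= 444', 'value' => $mode_string);
    // Compare the octal string directly rather than relying on the loose
    // int-vs-numeric-string comparison (444 == '0444') the old check used.
    $this_test['status'] = (false === $file_mode || '0444' !== $mode_string) ? 'WARNING' : 'OK';
    array_push($tests, $this_test);
}
//END FILES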
?>

<table class="widefat">
	<thead>
	<tr class="thead">
		<th><?php 
_e('Relative Path', 'better-wp-security');
?>
</th>
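 /**
  * Execute module upgrade
  *
  * Reads the previously installed version from the global $itsec_old_version
  * and applies the pending migrations:
  *  - < 4000: converts the legacy Better WP Security "hide backend" options
  *    ($itsec_bwps_options hb_enabled / hb_register / hb_login) into the
  *    itsec_hide_backend site option, starting from $this->defaults when no
  *    option exists yet, and flags the rewrites as changed.
  *  - < 4027: when hide-backend is enabled, schedules a rewrite-rule flush on
  *    admin_init and flags the rewrites as changed.
  *
  * @return void
  */
 public function execute_upgrade()
 {
     global $itsec_old_version;
     if ($itsec_old_version < 4000) {
         global $itsec_bwps_options;
         $current_options = get_site_option('itsec_hide_backend');
         if ($current_options === false) {
             $current_options = $this->defaults;
         }
         $current_options['enabled'] = isset($itsec_bwps_options['hb_enabled']) && $itsec_bwps_options['hb_enabled'] == 1 ? true : false;
         $current_options['register'] = isset($itsec_bwps_options['hb_register']) ? sanitize_text_field($itsec_bwps_options['hb_register']) : 'wp-register.php';
         if ($current_options['enabled'] === true) {
             $current_options['show-tooltip'] = true;
             set_site_transient('ITSEC_SHOW_HIDE_BACKEND_TOOLTIP', true, 600);
         } else {
             $current_options['show-tooltip'] = false;
         }
         // A slug that collides with the real login/admin paths, or an empty
         // one, disables the feature instead of being migrated. An unset legacy
         // value trims to '' and therefore lands in the same branch.
         $forbidden_slugs = array('admin', 'login', 'wp-login.php', 'dashboard', 'wp-admin', '');
         $legacy_slug = isset($itsec_bwps_options['hb_login']) ? trim($itsec_bwps_options['hb_login']) : '';
         if (!in_array($legacy_slug, $forbidden_slugs, true)) {
             // Store the same trimmed value that was validated above, so the
             // saved slug cannot differ from the one that passed the check.
             $current_options['slug'] = $legacy_slug;
             set_site_transient('ITSEC_SHOW_HIDE_BACKEND_TOOLTIP', true, 600);
         } else {
             $current_options['enabled'] = false;
             set_site_transient('ITSEC_SHOW_HIDE_BACKEND_TOOLTIP', true, 600);
         }
         update_site_option('itsec_hide_backend', $current_options);
         add_site_option('itsec_rewrites_changed', true);
     }
     if ($itsec_old_version < 4027) {
         $current_options = get_site_option('itsec_hide_backend');
         if (isset($current_options['enabled']) && $current_options['enabled'] === true) {
             $config_file = ITSEC_Lib::get_htaccess();
             // Remember the current mode (last four octal digits, e.g. '0644')
             // before temporarily opening the file up for writing.
             $original_mode = substr(sprintf('%o', @fileperms($config_file)), -4);
             @chmod($config_file, 0664);
             add_action('admin_init', array($this, 'flush_rewrite_rules'));
             // Put the mode back to exactly what it was. The previous code only
             // restored 0444 and left any other file (e.g. 0644) group-writable.
             // A malformed mode string (fileperms() failed) is not restored, so
             // the file is never accidentally chmod'ed to 0000.
             if (preg_match('/^[0-7]{4}$/', $original_mode) && '0664' !== $original_mode) {
                 @chmod($config_file, octdec($original_mode));
             }
             // NOTE(review): the flush itself runs later on admin_init, after the
             // mode has been restored, so the temporary 0664 does not cover it;
             // confirm flush_rewrite_rules() handles a 0444 file on its own.
             add_site_option('itsec_rewrites_changed', true);
         }
     }
 }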
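 /**
  * Appends the System Tweaks rules to the generated nginx server config.
  *
  * Each enabled option in the 'system-tweaks' settings contributes one
  * commented block of `location` / `if` directives: protect_files,
  * uploads_php, plugins_php, themes_php, request_methods,
  * suspicious_query_strings and non_english_characters. A missing key is
  * treated as "off" instead of raising an undefined-index notice.
  *
  * @param string $modification nginx config text generated so far.
  *
  * @return string $modification with this module's rules appended.
  */
 public static function filter_nginx_server_config_modification($modification)
 {
     require_once $GLOBALS['itsec_globals']['plugin_dir'] . 'core/lib/class-itsec-lib-utility.php';
     $input = ITSEC_Modules::get_settings('system-tweaks');
     $wp_includes = WPINC;

     if (!empty($input['protect_files'])) {
         // Deny direct requests for the server config file when it lives under
         // the web root; otherwise fall back to a fixed /nginx.conf path.
         $config_file = ITSEC_Lib::get_htaccess();
         if (0 === strpos($config_file, ABSPATH)) {
             $config_file = '/' . substr($config_file, strlen(ABSPATH));
         } else {
             $config_file = '/nginx.conf';
         }
         $modification .= "\n";
         $modification .= "\t# " . __('Protect System Files - Security > Settings > System Tweaks > System Files', 'better-wp-security') . "\n";
         $modification .= "\tlocation = /wp-admin/install\\.php { deny all; }\n";
         $modification .= "\tlocation = {$config_file} { deny all; }\n";
         $modification .= "\tlocation ~ /\\.htaccess\$ { deny all; }\n";
         $modification .= "\tlocation ~ /readme\\.html\$ { deny all; }\n";
         $modification .= "\tlocation ~ /readme\\.txt\$ { deny all; }\n";
         // Dot escaped like the sibling rules, so this matches only
         // "wp-config.php" and not "wp-config" + any character + "php".
         $modification .= "\tlocation ~ /wp-config\\.php\$ { deny all; }\n";
         $modification .= "\tlocation ~ ^/wp-admin/includes/ { deny all; }\n";
         if (!is_multisite() || !get_site_option('ms_files_rewriting')) {
             // nginx can only reliably block PHP files in wp-includes if requests to wp-includes/ms-files.php are
             // not required. This is because there is no skip directive as Apache has.
             $modification .= "\tlocation ~ ^/{$wp_includes}/[^/]+\\.php\$ { deny all; }\n";
         }
         $modification .= "\tlocation ~ ^/{$wp_includes}/js/tinymce/langs/.+\\.php\$ { deny all; }\n";
         $modification .= "\tlocation ~ ^/{$wp_includes}/theme-compat/ { deny all; }\n";
     }

     // Disable PHP execution under the uploads, plugins and themes directories.
     // Each block is skipped when the directory cannot be resolved.
     if (!empty($input['uploads_php'])) {
         $dir = ITSEC_Lib_Utility::get_relative_upload_url_path();
         if (!empty($dir)) {
             $modification .= self::build_nginx_php_deny_block($dir, __('Disable PHP in Uploads - Security > Settings > System Tweaks > PHP in Uploads', 'better-wp-security'));
         }
     }
     if (!empty($input['plugins_php'])) {
         $dir = ITSEC_Lib_Utility::get_relative_url_path(WP_PLUGIN_URL);
         if (!empty($dir)) {
             $modification .= self::build_nginx_php_deny_block($dir, __('Disable PHP in Plugins - Security > Settings > System Tweaks > PHP in Plugins', 'better-wp-security'));
         }
     }
     if (!empty($input['themes_php'])) {
         $dir = ITSEC_Lib_Utility::get_relative_url_path(get_theme_root_uri());
         if (!empty($dir)) {
             $modification .= self::build_nginx_php_deny_block($dir, __('Disable PHP in Themes - Security > Settings > System Tweaks > PHP in Themes', 'better-wp-security'));
         }
     }

     // Reject HTTP methods WordPress never needs.
     if (!empty($input['request_methods'])) {
         $modification .= "\n";
         $modification .= "\t# " . __('Filter Request Methods - Security > Settings > System Tweaks > Request Methods', 'better-wp-security') . "\n";
         $modification .= "\tif ( \$request_method ~* ^(TRACE|DELETE|TRACK)\$ ) { return 403; }\n";
     }

     // Suspicious query-string filter: any pattern sets $susquery, a few
     // exemptions clear it again, and a set flag yields a 403.
     if (!empty($input['suspicious_query_strings'])) {
         $modification .= "\n";
         $modification .= "\t# " . __('Filter Suspicious Query Strings in the URL - Security > Settings > System Tweaks > Suspicious Query Strings', 'better-wp-security') . "\n";
         $modification .= "\tset \$susquery 0;\n";
         $modification .= "\tif ( \$args ~* \"\\.\\./\" ) { set \$susquery 1; }\n";
         $modification .= "\tif ( \$args ~* \"\\.(bash|git|hg|log|svn|swp|cvs)\" ) { set \$susquery 1; }\n";
         $modification .= "\tif ( \$args ~* \"etc/passwd\" ) { set \$susquery 1; }\n";
         $modification .= "\tif ( \$args ~* \"boot\\.ini\" ) { set \$susquery 1; }\n";
         $modification .= "\tif ( \$args ~* \"ftp:\" ) { set \$susquery 1; }\n";
         $modification .= "\tif ( \$args ~* \"https?:\" ) { set \$susquery 1; }\n";
         $modification .= "\tif ( \$args ~* \"(<|%3C)script(>|%3E)\" ) { set \$susquery 1; }\n";
         $modification .= "\tif ( \$args ~* \"mosConfig_[a-zA-Z_]{1,21}(=|%3D)\" ) { set \$susquery 1; }\n";
         $modification .= "\tif ( \$args ~* \"base64_decode\\(\" ) { set \$susquery 1; }\n";
         $modification .= "\tif ( \$args ~* \"%24&x\" ) { set \$susquery 1; }\n";
         $modification .= "\tif ( \$args ~* \"127\\.0\" ) { set \$susquery 1; }\n";
         // NOTE(review): the next two keyword lists are unanchored substrings,
         // so any query value containing e.g. "request" or "union" is rejected;
         // expect false positives on ordinary search terms.
         $modification .= "\tif ( \$args ~* \"(globals|encode|localhost|loopback)\" ) { set \$susquery 1; }\n";
         $modification .= "\tif ( \$args ~* \"(request|insert|concat|union|declare)\" ) { set \$susquery 1; }\n";
         // %00-%1F: percent-encoded control characters.
         $modification .= "\tif ( \$args ~* \"%[01][0-9A-F]\" ) { set \$susquery 1; }\n";
         $modification .= "\tif ( \$args ~ \"^loggedout=true\" ) { set \$susquery 0; }\n";
         $modification .= "\tif ( \$args ~ \"^action=jetpack-sso\" ) { set \$susquery 0; }\n";
         $modification .= "\tif ( \$args ~ \"^action=rp\" ) { set \$susquery 0; }\n";
         // NOTE(review): this exemption keys on the cookie *name* only; the
         // cookie is not validated here, so any client that sends a cookie
         // containing "wordpress_logged_in_" skips the whole filter. Treat this
         // filter as noise reduction, not as a security boundary.
         $modification .= "\tif ( \$http_cookie ~ \"wordpress_logged_in_\" ) { set \$susquery 0; }\n";
         $modification .= "\tif ( \$http_referer ~* \"^https?://maps\\.googleapis\\.com/\" ) { set \$susquery 0; }\n";
         $modification .= "\tif ( \$susquery = 1 ) { return 403; }\n";
     }

     // Rejects any percent-encoded byte >= 0xA0 in the query string (the ~*
     // operator makes the hex digits case-insensitive).
     if (!empty($input['non_english_characters'])) {
         $modification .= "\n";
         $modification .= "\t# " . __('Filter Non-English Characters - Security > Settings > System Tweaks > Non-English Characters', 'better-wp-security') . "\n";
         $modification .= "\tif (\$args ~* \"%[A-F][0-9A-F]\") { return 403; }\n";
     }

     return $modification;
 }

 /**
  * Builds one "deny PHP execution under this directory" nginx block.
  *
  * The rule covers the php, php1–php7, pht, phtm, phtml and phps extensions
  * at any depth below the directory.
  *
  * @param string $relative_dir Web-root-relative directory (the rule prefixes the leading slash itself); must be non-empty.
  * @param string $heading      Already-translated comment line placed above the rule.
  *
  * @return string nginx config lines, tab-indented and newline-terminated.
  */
 private static function build_nginx_php_deny_block($relative_dir, $heading)
 {
     // nginx regex locations have no delimiter, so preg_quote() without one is
     // sufficient to neutralise metacharacters in the directory name.
     $quoted_dir = preg_quote($relative_dir);
     $block = "\n";
     $block .= "\t# " . $heading . "\n";
     $block .= "\tlocation ~ ^/{$quoted_dir}/.*\\.(?:php[1-7]?|pht|phtml?|phps)\$ { deny all; }\n";
     return $block;
 }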
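 /**
  * Writes given rules to htaccess or related file
  *
  * Replaces the "# BEGIN iThemes Security … # END iThemes Security" block
  * (the legacy "Better WP Security" markers are recognised as well) in the
  * file returned by ITSEC_Lib::get_htaccess() with the output of
  * build_rewrites(). When build_rewrites() returns false the block is removed
  * through delete_rewrites() instead.
  *
  * The file is temporarily chmod'ed to 0664 for the write and restored to its
  * previous mode afterwards; when $this->write_files is true it is locked to
  * 0444 regardless.
  *
  * @since  4.0
  *
  * @access private
  *
  * @return bool true on success, false on failure
  */
 private function write_rewrites()
 {
     $rules_to_write = $this->build_rewrites();
     if ($rules_to_write === false) {
         // Nothing to write: make sure any previous block is removed.
         return $this->delete_rewrites();
     }

     $rule_open = array('# BEGIN iThemes Security', '# BEGIN Better WP Security');
     $rule_close = array('# END iThemes Security', '# END Better WP Security');
     $htaccess_file = ITSEC_Lib::get_htaccess();

     // Make sure the file exists and create it if it doesn't.
     if (!file_exists($htaccess_file)) {
         @touch($htaccess_file);
     }

     $htaccess_contents = @file_get_contents($htaccess_file);
     if ($htaccess_contents === false) {
         // Unreadable file: bail out before touching it. The old check ran
         // after preg_replace(), which turns false into '' and so could let an
         // unreadable file be overwritten with only our rules.
         return false;
     }
     // Normalise line endings so the marker lines compare exactly.
     $htaccess_contents = preg_replace("/(\\r\\n|\\n|\\r)/", PHP_EOL, $htaccess_contents);
     if ($htaccess_contents === null) {
         // PCRE error; nothing sensible to write.
         return false;
     }

     // Drop every line from an opening marker through its closing marker.
     $lines = explode(PHP_EOL, $htaccess_contents);
     $inside_block = false;
     foreach ($lines as $line_number => $line) {
         if (in_array($line, $rule_open, true)) {
             $inside_block = true;
         }
         if ($inside_block) {
             unset($lines[$line_number]);
         }
         if (in_array($line, $rule_close, true)) {
             $inside_block = false;
         }
     }

     if (sizeof($rules_to_write) > 0) {
         // New block first, then whatever was outside the old block.
         $htaccess_contents = $rule_open[0] . PHP_EOL . implode(PHP_EOL, $rules_to_write) . PHP_EOL . $rule_close[0] . PHP_EOL . implode(PHP_EOL, $lines);
     }
     // NOTE(review): with an empty (non-false) rule array the file contents are
     // written back unchanged, including any existing block; build_rewrites()
     // is expected to return false rather than array() for "nothing to write".

     // Remember the current mode (last four octal digits, e.g. '0644') and
     // open the file up for writing.
     $original_mode = substr(sprintf('%o', @fileperms($htaccess_file)), -4);
     @chmod($htaccess_file, 0664);

     // file_put_contents() returns the byte count, so a legitimately empty
     // write is 0; only false means failure.
     $write_ok = (false !== @file_put_contents($htaccess_file, $htaccess_contents, LOCK_EX));

     // Put the mode back whether or not the write succeeded: lock to 0444 when
     // the "write files" option asks for it, otherwise restore exactly what the
     // file had (the old code only restored 0444 and left e.g. a 0644 file
     // group-writable). A malformed mode string is not restored.
     if ($this->write_files === true) {
         @chmod($htaccess_file, 0444);
     } elseif (preg_match('/^[0-7]{4}$/', $original_mode) && '0664' !== $original_mode) {
         @chmod($htaccess_file, octdec($original_mode));
     }

     return $write_ok;
 }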