function save_settings()
{
global $itsec_globals;
if (!class_exists('ITSEC_Lib')) {
require trailingslashit($itsec_globals['plugin_dir']) . '/core/class-itsec-lib.php';
}
MainWP_Helper::update_option('mainwp_ithemes_ext_enabled', 'Y', 'yes');
$settings = maybe_unserialize(base64_decode($_POST['settings']));
$updated = false;
$rewrites_changed = false;
if (isset($settings['itsec_global'])) {
// $old_settings = get_site_option( 'itsec_global' );
// // keep current value
// $settings['itsec_global']['log_location'] = $old_settings['log_location'];
if (update_site_option('itsec_global', $settings['itsec_global'])) {
if (isset($settings['itsec_global']['write_files']) && true === $settings['itsec_global']['write_files']) {
add_site_option('itsec_rewrites_changed', true);
$rewrites_changed = true;
}
$updated = true;
}
}
if (isset($settings['itsec_away_mode'])) {
if (update_site_option('itsec_away_mode', $settings['itsec_away_mode'])) {
$updated = true;
}
}
if (isset($settings['itsec_backup'])) {
$backup = get_site_option('itsec_backup');
if (false !== $backup && isset($backup['last_run'])) {
$settings['itsec_backup']['last_run'] = $backup['last_run'];
} else {
unset($settings['itsec_backup']['last_run']);
}
if (update_site_option('itsec_backup', $settings['itsec_backup'])) {
$updated = true;
}
}
if (isset($settings['itsec_ban_users'])) {
$old_settings = get_site_option('itsec_ban_users');
if (update_site_option('itsec_ban_users', $settings['itsec_ban_users'])) {
$input = $settings['itsec_ban_users'];
if ($input['host_list'] !== $old_settings['host_list'] || $input['enabled'] !== $old_settings['enabled'] || $input['default'] !== $old_settings['default'] || $input['agent_list'] !== $old_settings['agent_list']) {
if (!$rewrites_changed) {
add_site_option('itsec_rewrites_changed', true);
}
}
$updated = true;
}
}
if (isset($settings['itsec_brute_force'])) {
if (update_site_option('itsec_brute_force', $settings['itsec_brute_force'])) {
$updated = true;
}
}
if (isset($settings['itsec_file_change'])) {
$file_change = get_site_option('itsec_file_change');
if (false !== $file_change && isset($file_change['last_run'])) {
$settings['itsec_file_change']['last_run'] = $file_change['last_run'];
} else {
unset($settings['itsec_file_change']['last_run']);
}
if (false !== $file_change && isset($file_change['last_chunk'])) {
$settings['itsec_file_change']['last_chunk'] = $file_change['last_chunk'];
} else {
unset($settings['itsec_file_change']['last_chunk']);
}
if (update_site_option('itsec_file_change', $settings['itsec_file_change'])) {
$updated = true;
}
}
if (isset($settings['itsec_four_oh_four'])) {
if (update_site_option('itsec_four_oh_four', $settings['itsec_four_oh_four'])) {
$updated = true;
}
}
if (isset($settings['itsec_hide_backend'])) {
$old_settings = get_site_option('itsec_hide_backend');
if (update_site_option('itsec_hide_backend', $settings['itsec_hide_backend'])) {
$input = $settings['itsec_hide_backend'];
if ($input['slug'] !== $old_settings['slug'] || $input['register'] !== $old_settings['register'] || $input['enabled'] !== $old_settings['enabled']) {
if (!$rewrites_changed) {
add_site_option('itsec_rewrites_changed', true);
}
}
if ($input['slug'] !== $old_settings['slug'] && true === $input['enabled']) {
add_site_option('itsec_hide_backend_new_slug', $input['slug']);
}
$updated = true;
}
}
if (isset($settings['itsec_ipcheck'])) {
if (update_site_option('itsec_ipcheck', $settings['itsec_ipcheck'])) {
$updated = true;
}
}
if (isset($settings['itsec_malware'])) {
if (update_site_option('itsec_malware', $settings['itsec_malware'])) {
$updated = true;
}
}
if (isset($settings['itsec_ssl'])) {
if (update_site_option('itsec_ssl', $settings['itsec_ssl'])) {
$updated = true;
}
}
if (isset($settings['itsec_strong_passwords'])) {
if (update_site_option('itsec_strong_passwords', $settings['itsec_strong_passwords'])) {
$updated = true;
}
}
if (isset($settings['itsec_tweaks'])) {
$old_settings = get_site_option('itsec_tweaks');
$is_safe = ITSEC_Lib::safe_jquery_version() === true;
$raw_version = get_site_option('itsec_jquery_version');
if (true !== $is_safe && false !== $raw_version) {
$enable_set_safe_jquery = true;
}
if (!$enable_set_safe_jquery) {
$settings['itsec_tweaks']['safe_jquery'] = 0;
}
if (update_site_option('itsec_tweaks', $settings['itsec_tweaks'])) {
if ($input['protect_files'] !== $old_settings['protect_files'] || $input['directory_browsing'] !== $old_settings['directory_browsing'] || $input['request_methods'] !== $old_settings['request_methods'] || $input['suspicious_query_strings'] !== $old_settings['suspicious_query_strings'] || $input['non_english_characters'] !== $old_settings['non_english_characters'] || $input['comment_spam'] !== $old_settings['comment_spam'] || $input['disable_xmlrpc'] !== $old_settings['disable_xmlrpc'] || $input['uploads_php'] !== $old_settings['uploads_php']) {
if (!$rewrites_changed) {
add_site_option('itsec_rewrites_changed', true);
}
}
$updated = true;
}
}
$site_status = array('username_admin_exists' => username_exists('admin') ? 1 : 0, 'user_id1_exists' => ITSEC_Lib::user_id_exists(1) ? 1 : 0, 'backup' => $this->backup_status(), 'permalink_structure' => get_option('permalink_structure'), 'is_multisite' => is_multisite() ? 1 : 0, 'users_can_register' => get_site_option('users_can_register') ? 1 : 0, 'force_ssl_login' => defined('FORCE_SSL_LOGIN') && FORCE_SSL_LOGIN === true ? 1 : 0, 'force_ssl_admin' => defined('FORCE_SSL_ADMIN') && FORCE_SSL_ADMIN === true ? 1 : 0, 'server_nginx' => ITSEC_Lib::get_server() === 'nginx' ? 1 : 0, 'lockouts_host' => $this->get_lockouts('host', true), 'lockouts_user' => $this->get_lockouts('user', true), 'lockouts_username' => $this->get_lockouts('username', true));
$out = array();
if ($updated) {
$out['result'] = 'success';
} else {
$out['result'] = 'noupdate';
}
$out['site_status'] = $site_status;
return $out;
}
/**
* Sets the status in the plugin dashboard
*
* @since 4.0
*
* @return array array of statuses
*/
public function dashboard_status( $statuses ) {
if ( isset( $this->settings['protect_files'] ) && $this->settings['protect_files'] === true ) {
$status_array = 'safe-medium';
$status = array(
'text' => __( 'You are protecting common WordPress files from access.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_protect_files',
);
} else {
$status_array = 'medium';
$status = array(
'text' => __( 'You are not protecting common WordPress files from access. Click here to protect WordPress files.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_protect_files',
);
}
array_push( $statuses[ $status_array ], $status );
if ( ITSEC_Lib::get_server() != 'nginx' ) {
if ( isset( $this->settings['directory_browsing'] ) && $this->settings['directory_browsing'] === true && ITSEC_Lib::get_server() != 'nginx' ) {
$status_array = 'safe-low';
$status = array(
'text' => __( 'You have successfully disabled directory browsing on your site.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_directory_browsing',
);
} else {
$status_array = 'low';
$status = array(
'text' => __( 'You have not disabled directory browsing on your site. Click here to prevent a user from seeing every file present in your WordPress site.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_directory_browsing',
);
}
}
array_push( $statuses[ $status_array ], $status );
if ( isset( $this->settings['request_methods'] ) && $this->settings['request_methods'] === true ) {
$status_array = 'safe-low';
$status = array(
'text' => __( 'You are blocking HTTP request methods you do not need.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_request_methods',
);
} else {
$status_array = 'low';
$status = array(
'text' => __( 'You are not blocking HTTP request methods you do not need. Click here to block extra HTTP request methods that WordPress should not normally need.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_request_methods',
);
}
array_push( $statuses[ $status_array ], $status );
if ( isset( $this->settings['suspicious_query_strings'] ) && $this->settings['suspicious_query_strings'] === true ) {
$status_array = 'safe-medium';
$status = array(
'text' => __( 'Your WordPress site is blocking suspicious looking information in the URL.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_suspicious_query_strings',
);
} else {
$status_array = 'medium';
$status = array(
'text' => __( 'Your WordPress site is not blocking suspicious looking information in the URL. Click here to block users from trying to execute code that they should not be able to execute.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_suspicious_query_strings',
);
}
array_push( $statuses[ $status_array ], $status );
if ( isset( $this->settings['non_english_characters'] ) && $this->settings['non_english_characters'] === true ) {
$status_array = 'safe-low';
$status = array(
'text' => __( 'Your WordPress site is blocking non-english characters in the URL.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_non_english_characters',
);
} else {
$status_array = 'low';
$status = array(
'text' => __( 'Your WordPress site is not blocking non-english characters in the URL. Click here to fix this.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_non_english_characters',
);
}
array_push( $statuses[ $status_array ], $status );
if ( isset( $this->settings['long_url_strings'] ) && $this->settings['long_url_strings'] === true ) {
$status_array = 'safe-low';
$status = array(
'text' => __( 'Your installation does not accept long URLs.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_long_url_strings',
);
} else {
$status_array = 'low';
$status = array(
'text' => __( 'Your installation accepts long (over 255 character) URLS. This can lead to vulnerabilities. Click here to fix this.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_long_url_strings',
);
}
array_push( $statuses[ $status_array ], $status );
if ( isset( $this->settings['write_permissions'] ) && $this->settings['write_permissions'] === true ) {
$status_array = 'safe-low';
$status = array(
'text' => __( 'Your wp-config.php and .htaccess files are not writeable.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_write_permissions',
);
} else {
$status_array = 'low';
$status = array(
'text' => __( 'Your wp-config.php and .htaccess files are writeable. This can lead to vulnerabilities. Click here to fix this.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_write_permissions',
);
}
array_push( $statuses[ $status_array ], $status );
if ( isset( $this->settings['wlwmanifest_header'] ) && $this->settings['wlwmanifest_header'] === true ) {
$status_array = 'safe-low';
$status = array(
'text' => __( 'Your WordPress installation is not publishing the Windows Live Writer header.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_wlwmanifest_header',
);
} else {
$status_array = 'low';
$status = array(
'text' => __( 'Your WordPress installation is publishing the Windows Live Writer header. Click here to fix this.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_wlwmanifest_header',
);
}
array_push( $statuses[ $status_array ], $status );
if ( isset( $this->settings['edituri_header'] ) && $this->settings['edituri_header'] === true ) {
$status_array = 'safe-low';
$status = array(
'text' => __( 'Your WordPress installation is not publishing the Really Simple Discovery (RSD) header.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_edituri_header',
);
} else {
$status_array = 'low';
$status = array(
'text' => __( 'Your WordPress installation is publishing the Really Simple Discovery (RSD) header. Click here to fix this.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_edituri_header',
);
}
array_push( $statuses[ $status_array ], $status );
if ( is_multisite() ) {
if ( isset( $this->settings['theme_updates'] ) && $this->settings['theme_updates'] === true ) {
$status_array = 'safe-medium';
$status = array(
'text' => __( 'Your WordPress installation is not telling users who cannot update themes about theme updates.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_theme_updates',
);
} else {
$status_array = 'medium';
$status = array(
'text' => __( 'Your WordPress installation is telling users who cannot update themes about theme updates. Click here to fix this.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_theme_updates',
);
}
array_push( $statuses[ $status_array ], $status );
if ( isset( $this->settings['plugin_updates'] ) && $this->settings['plugin_updates'] === true ) {
$status_array = 'safe-medium';
$status = array(
'text' => __( 'Your WordPress installation is not telling users who cannot update plugins about plugin updates.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_plugin_updates',
);
} else {
$status_array = 'medium';
$status = array(
'text' => __( 'Your WordPress installation is telling users who cannot update plugins about plugin updates. Click here to fix this.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_plugin_updates',
);
}
array_push( $statuses[ $status_array ], $status );
if ( isset( $this->settings['core_updates'] ) && $this->settings['core_updates'] === true ) {
$status_array = 'safe-medium';
$status = array(
'text' => __( 'Your WordPress installation is not telling users who cannot update WordPress core about WordPress core updates.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_core_updates',
);
} else {
$status_array = 'medium';
$status = array(
'text' => __( 'Your WordPress installation is telling users who cannot update WordPress core about WordPress core updates. Click here to fix this.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_core_updates',
);
}
array_push( $statuses[ $status_array ], $status );
}
if ( isset( $this->settings['comment_spam'] ) && $this->settings['comment_spam'] === true ) {
$status_array = 'safe-medium';
$status = array(
'text' => __( 'Your WordPress installation is not allowing users without a user agent to post comments.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_comment_spam',
);
} else {
$status_array = 'medium';
$status = array(
'text' => __( 'Your WordPress installation is allowing users without a user agent to post comments. Fix this to reduce comment spam.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_comment_spam',
);
}
array_push( $statuses[ $status_array ], $status );
if ( isset( $this->settings['file_editor'] ) && $this->settings['file_editor'] === true ) {
$status_array = 'safe-low';
$status = array(
'text' => __( 'Users cannot edit plugin and themes files directly from within the WordPress Dashboard.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_file_editor',
);
} else {
$status_array = 'low';
$status = array(
'text' => __( 'Users can edit plugin and themes files directly from within the WordPress Dashboard. Click here to fix this.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_file_editor',
);
}
array_push( $statuses[ $status_array ], $status );
if ( isset( $this->settings['disable_xmlrpc'] ) && $this->settings['disable_xmlrpc'] === 2 ) {
$status_array = 'safe-low';
$status = array(
'text' => __( 'XML-RPC is not available on your WordPress installation.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_disable_xmlrpc',
);
} elseif ( isset( $this->settings['disable_xmlrpc'] ) && $this->settings['disable_xmlrpc'] === 1 ) {
$status_array = 'low';
$status = array(
'text' => __( 'XML-RPC is protecting you from the trackback and pingback attack but is still available on your site.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_disable_xmlrpc',
);
} else {
$status_array = 'medium';
$status = array(
'text' => __( 'XML-RPC is available on your WordPress installation. Attackers can use this feature to attack your site. Click here to disable access to XML-RPC.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_disable_xmlrpc',
);
}
array_push( $statuses[ $status_array ], $status );
if ( ! isset( $this->settings['allow_xmlrpc_multiauth'] ) || true === $this->settings['allow_xmlrpc_multiauth'] ) {
$status_array = 'high';
$status = array(
'text' => __( 'XML-RPC requests can try multiple authentication attempts per request. Attackers can use this to speed up their brute force attacks.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_allow_xmlrpc_multiauth',
);
} else {
$status_array = 'safe-high';
$status = array(
'text' => __( 'XML-RPC requests with multiple authentication attempts are blocked.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_allow_xmlrpc_multiauth',
);
}
array_push( $statuses[ $status_array ], $status );
if ( isset( $this->settings['uploads_php'] ) && $this->settings['uploads_php'] === true ) {
$status_array = 'safe-medium';
$status = array(
'text' => __( 'Users cannot execute PHP from the uploads folder.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_uploads_php',
);
} else {
$status_array = 'medium';
$status = array(
'text' => __( 'Users can execute PHP from the uploads folder.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_uploads_php',
);
}
array_push( $statuses[ $status_array ], $status );
$safe_jquery = ITSEC_Lib::safe_jquery_version();
if ( $safe_jquery === true ) {
$status_array = 'safe-high';
$status = array(
'text' => __( 'The front page of your site is using a safe version of jQuery.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_wordpress_safe_jquery',
);
} elseif ( $safe_jquery === false ) {
$status_array = 'high';
$status = array(
'text' => __( 'The front page of your site is not using a safe version of jQuery or the version of jQuery cannot be determined.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_wordpress_safe_jquery',
);
} else {
$status_array = 'low';
$status = array(
'text' => __( 'Your version of jQuery has not been determined. Load your homepage while logged in to determine the version of jQuery you are using', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_wordpress_safe_jquery',
);
}
array_push( $statuses[ $status_array ], $status );
if ( isset( $this->settings['force_unique_nicename'] ) && $this->settings['force_unique_nicename'] === true ) {
$status_array = 'safe-high';
$status = array(
'text' => __( "User's nicknames are different from their display name.", 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_force_unique_nicename',
);
} else {
$status_array = 'high';
$status = array(
'text' => __( "User nicknames may be the same as their login name. This means their login user name may be publicly available throughout the site.", 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_force_unique_nicename',
);
}
array_push( $statuses[ $status_array ], $status );
if ( isset( $this->settings['login_errors'] ) && $this->settings['login_errors'] === true ) {
$status_array = 'safe-low';
$status = array(
'text' => __( 'Your login page is not giving out unnecessary information upon failed login.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_login_errors',
);
} else {
$status_array = 'low';
$status = array(
'text' => __( 'Your login page is giving out unnecessary information upon failed login.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_login_errors',
);
}
array_push( $statuses[ $status_array ], $status );
if ( isset( $this->settings['disable_unused_author_pages'] ) && $this->settings['disable_unused_author_pages'] === true ) {
$status_array = 'safe-medium';
$status = array(
'text' => __( 'User profiles for users without content are not publicly available.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_disable_unused_author_pages',
);
} else {
$status_array = 'medium';
$status = array(
'text' => __( 'User profiles for users without content are publicly available. This can make it relatively easy to gain the username of important users.', 'it-l10n-ithemes-security-pro' ),
'link' => '#itsec_tweaks_server_disable_unused_author_pages',
);
}
array_push( $statuses[ $status_array ], $status );
return $statuses;
}
/**
* echos Replace jQuery Field
*
* @since 4.0
*
* @return void
*/
public function tweaks_wordpress_safe_jquery()
{
if (isset($this->settings['safe_jquery']) && $this->settings['safe_jquery'] === true) {
$safe_jquery = 1;
} else {
$safe_jquery = 0;
}
$raw_version = get_site_option('itsec_jquery_version');
$is_safe = ITSEC_Lib::safe_jquery_version() === true;
if ($raw_version !== false) {
$version = sprintf(__('Your current jQuery version is %1$s'), $raw_version);
} else {
$version = sprintf(__('Your current jQuery version is undetermined. Please <a href="%1$s" target="_blank">check your homepage</a> to see if you even need this feature'), site_url());
}
if ($is_safe === true) {
$color = 'green';
} else {
$color = 'red';
}
if ($is_safe !== true && $raw_version !== false) {
echo '<input type="checkbox" id="itsec_tweaks_wordpress_safe_jquery" name="itsec_tweaks[safe_jquery]" value="1" ' . checked(1, $safe_jquery, false) . '/>';
}
echo '<label for="itsec_tweaks_wordpress_safe_jquery">' . __('Enqueue a safe version of jQuery', 'better-wp-security') . '</label>';
echo '<p class="description">' . __('Remove the existing jQuery version used and replace it with a safe version (the version that comes default with WordPress).', 'better-wp-security') . '</p>';
echo '<p class="description" style="color: ' . $color . '">' . $version . '.</p>';
printf('<p class="description">%s <a href="%s" target="_blank">%s</a> %s</p>', __('Note that this only checks the homepage of your site and only for users who are logged in. This is done intentionally to save resources. If you think this is in error ', 'better-wp-security'), site_url(), __('click here to check again.', 'better-wp-security'), __('This will open your homepage in a new window allowing the plugin to determine the version of jQuery actually being used. You can then come back here and reload this page to see your version.', 'better-wp-security'));
}
