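 /**
  * Admin-side init work that runs on every admin request.
  *
  * - When cookie-based brute force prevention is enabled but no test cookie
  *   name is stored yet (installs saved under an older release), generates a
  *   random test cookie name, stores it, drops the cookie and rewrites .htaccess.
  * - On the brute force settings page (tab2) handles the cookie test form, the
  *   secret-word cookie and the cookie-test result flag.
  * - Handles the nonce-protected wp-config backup download and the settings
  *   export POST actions.
  *
  * Reads the $aio_wp_security global and the request superglobals. Side effects:
  * config writes, cookies, an .htaccess rewrite, a redirect and file downloads.
  * Returns nothing.
  */
 function do_other_admin_side_init_tasks()
 {
     global $aio_wp_security;
     //***New Feature improvement for Cookie Based Brute Force Protection***//
     //The old "test cookie" used to be too easy to guess because someone could just read the code and get the value.
     //So now we will drop a more secure test cookie using a 10 digit random string
     if ($aio_wp_security->configs->get_value('aiowps_enable_brute_force_attack_prevention') == '1') {
         // This code is for users who had this feature saved using an older release. This will drop the new more secure test cookie to the browser and will write it to the .htaccess file too
         $test_cookie = $aio_wp_security->configs->get_value('aiowps_cookie_brute_test');
         if (empty($test_cookie)) {
             $random_suffix = AIOWPSecurity_Utility::generate_alpha_numeric_random_string(10);
             $test_cookie_name = 'aiowps_cookie_test_' . $random_suffix;
             $aio_wp_security->configs->set_value('aiowps_cookie_brute_test', $test_cookie_name);
             $aio_wp_security->configs->save_config(); //save the value
             AIOWPSecurity_Utility::set_cookie_value($test_cookie_name, "1");
             //Write this new cookie to the .htaccess file
             $res = AIOWPSecurity_Utility_Htaccess::write_to_htaccess();
             if ($res == -1) {
                 $aio_wp_security->debug_logger->log_debug("Error writing new test cookie with random suffix to .htaccess file!", 4);
             }
         }
     }
     //For cookie test form submission case
     if (isset($_GET['page']) && $_GET['page'] == AIOWPSEC_BRUTE_FORCE_MENU_SLUG && isset($_GET['tab']) && $_GET['tab'] == 'tab2') {
         // NOTE(review): the three branches below act on raw POST/REQUEST fields with no nonce check,
         // unlike the wp-config and export handlers further down; the feature's settings save is
         // presumably nonce-checked in the tab renderer - confirm before relying on that.
         if (isset($_POST['aiowps_do_cookie_test_for_bfla'])) {
             $random_suffix = AIOWPSecurity_Utility::generate_alpha_numeric_random_string(10);
             $test_cookie_name = 'aiowps_cookie_test_' . $random_suffix;
             $aio_wp_security->configs->set_value('aiowps_cookie_brute_test', $test_cookie_name);
             $aio_wp_security->configs->save_config(); //save the value
             AIOWPSecurity_Utility::set_cookie_value($test_cookie_name, "1");
             //Reload the same tab with a flag so the branch below can check whether the cookie came back
             $cur_url = "admin.php?page=" . AIOWPSEC_BRUTE_FORCE_MENU_SLUG . "&tab=tab2";
             $redirect_url = AIOWPSecurity_Utility::add_query_data_to_url($cur_url, 'aiowps_cookie_test', "1");
             AIOWPSecurity_Utility::redirect_to_url($redirect_url);
         }
         if (isset($_POST['aiowps_enable_brute_force_attack_prevention'])) {
             //Guard the index: a form without the secret word field would otherwise raise an undefined index notice
             $brute_force_feature_secret_word = isset($_POST['aiowps_brute_force_secret_word']) ? sanitize_text_field($_POST['aiowps_brute_force_secret_word']) : '';
             if (empty($brute_force_feature_secret_word)) {
                 $brute_force_feature_secret_word = "aiowps_secret";
             }
             AIOWPSecurity_Utility::set_cookie_value($brute_force_feature_secret_word, "1");
         }
         if (isset($_REQUEST['aiowps_cookie_test'])) {
             //Record whether the browser sent the test cookie back after the redirect above
             $test_cookie = $aio_wp_security->configs->get_value('aiowps_cookie_brute_test');
             $cookie_val = AIOWPSecurity_Utility::get_cookie_value($test_cookie);
             if (empty($cookie_val)) {
                 $aio_wp_security->configs->set_value('aiowps_cookie_test_success', '');
             } else {
                 $aio_wp_security->configs->set_value('aiowps_cookie_test_success', '1');
             }
             $aio_wp_security->configs->save_config(); //save the value
         }
     }
     if (isset($_POST['aiowps_save_wp_config'])) {
         //A missing nonce field must fail verification, not raise a notice
         $nonce = isset($_REQUEST['_wpnonce']) ? $_REQUEST['_wpnonce'] : '';
         if (!wp_verify_nonce($nonce, 'aiowpsec-save-wp-config-nonce')) {
             $aio_wp_security->debug_logger->log_debug("Nonce check failed on wp_config file save!", 4);
             die("Nonce check failed on wp_config file save!");
         }
         //Backup the wp_config.php file, then offer the backup as a download
         $wp_config_path = AIOWPSecurity_Utility_File::get_wp_config_file_path();
         $result = AIOWPSecurity_Utility_File::backup_and_rename_wp_config($wp_config_path);
         // NOTE(review): $result is not checked before the download is offered - confirm
         // whether backup_and_rename_wp_config() can signal failure and handle it here.
         AIOWPSecurity_Utility_File::download_a_file_option1($wp_config_path, "wp-config-backup.txt");
     }
     //Handle export settings
     if (isset($_POST['aiowps_export_settings'])) {
         $nonce = isset($_REQUEST['_wpnonce']) ? $_REQUEST['_wpnonce'] : '';
         if (!wp_verify_nonce($nonce, 'aiowpsec-export-settings-nonce')) {
             $aio_wp_security->debug_logger->log_debug("Nonce check failed on export AIOWPS settings!", 4);
             die("Nonce check failed on export AIOWPS settings!");
         }
         $config_data = get_option('aio_wp_security_configs');
         $output = json_encode($config_data);
         AIOWPSecurity_Utility_File::download_content_to_a_file($output);
     }
 }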
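 /**
  * Adds IP addresses to the blacklist configuration and rewrites .htaccess.
  *
  * The currently stored list is merged with the new entries, the merged list
  * is validated via AIOWPSecurity_Utility_IP::validate_ip_list(), and on
  * success blacklisting is force-enabled, the config saved and .htaccess
  * rewritten. Status messages are emitted through AIOWPSecurity_Admin_Menu.
  *
  * @param array|string|null $entries Either an array of event-table row IDs
  *        (their ip_or_host column is looked up), or a single IP/host string.
  * @return int|false 1 on success, -1 when the merged list fails validation,
  *         false when no event rows matched the selected IDs.
  */
 function blacklist_ip_address($entries)
 {
     global $wpdb, $aio_wp_security;
     //get the currently saved blacklisted IPs
     $bl_ip_addresses = $aio_wp_security->configs->get_value('aiowps_banned_ip_addresses');
     $ip_list_array = AIOWPSecurity_Utility_IP::create_ip_list_array_from_string_with_newline($bl_ip_addresses);
     if (is_array($entries)) {
         //Get the selected IP addresses. The IDs come from the request, so cast each to int
         //and bind them through $wpdb->prepare() rather than splicing raw values into IN (...)
         $ids = array_map('intval', $entries);
         $results = array();
         if (!empty($ids)) {
             $events_table = AIOWPSEC_TBL_EVENTS;
             $placeholders = implode(",", array_fill(0, count($ids), '%d'));
             $query = $wpdb->prepare("SELECT ip_or_host FROM {$events_table} WHERE ID IN ({$placeholders})", $ids);
             $results = $wpdb->get_col($query);
         }
         if (empty($results)) {
             AIOWPSecurity_Admin_Menu::show_msg_error_st(__('Could not process the request because the IP addresses for the selected entries could not be found!', 'WPS'));
             return false;
         }
         foreach ($results as $entry) {
             $ip_list_array[] = $entry;
         }
     } elseif ($entries != null) {
         //Blacklist single record
         $ip_list_array[] = $entries;
     }
     $payload = AIOWPSecurity_Utility_IP::validate_ip_list($ip_list_array, 'blacklist');
     if ($payload[0] == 1) {
         //success case
         $result = 1;
         $list = $payload[1];
         $banned_ip_data = implode(PHP_EOL, $list);
         //Force blacklist feature to be enabled
         $aio_wp_security->configs->set_value('aiowps_enable_blacklisting', '1');
         $aio_wp_security->configs->set_value('aiowps_banned_ip_addresses', $banned_ip_data);
         $aio_wp_security->configs->save_config(); //Save the configuration
         //now let's write to the .htaccess file
         $write_result = AIOWPSecurity_Utility_Htaccess::write_to_htaccess();
         if ($write_result == -1) {
             AIOWPSecurity_Admin_Menu::show_msg_error_st(__('The plugin was unable to write to the .htaccess file. Please edit file manually.', 'aiowpsecurity'));
             $aio_wp_security->debug_logger->log_debug("AIOWPSecurity_Blacklist_Menu - The plugin was unable to write to the .htaccess file.");
         } else {
             AIOWPSecurity_Admin_Menu::show_msg_updated_st(__('The selected IP addresses have been added to the blacklist and will be permanently blocked!', 'WPS'));
         }
     } else {
         $result = -1;
         //validate_ip_list() reports the first offending entry as $payload[1][0]
         $error_msg = $payload[1][0];
         AIOWPSecurity_Admin_Menu::show_msg_error_st($error_msg);
     }
     //Previously computed but never returned; callers may now inspect the outcome
     return $result;
 }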
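    /**
     * Renders the "Ban IPs or User Agents" tab and handles its form submission.
     *
     * On a POST of aiowps_save_blacklist_settings the nonce is verified (the
     * request dies on failure), the submitted IP list is validated via
     * AIOWPSecurity_Utility_IP::validate_ip_list() and the user agent list via
     * $this->validate_user_agent_list(); on success the config is saved, feature
     * points are recalculated and .htaccess is rewritten. A validation failure
     * leaves $result at -1 so the form re-displays the submitted input.
     *
     * Reads the $aio_wp_security and $aiowps_feature_mgr globals; echoes HTML.
     */
    function render_tab1()
    {
        global $aio_wp_security;
        global $aiowps_feature_mgr;
        $result = 1;
        if (isset($_POST['aiowps_save_blacklist_settings'])) {
            //A missing nonce field must fail verification, not raise an undefined index notice
            $nonce = isset($_REQUEST['_wpnonce']) ? $_REQUEST['_wpnonce'] : '';
            if (!wp_verify_nonce($nonce, 'aiowpsec-blacklist-settings-nonce')) {
                $aio_wp_security->debug_logger->log_debug("Nonce check failed for save blacklist settings!", 4);
                die(__('Nonce check failed for save blacklist settings!', 'all-in-one-wp-security-and-firewall'));
            }
            if (isset($_POST["aiowps_enable_blacklisting"]) && empty($_POST['aiowps_banned_ip_addresses']) && empty($_POST['aiowps_banned_user_agents'])) {
                //The text domain belongs inside __(); it used to be passed as a stray second argument and the message was never translated
                $this->show_msg_error(__('You must submit at least one IP address or one User Agent value or both!', 'all-in-one-wp-security-and-firewall'));
            } else {
                if (!empty($_POST['aiowps_banned_ip_addresses'])) {
                    $ip_addresses = $_POST['aiowps_banned_ip_addresses'];
                    $ip_list_array = AIOWPSecurity_Utility_IP::create_ip_list_array_from_string_with_newline($ip_addresses);
                    $payload = AIOWPSecurity_Utility_IP::validate_ip_list($ip_list_array, 'blacklist');
                    if ($payload[0] == 1) {
                        //success case
                        $result = 1;
                        $list = $payload[1];
                        $banned_ip_data = implode(PHP_EOL, $list);
                        $aio_wp_security->configs->set_value('aiowps_banned_ip_addresses', $banned_ip_data);
                        $_POST['aiowps_banned_ip_addresses'] = '';
                        //Clear the post variable for the banned address list
                    } else {
                        $result = -1;
                        //The message echoes the offending submitted entry, so escape it (as render_tab4 does)
                        $error_msg = htmlspecialchars($payload[1][0]);
                        $this->show_msg_error($error_msg);
                    }
                } else {
                    $aio_wp_security->configs->set_value('aiowps_banned_ip_addresses', '');
                    //Clear the IP address config value
                }
                if (!empty($_POST['aiowps_banned_user_agents'])) {
                    //validate_user_agent_list() returns -1 on failure, which flips $result negative
                    $result = $result * $this->validate_user_agent_list();
                } else {
                    //clear the user agent list
                    $aio_wp_security->configs->set_value('aiowps_banned_user_agents', '');
                }
                if ($result == 1) {
                    $aio_wp_security->configs->set_value('aiowps_enable_blacklisting', isset($_POST["aiowps_enable_blacklisting"]) ? '1' : '');
                    $aio_wp_security->configs->save_config();
                    //Save the configuration
                    //Recalculate points after the feature status/options have been altered
                    $aiowps_feature_mgr->check_feature_status_and_recalculate_points();
                    $this->show_msg_settings_updated();
                    $write_result = AIOWPSecurity_Utility_Htaccess::write_to_htaccess();
                    //now let's write to the .htaccess file
                    if (!$write_result) {
                        $this->show_msg_error(__('The plugin was unable to write to the .htaccess file. Please edit file manually.', 'all-in-one-wp-security-and-firewall'));
                        $aio_wp_security->debug_logger->log_debug("AIOWPSecurity_Blacklist_Menu - The plugin was unable to write to the .htaccess file.");
                    }
                }
            }
        }
        ?>
        <h2><?php
        _e('Ban IPs or User Agents', 'all-in-one-wp-security-and-firewall');
        ?>
</h2>
        <div class="aio_blue_box">
            <?php
        echo '<p>' . __('The All In One WP Security Blacklist feature gives you the option of banning certain host IP addresses or ranges and also user agents.', 'all-in-one-wp-security-and-firewall') . '
            <br />' . __('This feature will deny total site access for users which have IP addresses or user agents matching those which you have configured in the settings below.', 'all-in-one-wp-security-and-firewall') . '
            <br />' . __('The plugin achieves this by making appropriate modifications to your .htaccess file.', 'all-in-one-wp-security-and-firewall') . '
            <br />' . __('By blocking people via the .htaccess file your are using the most secure first line of defence which denies all access to blacklisted visitors as soon as they hit your hosting server.', 'all-in-one-wp-security-and-firewall') . '
            </p>';
        ?>
        </div>
        <div class="aio_grey_box">
            <?php
        $addon_link = '<strong><a href="http://www.site-scanners.com/country-blocking-addon/" target="_blank">Country Blocking Addon</a></strong>';
        $info_msg = sprintf(__('You may also be interested in our %s.', 'all-in-one-wp-security-and-firewall'), $addon_link);
        $info_msg2 = __('This addon allows you to automatically block IP addresses based on their country of origin.', 'all-in-one-wp-security-and-firewall');
        echo '<p>' . $info_msg . '<br />' . $info_msg2 . '</p>';
        ?>
        </div>

        <div class="postbox">
        <h3 class="hndle"><label for="title"><?php
        _e('IP Hosts and User Agent Blacklist Settings', 'all-in-one-wp-security-and-firewall');
        ?>
</label></h3>
        <div class="inside">
        <?php
        //Display security info badge ($aiowps_feature_mgr is already declared global at the top)
        $aiowps_feature_mgr->output_feature_details_badge("blacklist-manager-ip-user-agent-blacklisting");
        ?>

        <form action="" method="POST">
        <?php
        wp_nonce_field('aiowpsec-blacklist-settings-nonce');
        ?>
        <div class="aio_orange_box">
            <p>
            <?php
        $read_link = '<a href="https://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin#advanced_features_note" target="_blank">must read this message</a>';
        echo sprintf(__('This feature can lock you out of admin if it doesn\'t work correctly on your site. You %s before activating this feature.', 'all-in-one-wp-security-and-firewall'), $read_link);
        ?>
            </p>
        </div>
        <table class="form-table">
            <tr valign="top">
                <th scope="row"><?php
        _e('Enable IP or User Agent Blacklisting', 'all-in-one-wp-security-and-firewall');
        ?>
:</th>
                <td>
                <input name="aiowps_enable_blacklisting" type="checkbox"<?php
        if ($aio_wp_security->configs->get_value('aiowps_enable_blacklisting') == '1') {
            echo ' checked="checked"';
        }
        ?>
 value="1"/>
                <span class="description"><?php
        _e('Check this if you want to enable the banning (or blacklisting) of selected IP addresses and/or user agents specified in the settings below', 'all-in-one-wp-security-and-firewall');
        ?>
</span>
                </td>
            </tr>
            <tr valign="top">
                <th scope="row"><?php
        _e('Enter IP Addresses:', 'all-in-one-wp-security-and-firewall');
        ?>
</th>
                <td>
                    <textarea name="aiowps_banned_ip_addresses" rows="5" cols="50"><?php
        //On a validation failure re-display what was submitted; otherwise the stored value
        echo $result == -1 ? htmlspecialchars($_POST['aiowps_banned_ip_addresses']) : htmlspecialchars($aio_wp_security->configs->get_value('aiowps_banned_ip_addresses'));
        ?>
</textarea>
                    <br />
                    <span class="description"><?php
        _e('Enter one or more IP addresses or IP ranges.', 'all-in-one-wp-security-and-firewall');
        ?>
</span>
                    <span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php
        _e('More Info', 'all-in-one-wp-security-and-firewall');
        ?>
</span></span>
                    <div class="aiowps_more_info_body">
                            <?php
        echo '<p class="description">' . __('Each IP address must be on a new line.', 'all-in-one-wp-security-and-firewall') . '</p>';
        echo '<p class="description">' . __('To specify an IP range use a wildcard "*" character. Acceptable ways to use wildcards is shown in the examples below:', 'all-in-one-wp-security-and-firewall') . '</p>';
        echo '<p class="description">' . __('Example 1: 195.47.89.*', 'all-in-one-wp-security-and-firewall') . '</p>';
        echo '<p class="description">' . __('Example 2: 195.47.*.*', 'all-in-one-wp-security-and-firewall') . '</p>';
        echo '<p class="description">' . __('Example 3: 195.*.*.*', 'all-in-one-wp-security-and-firewall') . '</p>';
        ?>
                    </div>

                </td>
            </tr>
            <tr valign="top">
                <th scope="row"><?php
        _e('Enter User Agents:', 'all-in-one-wp-security-and-firewall');
        ?>
</th>
                <td>
                    <textarea name="aiowps_banned_user_agents" rows="5" cols="50"><?php
        //Escape both branches: the submitted or stored user agent strings are arbitrary text
        //and were previously echoed raw into the textarea (a "</textarea>" in them would break out)
        echo $result == -1 ? htmlspecialchars($_POST['aiowps_banned_user_agents']) : htmlspecialchars($aio_wp_security->configs->get_value('aiowps_banned_user_agents'));
        ?>
</textarea>
                    <br />
                    <span class="description">
                        <?php
        _e('Enter one or more user agent strings.', 'all-in-one-wp-security-and-firewall');
        ?>
</span>
                    <span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php
        _e('More Info', 'all-in-one-wp-security-and-firewall');
        ?>
</span></span>
                    <div class="aiowps_more_info_body">
                            <?php
        echo '<p class="description">' . __('Each user agent string must be on a new line.', 'all-in-one-wp-security-and-firewall') . '</p>';
        echo '<p class="description">' . __('Example 1 - A single user agent string to block:', 'all-in-one-wp-security-and-firewall') . '</p>';
        echo '<p class="description">SquigglebotBot</p>';
        echo '<p class="description">' . __('Example 2 - A list of more than 1 user agent strings to block', 'all-in-one-wp-security-and-firewall') . '</p>';
        echo '<p class="description">baiduspider<br />SquigglebotBot<br />SurveyBot<br />VoidEYE<br />webcrawl.net<br />YottaShopping_Bot</p>';
        ?>
                    </div>

                </td>
            </tr>
        </table>
        <input type="submit" name="aiowps_save_blacklist_settings" value="<?php
        _e('Save Settings', 'all-in-one-wp-security-and-firewall');
        ?>
" class="button-primary" />
        </form>
        </div></div>
        <?php
    }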
 /**
  * Builds the .htaccess rule block that denies hotlinked image requests.
  *
  * Returns an empty string unless the 'aiowps_prevent_hotlinking' option is '1'.
  * Otherwise the block (wrapped in the feature's start/end markers) rewrites
  * requests for existing .gif/.jp(e)g/.png files whose Referer is non-empty and
  * does not begin with this site's URL to a 403 via mod_rewrite.
  *
  * @return string Rule text ending in PHP_EOL, or '' when the feature is off.
  */
 static function prevent_image_hotlinks()
 {
     global $aio_wp_security;
     if ($aio_wp_security->configs->get_value('aiowps_prevent_hotlinking') != '1') {
         return '';
     }
     $site_url = AIOWPSecurity_Utility_Htaccess::return_regularized_url(AIOWPSEC_WP_URL);
     if ($site_url == false) {
         //Fall back to the raw site URL when it could not be regularized
         $site_url = AIOWPSEC_WP_URL;
     }
     //Each piece is emitted on its own line, wrapped by the feature marker start/end
     $pieces = array(
         AIOWPSecurity_Utility_Htaccess::$prevent_image_hotlinks_marker_start,
         '<IfModule mod_rewrite.c>
                     RewriteEngine on
                     RewriteCond %{HTTP_REFERER} !^$',
         ' RewriteCond %{REQUEST_FILENAME} -f',
         ' RewriteCond %{REQUEST_FILENAME} \\.(gif|jpe?g?|png)$ [NC]',
         ' RewriteCond %{HTTP_REFERER} !^' . $site_url . ' [NC]',
         ' RewriteRule \\.(gif|jpe?g?|png)$ - [F,NC,L]
                    </IfModule>',
         AIOWPSecurity_Utility_Htaccess::$prevent_image_hotlinks_marker_end,
     );
     return implode(PHP_EOL, $pieces) . PHP_EOL;
 }
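    /**
     * Renders the "Custom .htaccess Rules" tab and handles its form submission.
     *
     * On a POST of aiowps_save_custom_rules_settings the nonce is verified (the
     * request dies on failure), the submitted rules are stored under
     * 'aiowps_custom_rules' (slashes stripped; an empty submission clears the
     * stored rules), the enable flag is stored, the config saved and .htaccess
     * rewritten via AIOWPSecurity_Utility_Htaccess::write_to_htaccess().
     *
     * Reads the $aio_wp_security global; echoes HTML.
     */
    function render_tab7()
    {
        global $aio_wp_security;
        if (isset($_POST['aiowps_save_custom_rules_settings'])) {
            //A missing nonce field must fail verification, not raise an undefined index notice
            $nonce = isset($_REQUEST['_wpnonce']) ? $_REQUEST['_wpnonce'] : '';
            if (!wp_verify_nonce($nonce, 'aiowpsec-save-custom-rules-settings-nonce')) {
                $aio_wp_security->debug_logger->log_debug("Nonce check failed for save custom rules settings!", 4);
                die("Nonce check failed for save custom rules settings!");
            }
            //Save settings
            if (isset($_POST["aiowps_enable_custom_rules"]) && empty($_POST['aiowps_custom_rules'])) {
                //The text domain belongs inside __(); it used to be passed as a stray second argument and the message was never translated
                $this->show_msg_error(__('You must enter some .htaccess directives code in the text box below', 'all-in-one-wp-security-and-firewall'));
            } else {
                //An empty submission clears the stored rules. Previously the empty branch set '' and the
                //following set_value() then overwrote it with an undefined $custom_rules (null + a notice).
                $custom_rules = '';
                if (!empty($_POST['aiowps_custom_rules'])) {
                    // Undo magic quotes that are automatically added to `$_GET`,
                    // `$_POST`, `$_COOKIE`, and `$_SERVER` by WordPress as
                    // they corrupt any custom rule with backslash in it...
                    $custom_rules = stripslashes($_POST['aiowps_custom_rules']);
                }
                // NOTE(review): these rules reach .htaccess verbatim through write_to_htaccess(); the nonce
                // is the only gate visible here, so the capability check is assumed to live in the menu dispatcher - confirm.
                $aio_wp_security->configs->set_value('aiowps_custom_rules', $custom_rules);
                $aio_wp_security->configs->set_value('aiowps_enable_custom_rules', isset($_POST["aiowps_enable_custom_rules"]) ? '1' : '');
                $aio_wp_security->configs->save_config();
                //Save the configuration
                $this->show_msg_settings_updated();
                $write_result = AIOWPSecurity_Utility_Htaccess::write_to_htaccess();
                //now let's write to the .htaccess file
                if (!$write_result) {
                    $this->show_msg_error(__('The plugin was unable to write to the .htaccess file. Please edit file manually.', 'all-in-one-wp-security-and-firewall'));
                    $aio_wp_security->debug_logger->log_debug("Custom Rules feature - The plugin was unable to write to the .htaccess file.");
                }
            }
        }
        ?>
        <h2><?php
        _e('Custom .htaccess Rules Settings', 'all-in-one-wp-security-and-firewall');
        ?>
</h2>
        <form action="" method="POST">
            <?php
        wp_nonce_field('aiowpsec-save-custom-rules-settings-nonce');
        ?>
            <div class="aio_blue_box">
                <?php
        $info_msg = '';
        $info_msg .= '<p>' . __('This feature can be used to apply your own custom .htaccess rules and directives.', 'all-in-one-wp-security-and-firewall') . '</p>';
        $info_msg .= '<p>' . __('It is useful for when you want to tweak our existing firewall rules or when you want to add your own.', 'all-in-one-wp-security-and-firewall') . '</p>';
        $info_msg .= '<p>' . __('NOTE: This feature can only used if your site is hosted in an apache or similar web server.', 'all-in-one-wp-security-and-firewall') . '</p>';
        echo $info_msg;
        ?>
            </div>
            <div class="aio_yellow_box">
                <?php
        $info_msg_2 = '<p>' . __('<strong>Warning</strong>: Only use this feature if you know what you are doing.', 'all-in-one-wp-security-and-firewall') . '</p>';
        $info_msg_2 .= '<p>' . __('Incorrect .htaccess rules or directives can break or prevent access to your site.', 'all-in-one-wp-security-and-firewall') . '</p>';
        $info_msg_2 .= '<p>' . __('It is your responsibility to ensure that you are entering the correct code!', 'all-in-one-wp-security-and-firewall') . '</p>';
        $info_msg_2 .= '<p>' . __('If you break your site you will need to access your server via FTP or something similar and then edit your .htaccess file and delete the changes you made.', 'all-in-one-wp-security-and-firewall') . '</p>';
        echo $info_msg_2;
        ?>
            </div>

            <div class="postbox">
                <h3 class="hndle"><label for="title"><?php
        _e('Custom .htaccess Rules', 'all-in-one-wp-security-and-firewall');
        ?>
</label></h3>
                <div class="inside">
                    <table class="form-table">
                        <tr valign="top">
                            <th scope="row"><?php
        _e('Enable Custom .htaccess Rules', 'all-in-one-wp-security-and-firewall');
        ?>
:</th>
                            <td>
                                <input name="aiowps_enable_custom_rules" type="checkbox"<?php
        if ($aio_wp_security->configs->get_value('aiowps_enable_custom_rules') == '1') {
            echo ' checked="checked"';
        }
        ?>
 value="1"/>
                                <span class="description"><?php
        _e('Check this if you want to enable custom rules entered in the text box below', 'all-in-one-wp-security-and-firewall');
        ?>
</span>
                            </td>
                        </tr>
                        <tr valign="top">
                            <th scope="row"><?php
        _e('Enter Custom .htaccess Rules:', 'all-in-one-wp-security-and-firewall');
        ?>
</th>
                            <td>
                                <textarea name="aiowps_custom_rules" rows="35" cols="50"><?php
        //Stored rules are arbitrary text; escape them so they cannot break out of the textarea
        echo htmlspecialchars($aio_wp_security->configs->get_value('aiowps_custom_rules'));
        ?>
</textarea>
                                <br />
                                <span class="description"><?php
        _e('Enter your custom .htaccess rules/directives.', 'all-in-one-wp-security-and-firewall');
        ?>
</span>
                            </td>
                        </tr>
                    </table>
                </div></div>
            <input type="submit" name="aiowps_save_custom_rules_settings" value="<?php
        _e('Save Custom Rules', 'all-in-one-wp-security-and-firewall');
        ?>
" class="button-primary" />
        </form>
    <?php
    }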
    function render_tab4()
    {
        global $aio_wp_security;
        global $aiowps_feature_mgr;
        $result = 1;
        $your_ip_address = AIOWPSecurity_Utility_IP::get_user_ip_address();
        if (isset($_POST['aiowps_save_whitelist_settings'])) {
            $nonce = $_REQUEST['_wpnonce'];
            if (!wp_verify_nonce($nonce, 'aiowpsec-whitelist-settings-nonce')) {
                $aio_wp_security->debug_logger->log_debug("Nonce check failed for save whitelist settings!", 4);
                die(__('Nonce check failed for save whitelist settings!', 'all-in-one-wp-security-and-firewall'));
            }
            if (isset($_POST["aiowps_enable_whitelisting"]) && empty($_POST['aiowps_allowed_ip_addresses'])) {
                $this->show_msg_error('You must submit at least one IP address!', 'all-in-one-wp-security-and-firewall');
            } else {
                if (!empty($_POST['aiowps_allowed_ip_addresses'])) {
                    $ip_addresses = $_POST['aiowps_allowed_ip_addresses'];
                    $ip_list_array = AIOWPSecurity_Utility_IP::create_ip_list_array_from_string_with_newline($ip_addresses);
                    $payload = AIOWPSecurity_Utility_IP::validate_ip_list($ip_list_array, 'whitelist');
                    if ($payload[0] == 1) {
                        //success case
                        $result = 1;
                        $list = $payload[1];
                        $whitelist_ip_data = implode(PHP_EOL, $list);
                        $aio_wp_security->configs->set_value('aiowps_allowed_ip_addresses', $whitelist_ip_data);
                        $_POST['aiowps_allowed_ip_addresses'] = '';
                        //Clear the post variable for the banned address list
                    } else {
                        $result = -1;
                        $error_msg = htmlspecialchars($payload[1][0]);
                        $this->show_msg_error($error_msg);
                    }
                } else {
                    $aio_wp_security->configs->set_value('aiowps_allowed_ip_addresses', '');
                    //Clear the IP address config value
                }
                if ($result == 1) {
                    $aio_wp_security->configs->set_value('aiowps_enable_whitelisting', isset($_POST["aiowps_enable_whitelisting"]) ? '1' : '');
                    $aio_wp_security->configs->save_config();
                    //Save the configuration
                    //Recalculate points after the feature status/options have been altered
                    $aiowps_feature_mgr->check_feature_status_and_recalculate_points();
                    $this->show_msg_settings_updated();
                    $write_result = AIOWPSecurity_Utility_Htaccess::write_to_htaccess();
                    //now let's write to the .htaccess file
                    if (!$write_result) {
                        $this->show_msg_error(__('The plugin was unable to write to the .htaccess file. Please edit file manually.', 'all-in-one-wp-security-and-firewall'));
                        $aio_wp_security->debug_logger->log_debug("AIOWPSecurity_whitelist_Menu - The plugin was unable to write to the .htaccess file.");
                    }
                }
            }
        }
        ?>
        <h2><?php 
        _e('Login Whitelist', 'all-in-one-wp-security-and-firewall');
        ?>
</h2>
        <div class="aio_blue_box">
            <?php 
        echo '<p>' . __('The All In One WP Security Whitelist feature gives you the option of only allowing certain IP addresses or ranges to have access to your WordPress login page.', 'all-in-one-wp-security-and-firewall') . '
            <br />' . __('This feature will deny login access for all IP addresses which are not in your whitelist as configured in the settings below.', 'all-in-one-wp-security-and-firewall') . '
            <br />' . __('The plugin achieves this by writing the appropriate directives to your .htaccess file.', 'all-in-one-wp-security-and-firewall') . '
            <br />' . __('By allowing/blocking IP addresses via the .htaccess file your are using the most secure first line of defence because login access will only be granted to whitelisted IP addresses and other addresses will be blocked as soon as they try to access your login page.', 'all-in-one-wp-security-and-firewall') . '
            </p>';
        ?>
        </div>
        <div class="aio_yellow_box">
            <?php 
        $brute_force_login_feature_link = '<a href="admin.php?page=' . AIOWPSEC_BRUTE_FORCE_MENU_SLUG . '&tab=tab2" target="_blank">Cookie-Based Brute Force Login Prevention</a>';
        $rename_login_feature_link = '<a href="admin.php?page=' . AIOWPSEC_BRUTE_FORCE_MENU_SLUG . '&tab=tab1" target="_blank">Rename Login Page</a>';
        echo '<p>' . sprintf(__('Attention: If in addition to enabling the white list feature, you also have one of the %s or %s features enabled, <strong>you will still need to use your secret word or special slug in the URL when trying to access your WordPress login page</strong>.', 'all-in-one-wp-security-and-firewall'), $brute_force_login_feature_link, $rename_login_feature_link) . '</p>
            <p>' . __('These features are NOT functionally related. Having both of them enabled on your site means you are creating 2 layers of security.', 'all-in-one-wp-security-and-firewall') . '</p>';
        ?>
        </div>

        <div class="postbox">
        <h3 class="hndle"><label for="title"><?php 
        _e('Login IP Whitelist Settings', 'all-in-one-wp-security-and-firewall');
        ?>
</label></h3>
        <div class="inside">
        <?php 
        //Display security info badge
        global $aiowps_feature_mgr;
        $aiowps_feature_mgr->output_feature_details_badge("whitelist-manager-ip-login-whitelisting");
        ?>
    
        <form action="" method="POST">
        <?php 
        wp_nonce_field('aiowpsec-whitelist-settings-nonce');
        ?>
            
        <table class="form-table">
            <tr valign="top">
                <th scope="row"><?php 
        _e('Enable IP Whitelisting', 'all-in-one-wp-security-and-firewall');
        ?>
:</th>
                <td>
                <input name="aiowps_enable_whitelisting" type="checkbox"<?php 
        if ($aio_wp_security->configs->get_value('aiowps_enable_whitelisting') == '1') {
            echo ' checked="checked"';
        }
        ?>
 value="1"/>
                <span class="description"><?php 
        _e('Check this if you want to enable the whitelisting of selected IP addresses specified in the settings below', 'all-in-one-wp-security-and-firewall');
        ?>
</span>
                </td>
            </tr>            
            <tr valign="top">
                <th scope="row"><?php 
        _e('Your Current IP Address', 'all-in-one-wp-security-and-firewall');
        ?>
:</th>
                <td>
                <input size="20" name="aiowps_user_ip" type="text" value="<?php 
        echo $your_ip_address;
        ?>
" readonly="readonly"/>
                <span class="description"><?php 
        _e('You can copy and paste this address in the text box below if you want to include it in your login whitelist.', 'all-in-one-wp-security-and-firewall');
        ?>
</span>
                </td>
            </tr>            
            <tr valign="top">
                <th scope="row"><?php 
        _e('Enter Whitelisted IP Addresses:', 'all-in-one-wp-security-and-firewall');
        ?>
</th>
                <td>
                    <textarea name="aiowps_allowed_ip_addresses" rows="5" cols="50"><?php 
        echo $result == -1 ? htmlspecialchars($_POST['aiowps_allowed_ip_addresses']) : htmlspecialchars($aio_wp_security->configs->get_value('aiowps_allowed_ip_addresses'));
        ?>
</textarea>
                    <br />
                    <span class="description"><?php 
        _e('Enter one or more IP addresses or IP ranges you wish to include in your whitelist. Only the addresses specified here will have access to the WordPress login page.', 'all-in-one-wp-security-and-firewall');
        ?>
</span>
                    <span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php 
        _e('More Info', 'all-in-one-wp-security-and-firewall');
        ?>
</span></span>
                    <div class="aiowps_more_info_body">
                            <?php 
        echo '<p class="description"><strong>' . __('Each IP address must be on a new line.', 'all-in-one-wp-security-and-firewall') . '</strong></p>';
        echo '<p class="description">' . __('To specify an IPv4 range use a wildcard "*" character. Acceptable ways to use wildcards is shown in the examples below:', 'all-in-one-wp-security-and-firewall') . '</p>';
        echo '<p class="description">' . __('Example 1: 195.47.89.*', 'all-in-one-wp-security-and-firewall') . '</p>';
        echo '<p class="description">' . __('Example 2: 195.47.*.*', 'all-in-one-wp-security-and-firewall') . '</p>';
        echo '<p class="description">' . __('Example 3: 195.*.*.*', 'all-in-one-wp-security-and-firewall') . '</p>';
        echo '<p class="description">' . __('Or you can enter an IPv6 address (NOTE: ranges/wildcards are currently not supported for ipv6)', 'all-in-one-wp-security-and-firewall') . '</p>';
        echo '<p class="description">' . __('Example 4: 4102:0:3ea6:79fd:b:46f8:230f:bb05', 'all-in-one-wp-security-and-firewall') . '</p>';
        echo '<p class="description">' . __('Example 5: 2205:0:1ca2:810d::', 'all-in-one-wp-security-and-firewall') . '</p>';
        ?>
                    </div>

                </td>
            </tr>
        </table>
        <input type="submit" name="aiowps_save_whitelist_settings" value="<?php 
        _e('Save Settings', 'all-in-one-wp-security-and-firewall');
        ?>
" class="button-primary" />
        </form>
        </div></div>
        <?php 
    }
コード例 #7
 /**
  * Restores the configuration stashed in the 'aiowps_temp_configs' option
  * (left behind by a previous deactivation) and regenerates the .htaccess
  * rules from it.
  *
  * Returns true when the stashed configuration was restored and the
  * .htaccess file written; false when no stashed configuration exists or
  * the .htaccess write reported -1.
  */
 static function reactivation_tasks()
 {
     global $aio_wp_security;
     $stashed_configs = get_option('aiowps_temp_configs');
     if ($stashed_configs === FALSE) {
         $aio_wp_security->debug_logger->log_debug("AIOWPSecurity_Deactivation::run_deactivation_tasks() - Original config settings not found!", 4);
         return false;
     }
     //Previously installed plugin was reactivated: move the stashed
     //configuration back to its normal option.
     //NOTE(review): update_option() also returns false when the stored value
     //is unchanged, so this log line can fire without a real failure.
     if (update_option('aio_wp_security_configs', $stashed_configs) === FALSE) {
         $aio_wp_security->debug_logger->log_debug("AIOWPSecurity_Installer::run_installer() - Update of option settings failed upon plugin activation!", 4);
     }
     //Refresh the in-memory copy before the rules are regenerated from it
     $aio_wp_security->configs->configs = $stashed_configs;
     //Regenerate the .htaccess rules the restored settings require
     if (AIOWPSecurity_Utility_Htaccess::write_to_htaccess() == -1) {
         $aio_wp_security->debug_logger->log_debug("AIOWPSecurity_Deactivation::run_deactivation_tasks() - Could not write to the .htaccess file. Please check the file permissions.", 4);
         return false;
     }
     delete_option('aiowps_temp_configs');
     return true;
 }
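 /**
  * Adds the given IP address(es) to the 'aiowps_banned_ip_addresses' config
  * value (one address per line), saves the config and, when the blacklist
  * feature is enabled, rewrites the .htaccess file.
  *
  * @param array|string|null $entries  Addresses ticked in the bulk list, or the
  *        single address from a "block" link. Entries are trimmed and de-duplicated
  *        against the existing list (and against each other) but are NOT validated
  *        as IP addresses here, so the caller must only pass values that are safe
  *        to emit into .htaccess rules.
  */
 function block_spammer_ip_records($entries)
 {
     global $aio_wp_security;
     $raw_banned_ip_list = (string) $aio_wp_security->configs->get_value('aiowps_banned_ip_addresses');
     //The config holds one address per line; a blank config explodes to a single empty element
     $currently_banned_ips = array_map('trim', explode(PHP_EOL, $raw_banned_ip_list));
     if (count($currently_banned_ips) == 1 && $currently_banned_ips[0] == '') {
         $currently_banned_ips = array();
     }
     //Normalise both call styles to a plain list of candidate addresses
     if (is_array($entries)) {
         //Bulk selection using checkboxes were used
         $candidates = $entries;
     } elseif ($entries !== null && $entries !== '') {
         //individual entry where "block" link was clicked
         $candidates = array($entries);
     } else {
         $candidates = array();
     }
     foreach ($candidates as $ip_add) {
         if (!is_scalar($ip_add)) {
             //Malformed submission (e.g. nested array) - never emit "Array" into the list
             continue;
         }
         $ip_add = trim((string) $ip_add);
         //Skip blanks and addresses already on the list. $currently_banned_ips is
         //extended as we go so a duplicate within $entries is only added once.
         if ($ip_add === '' || in_array($ip_add, $currently_banned_ips, true)) {
             continue;
         }
         $currently_banned_ips[] = $ip_add;
         //Don't start an empty list with a blank line
         $raw_banned_ip_list = $raw_banned_ip_list === '' ? $ip_add : $raw_banned_ip_list . PHP_EOL . $ip_add;
     }
     //Let's save the selected IP addresses to the blacklist config
     $aio_wp_security->configs->set_value('aiowps_banned_ip_addresses', $raw_banned_ip_list);
     //Save the blocked IP address config variable with the newly added addresses
     $aio_wp_security->configs->save_config();
     AIOWPSecurity_Admin_Menu::show_msg_updated_st(__('The selected IP addresses were saved in the blacklist configuration settings.', 'aiowpsecurity'));
     //Let's check if the Enable Blacklisting flag has been set - If so, we will write the new data to the .htaccess file.
     if ($aio_wp_security->configs->get_value('aiowps_enable_blacklisting') == '1') {
         $write_result = AIOWPSecurity_Utility_Htaccess::write_to_htaccess();
         if ($write_result == -1) {
             AIOWPSecurity_Admin_Menu::show_msg_error_st(__('The plugin was unable to write to the .htaccess file. Please edit file manually.', 'aiowpsecurity'));
             $aio_wp_security->debug_logger->log_debug("AIOWPSecurity_Blacklist_Menu - The plugin was unable to write to the .htaccess file.");
         } else {
             AIOWPSecurity_Admin_Menu::show_msg_updated_st(__('The .htaccess file was successfully modified to include the selected IP addresses.', 'aiowpsecurity'));
         }
     } else {
         //Config was saved but no rule was written; tell the admin why
         $blacklist_settings_link = '<a href="admin.php?page=' . AIOWPSEC_BLACKLIST_MENU_SLUG . '">Ban Users</a>';
         $info_msg = '<p>' . __('NOTE: The .htaccess file was not modified because you have disabled the "Enable IP or User Agent Blacklisting" check box.', 'aiowpsecurity') . '<br />' . sprintf(__('To block these IP addresses you will need to enable the above flag in the %s menu', 'aiowpsecurity'), $blacklist_settings_link) . '</p>';
         AIOWPSecurity_Admin_Menu::show_msg_updated_st($info_msg);
     }
 }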
コード例 #9
 /**
  * Clears every firewall/.htaccess-related setting (the checkbox flags and
  * the custom rules text), saves the config and rewrites .htaccess so the
  * corresponding rules are removed.
  *
  * A failed .htaccess write (-1) is only logged; nothing is thrown.
  */
 static function turn_off_all_firewall_rules()
 {
     global $aio_wp_security;
     //Every key below is a checkbox flag, except 'aiowps_custom_rules' which
     //holds the custom rules text. All are reset to the empty string.
     $settings_to_clear = array(
         'aiowps_enable_blacklisting',
         'aiowps_enable_whitelisting',
         'aiowps_enable_basic_firewall',
         'aiowps_enable_pingback_firewall',
         'aiowps_block_debug_log_file_access',
         'aiowps_disable_index_views',
         'aiowps_disable_trace_and_track',
         'aiowps_forbid_proxy_comments',
         'aiowps_deny_bad_query_strings',
         'aiowps_advanced_char_string_filter',
         'aiowps_enable_5g_firewall',
         'aiowps_enable_6g_firewall',
         'aiowps_enable_brute_force_attack_prevention',
         'aiowps_enable_custom_rules',
         'aiowps_custom_rules',
         'aiowps_prevent_default_wp_file_access',
         'aiowps_enable_spambot_blocking',
         //404 detection
         'aiowps_enable_404_logging',
         'aiowps_enable_404_IP_lockout',
         //Prevent Image Hotlinks
         'aiowps_prevent_hotlinking',
     );
     foreach ($settings_to_clear as $setting_key) {
         $aio_wp_security->configs->set_value($setting_key, '');
     }
     $aio_wp_security->configs->save_config();
     //Regenerate the .htaccess file from the cleared settings
     if (AIOWPSecurity_Utility_Htaccess::write_to_htaccess() == -1) {
         $aio_wp_security->debug_logger->log_debug("AIOWPSecurity_Configure_Settings::turn_off_all_firewall_rules() - Could not write to the .htaccess file. Please check the file permissions.", 4);
     }
 }
コード例 #10
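    /**
     * Renders the "WordPress Files" tab and, on POST of its form, saves the
     * 'aiowps_prevent_default_wp_file_access' flag and rewrites .htaccess.
     *
     * Dies when the nonce check fails. Outcome messages are emitted through
     * $this->show_msg_updated() / $this->show_msg_error().
     */
    function render_tab3()
    {
        global $aio_wp_security;
        global $aiowps_feature_mgr;
        if (isset($_POST['aiowps_save_wp_file_access_settings'])) {
            //A missing nonce must fail the check rather than raise an undefined-index notice
            $nonce = isset($_REQUEST['_wpnonce']) ? $_REQUEST['_wpnonce'] : '';
            if (!wp_verify_nonce($nonce, 'aiowpsec-prevent-default-wp-file-access-nonce')) {
                $aio_wp_security->debug_logger->log_debug("Nonce check failed on enable basic firewall settings!", 4);
                die("Nonce check failed on enable basic firewall settings!");
            }
            //Save settings: the checkbox is only present in the POST body when ticked
            $aio_wp_security->configs->set_value('aiowps_prevent_default_wp_file_access', isset($_POST['aiowps_prevent_default_wp_file_access']) ? '1' : '');
            //Commit the config settings
            $aio_wp_security->configs->save_config();
            //Recalculate points after the feature status/options have been altered
            $aiowps_feature_mgr->check_feature_status_and_recalculate_points();
            //Now let's write the applicable rules to the .htaccess file.
            //write_to_htaccess() signals failure with -1, which is truthy in PHP,
            //so the failure case must be tested before the success case.
            $res = AIOWPSecurity_Utility_Htaccess::write_to_htaccess();
            if ($res == -1) {
                $this->show_msg_error(__('Could not write to the .htaccess file. Please check the file permissions.', 'aiowpsecurity'));
            } elseif ($res) {
                $this->show_msg_updated(__('You have successfully saved the Prevent Access to Default WP Files configuration.', 'aiowpsecurity'));
            }
        }
        ?>
        <h2><?php 
        _e('WordPress Files', 'aiowpsecurity');
        ?>
</h2>
        <div class="aio_blue_box">
            <?php 
        $info_msg = sprintf(__('This feature allows you to prevent access to files such as %s, %s and %s which are delivered with all WP installations.', 'aiowpsecurity'), 'readme.html', 'license.txt', 'wp-config-sample.php');
        echo '<p>' . $info_msg . '</p>' . '<p>' . __('By preventing access to these files you are hiding some key pieces of information (such as WordPress version info) from potential hackers.', 'aiowpsecurity') . '</p>';
        ?>
        </div>

        <div class="postbox">
        <h3><label for="title"><?php 
        _e('Prevent Access to Default WP Files', 'aiowpsecurity');
        ?>
</label></h3>
        <div class="inside">
        <?php 
        //Display security info badge ($aiowps_feature_mgr is already declared global above)
        $aiowps_feature_mgr->output_feature_details_badge("block-wp-files-access");
        ?>
        <form action="" method="POST">
        <?php 
        wp_nonce_field('aiowpsec-prevent-default-wp-file-access-nonce');
        ?>
            
        <table class="form-table">
            <tr valign="top">
                <th scope="row"><?php 
        _e('Prevent Access to WP Default Install Files', 'aiowpsecurity');
        ?>
:</th>                
                <td>
                <input name="aiowps_prevent_default_wp_file_access" type="checkbox"<?php 
        if ($aio_wp_security->configs->get_value('aiowps_prevent_default_wp_file_access') == '1') {
            echo ' checked="checked"';
        }
        ?>
 value="1"/>
                <span class="description"><?php 
        _e('Check this if you want to prevent access to readme.html, license.txt and wp-config-sample.php.', 'aiowpsecurity');
        ?>
</span>
                </td>
            </tr>            
        </table>
        <input type="submit" name="aiowps_save_wp_file_access_settings" value="<?php 
        _e('Save Setting', 'aiowpsecurity');
        ?>
" class="button-primary" />
        </form>
        </div></div>
        <?php 
    }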
コード例 #11
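    /**
     * Renders the "Export or Import Your AIOWPS Settings" tab and, on POST of
     * the import form, replaces the 'aio_wp_security_configs' option with the
     * submitted settings (from an uploaded file URL or pasted text) and
     * rewrites .htaccess.
     *
     * Dies when the nonce check fails. An uploaded import file is deleted
     * after processing whether or not the import succeeded, because it
     * contains security settings.
     */
    function render_tab5()
    {
        global $aio_wp_security;
        $events_table_name = AIOWPSEC_TBL_EVENTS;
        AIOWPSecurity_Utility::cleanup_table($events_table_name, 500);
        if (isset($_POST['aiowps_import_settings'])) {
            //A missing nonce must fail the check rather than raise an undefined-index notice
            $nonce = isset($_REQUEST['_wpnonce']) ? $_REQUEST['_wpnonce'] : '';
            if (!wp_verify_nonce($nonce, 'aiowpsec-import-settings-nonce')) {
                $aio_wp_security->debug_logger->log_debug("Nonce check failed on import AIOWPS settings!", 4);
                die("Nonce check failed on import AIOWPS settings!");
            }
            if (empty($_POST['aiowps_import_settings_file']) && empty($_POST['aiowps_import_settings_text'])) {
                $this->show_msg_error(__('Please choose a file to import your settings from.', 'aiowpsecurity'));
            } else {
                //The file input takes precedence when both are supplied
                $import_from = empty($_POST['aiowps_import_settings_file']) ? "text" : "file";
                $attachment_id = false;
                if ($import_from == "file") {
                    //Let's get the uploaded import file path (a URL typed/selected by the admin)
                    $submitted_import_file_path = trim($_POST['aiowps_import_settings_file']);
                    //we'll need this later for deleting
                    $attachment_id = AIOWPSecurity_Utility_File::get_attachment_id_from_url($submitted_import_file_path);
                    //NOTE(review): the path is user-supplied; check_if_valid_aiowps_settings_file()
                    //is expected to restrict reads to this site's own uploads - confirm.
                    //Verify that file chosen has valid AIOWPS settings contents
                    $aiowps_settings_file_contents = $this->check_if_valid_aiowps_settings_file($submitted_import_file_path);
                } else {
                    //Get the string right from the textarea. Still confirm it's in the expected format.
                    $aiowps_settings_file_contents = $this->check_if_valid_aiowps_settings_text($_POST['aiowps_import_settings_text']);
                }
                //The validators return -1 for invalid input. Additionally reject anything
                //that does not decode to an array so a malformed value can never replace
                //the whole config option.
                $settings_array = $aiowps_settings_file_contents != -1 ? json_decode($aiowps_settings_file_contents, true) : null;
                if (!is_array($settings_array)) {
                    //Invalid settings file
                    $aio_wp_security->debug_logger->log_debug("The contents of your settings file appear invalid!", 4);
                    $this->show_msg_error(__('The contents of your settings file appear invalid. Please check the contents of the file you are trying to import settings from.', 'aiowpsecurity'));
                    if ($import_from == "file") {
                        //Let's also delete the uploaded settings file for security purposes
                        if ($this->delete_uploaded_settings_file($attachment_id)) {
                            $this->show_msg_updated(__('The file you uploaded was also deleted for security purposes because it contains security settings details.', 'aiowpsecurity'));
                        } else {
                            $this->show_msg_error(__('The deletion of the import file failed. Please delete this file manually via the media menu for security purposes.', 'aiowpsecurity'));
                        }
                    }
                } elseif (!update_option('aio_wp_security_configs', $settings_array)) {
                    //Failed to import settings
                    //NOTE(review): update_option() also returns false when the stored value is
                    //unchanged, so re-importing identical settings lands here as well.
                    $aio_wp_security->debug_logger->log_debug("Import AIOWPS settings from " . $import_from . " operation failed!", 4);
                    $this->show_msg_error(sprintf(__('Import AIOWPS settings from %s operation failed!', 'aiowpsecurity'), $import_from));
                    if ($import_from == "file") {
                        //Delete the uploaded settings file for security purposes
                        if ($this->delete_uploaded_settings_file($attachment_id)) {
                            $this->show_msg_updated(__('The file you uploaded was also deleted for security purposes because it contains security settings details.', 'aiowpsecurity'));
                        } else {
                            $this->show_msg_error(__('The deletion of the import file failed. Please delete this file manually via the media menu for security purposes.', 'aiowpsecurity'));
                        }
                    }
                } else {
                    //Refresh the configs global variable
                    $aio_wp_security->configs->configs = $settings_array;
                    //Just in case user submits partial config settings
                    //Run add_option_values to make sure any missing config items are at least set to default
                    AIOWPSecurity_Configure_Settings::add_option_values();
                    if ($import_from == "file") {
                        //Delete the uploaded settings file for security purposes
                        if ($this->delete_uploaded_settings_file($attachment_id)) {
                            $this->show_msg_updated(__('Your AIOWPS settings were successfully imported. The file you uploaded was also deleted for security purposes because it contains security settings details.', 'aiowpsecurity'));
                        } else {
                            $this->show_msg_updated(__('Your AIOWPS settings were successfully imported via file input.', 'aiowpsecurity'));
                            $this->show_msg_error(__('The deletion of the import file failed. Please delete this file manually via the media menu for security purposes because it contains security settings details.', 'aiowpsecurity'));
                        }
                    } else {
                        $this->show_msg_updated(__('Your AIOWPS settings were successfully imported via text entry.', 'aiowpsecurity'));
                    }
                    //Now let's refresh the .htaccess file with any modified rules if applicable
                    $res = AIOWPSecurity_Utility_Htaccess::write_to_htaccess();
                    if ($res == -1) {
                        $this->show_msg_error(__('Could not write to the .htaccess file. Please check the file permissions.', 'aiowpsecurity'));
                    }
                }
            }
        }
        ?>
        <h2><?php 
        _e('Export or Import Your AIOWPS Settings', 'aiowpsecurity');
        ?>
</h2>
        <div class="aio_blue_box">
            <?php 
        echo '<p>' . __('This section allows you to export or import your All In One WP Security & Firewall settings.', 'aiowpsecurity');
        echo '<br />' . __('This can be handy if you wanted to save time by applying the settings from one site to another site.', 'aiowpsecurity') . '
            <br />' . __('NOTE: Before importing, it is your responsibility to know what settings you are trying to import. Importing settings blindly can cause you to be locked out of your site.', 'aiowpsecurity') . '
            <br />' . __('For Example: If a settings item relies on the domain URL then it may not work correctly when imported into a site with a different domain.', 'aiowpsecurity') . '
            </p>';
        ?>
        </div>

        <div class="postbox">
        <h3><label for="title"><?php 
        _e('Export AIOWPS Settings', 'aiowpsecurity');
        ?>
</label></h3>
        <div class="inside">
        <form action="" method="POST">
        <?php 
        wp_nonce_field('aiowpsec-export-settings-nonce');
        ?>
        <table class="form-table">
            <tr valign="top">
            <span class="description"><?php 
        _e('To export your All In One WP Security & Firewall settings click the button below.', 'aiowpsecurity');
        ?>
</span>
            </tr>
        </table>
        <input type="submit" name="aiowps_export_settings" value="<?php 
        _e('Export AIOWPS Settings', 'aiowpsecurity');
        ?>
" class="button-primary" />
        </form>
        </div></div>
        <div class="postbox">
        <h3><label for="title"><?php 
        _e('Import AIOWPS Settings', 'aiowpsecurity');
        ?>
</label></h3>
        <div class="inside">
        <form action="" method="POST">
        <?php 
        wp_nonce_field('aiowpsec-import-settings-nonce');
        ?>
        <table class="form-table">
            <tr valign="top">
                <span class="description"><?php 
        _e('Use this section to import your All In One WP Security & Firewall settings from a file. Alternatively, copy/paste the contents of your import file into the textarea below.', 'aiowpsecurity');
        ?>
</span>
                <th scope="row"><?php 
        _e('Import File', 'aiowpsecurity');
        ?>
:</th>
                <td>
                    <input type="button" id="aiowps_import_settings_file_button" name="aiowps_import_settings_file_button" class="button rbutton" value="Select Your Import Settings File" />
                    <input name="aiowps_import_settings_file" type="text" id="aiowps_import_settings_file" value="" size="80" />
                    <p class="description">
                        <?php 
        _e('After selecting your file, click the button below to apply the settings to your site.', 'aiowpsecurity');
        ?>
                    </p>
                </td>
            </tr>
            <tr valign="top">
                <th scope="row"><?php 
        _e('Copy/Paste Import Data', 'aiowpsecurity');
        ?>
:</th>
                <td>
                    <textarea name="aiowps_import_settings_text" id="aiowps_import_settings_text" style="width:80%;height:140px;"></textarea>
                </td>
            </tr>
        </table>
        <input type="submit" name="aiowps_import_settings" value="<?php 
        _e('Import AIOWPS Settings', 'aiowpsecurity');
        ?>
" class="button-primary" />
        </form>
        </div></div>
    <?php 
    }

    /**
     * Deletes the uploaded settings file (a media-library attachment) once the
     * import has been processed, because the file holds security settings.
     *
     * @param int|false $attachment_id  Id resolved from the submitted file URL,
     *        or false when the URL did not map to an attachment.
     * @return bool  true when the attachment was removed, false otherwise
     *         (no attachment id, or wp_delete_attachment() returned false/null).
     */
    private function delete_uploaded_settings_file($attachment_id)
    {
        if (empty($attachment_id)) {
            return false;
        }
        //Called exactly once: a second call on an already-deleted attachment
        //would report a spurious failure.
        return (bool) wp_delete_attachment($attachment_id, true);
    }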
コード例 #12
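    /**
     * Renders the "Comment SPAM Settings" tab and, on POST of its form, saves
     * the comment-captcha and spambot-blocking flags, rotates the captcha
     * secret key and rewrites .htaccess.
     *
     * Dies when the nonce check fails. Outcome messages are emitted through
     * $this->show_msg_updated() / $this->show_msg_error().
     */
    function render_tab1()
    {
        global $aiowps_feature_mgr;
        global $aio_wp_security;
        if (isset($_POST['aiowps_apply_comment_spam_prevention_settings'])) {
            //A missing nonce must fail the check rather than raise an undefined-index notice
            $nonce = isset($_REQUEST['_wpnonce']) ? $_REQUEST['_wpnonce'] : '';
            if (!wp_verify_nonce($nonce, 'aiowpsec-comment-spam-settings-nonce')) {
                $aio_wp_security->debug_logger->log_debug("Nonce check failed on save comment spam settings!", 4);
                die("Nonce check failed on save comment spam settings!");
            }
            //Save settings
            //Generate random 20 char string for use during captcha encode/decode.
            //A new key is issued on every save, which invalidates captchas issued
            //under the previous key.
            $random_20_digit_string = AIOWPSecurity_Utility::generate_alpha_numeric_random_string(20);
            $aio_wp_security->configs->set_value('aiowps_captcha_secret_key', $random_20_digit_string);
            //Checkboxes are only present in the POST body when ticked
            $aio_wp_security->configs->set_value('aiowps_enable_comment_captcha', isset($_POST["aiowps_enable_comment_captcha"]) ? '1' : '');
            $aio_wp_security->configs->set_value('aiowps_enable_spambot_blocking', isset($_POST["aiowps_enable_spambot_blocking"]) ? '1' : '');
            //Commit the config settings
            $aio_wp_security->configs->save_config();
            //Recalculate points after the feature status/options have been altered
            $aiowps_feature_mgr->check_feature_status_and_recalculate_points();
            //Now let's write the applicable rules to the .htaccess file.
            //write_to_htaccess() signals failure with -1, which is truthy in PHP,
            //so the failure case must be tested before the success case.
            $res = AIOWPSecurity_Utility_Htaccess::write_to_htaccess();
            if ($res == -1) {
                $this->show_msg_error(__('Could not write to the .htaccess file. Please check the file permissions.', 'aiowpsecurity'));
            } elseif ($res) {
                $this->show_msg_updated(__('Settings were successfully saved', 'aiowpsecurity'));
            }
        }
        ?>
        <h2><?php 
        _e('Comment SPAM Settings', 'aiowpsecurity');
        ?>
</h2>
        <form action="" method="POST">
        <?php 
        wp_nonce_field('aiowpsec-comment-spam-settings-nonce');
        ?>
            

        <div class="postbox">
        <h3><label for="title"><?php 
        _e('Add Captcha To Comments Form', 'aiowpsecurity');
        ?>
</label></h3>
        <div class="inside">
        <div class="aio_blue_box">
            <?php 
        echo '<p>' . __('This feature will add a simple math captcha field in the WordPress comments form.', 'aiowpsecurity') . '<br />' . __('Adding a captcha field in the comment form is a simple way of greatly reducing SPAM comments from bots without using .htaccess rules.', 'aiowpsecurity') . '</p>';
        ?>
        </div>
        <?php 
        //Display security info badge
        $aiowps_feature_mgr->output_feature_details_badge("comment-form-captcha");
        if (AIOWPSecurity_Utility::is_multisite_install() && get_current_blog_id() != 1) {
            //Hide config settings if MS and not main site
            AIOWPSecurity_Utility::display_multisite_message();
        } else {
            ?>
        <table class="form-table">
            <tr valign="top">
                <th scope="row"><?php 
            _e('Enable Captcha On Comment Forms', 'aiowpsecurity');
            ?>
:</th>                
                <td>
                <input name="aiowps_enable_comment_captcha" type="checkbox"<?php 
            if ($aio_wp_security->configs->get_value('aiowps_enable_comment_captcha') == '1') {
                echo ' checked="checked"';
            }
            ?>
 value="1"/>
                <span class="description"><?php 
            _e('Check this if you want to insert a captcha field on the comment forms', 'aiowpsecurity');
            ?>
</span>
                </td>
            </tr>            
        </table>
        <?php 
        }
        //End if statement
        ?>
        </div></div>
            
        <div class="postbox">
        <h3><label for="title"><?php 
        _e('Block Spambot Comments', 'aiowpsecurity');
        ?>
</label></h3>
        <div class="inside">
        <div class="aio_blue_box">
            <?php 
        echo '<p>' . __('A large portion of WordPress blog comment SPAM is mainly produced by automated bots and not necessarily by humans. ', 'aiowpsecurity') . '<br />' . __('This feature will greatly minimize the useless and unecessary traffic and load on your server resulting from SPAM comments by blocking all comment requests which do not originate from your domain.', 'aiowpsecurity') . '<br />' . __('In other words, if the comment was not submitted by a human who physically submitted the comment on your site, the request will be blocked.', 'aiowpsecurity') . '</p>';
        ?>
        </div>
        <?php 
        //Display security info badge
        $aiowps_feature_mgr->output_feature_details_badge("block-spambots");
        if (AIOWPSecurity_Utility::is_multisite_install() && get_current_blog_id() != 1) {
            //Hide config settings if MS and not main site
            AIOWPSecurity_Utility::display_multisite_message();
        } else {
            ?>
        <table class="form-table">
            <tr valign="top">
                <th scope="row"><?php 
            _e('Block Spambots From Posting Comments', 'aiowpsecurity');
            ?>
:</th>                
                <td>
                <input name="aiowps_enable_spambot_blocking" type="checkbox"<?php 
            if ($aio_wp_security->configs->get_value('aiowps_enable_spambot_blocking') == '1') {
                echo ' checked="checked"';
            }
            ?>
 value="1"/>
                <span class="description"><?php 
            _e('Check this if you want to apply a firewall rule which will block comments originating from spambots.', 'aiowpsecurity');
            ?>
</span>
                <span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php 
            _e('More Info', 'aiowpsecurity');
            ?>
</span></span>
                <div class="aiowps_more_info_body">
                        <?php 
            echo '<p class="description">' . __('This feature will implement a firewall rule to block all comment attempts which do not originate from your domain.', 'aiowpsecurity') . '</p>';
            echo '<p class="description">' . __('A legitimate comment is one which is submitted by a human who physically fills out the comment form and clicks the submit button. For such events, the HTTP_REFERRER is always set to your own domain.', 'aiowpsecurity') . '</p>';
            echo '<p class="description">' . __('A comment submitted by a spambot is done by directly calling the comments.php file, which usually means that the HTTP_REFERRER value is not your domain and often times empty.', 'aiowpsecurity') . '</p>';
            echo '<p class="description">' . __('This feature will check and block comment requests which are not referred by your domain thus greatly reducing your overall blog SPAM and PHP requests done by the server to process these comments.', 'aiowpsecurity') . '</p>';
            ?>
                </div>
                </td>
            </tr>            
        </table>
        <?php 
        }
        //End if statement
        ?>
        </div></div>

        <input type="submit" name="aiowps_apply_comment_spam_prevention_settings" value="<?php 
        _e('Save Settings', 'aiowpsecurity');
        ?>
" class="button-primary" />
        </form>
        <?php 
    }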
コード例 #13
 /**
  * Refreshes the firewall rules in the .htaccess file, e.g. after the
  * permalink structure changed while the IP white list is enabled.
  *
  * Both parameters are accepted for the hook signature but are not read;
  * the rules are regenerated from the current config regardless.
  *
  * @param $old_permalink_structure
  * @param $permalink_structure
  */
 function refresh_firewall_rules($old_permalink_structure, $permalink_structure)
 {
     global $aio_wp_security;
     //Nothing to adjust unless the white list feature is active
     if ($aio_wp_security->configs->get_value('aiowps_enable_whitelisting') != '1') {
         return;
     }
     //Rewrite the .htaccess file from the current settings
     $write_result = AIOWPSecurity_Utility_Htaccess::write_to_htaccess();
     if ($write_result != -1) {
         return;
     }
     //-1 means the file could not be written: tell the admin and log it
     $this->show_msg_error(__('The plugin was unable to write to the .htaccess file. Please edit file manually.', 'all-in-one-wp-security-and-firewall'));
     $aio_wp_security->debug_logger->log_debug("AIOWPSecurity_whitelist_Menu - The plugin was unable to write to the .htaccess file.");
 }
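    /**
     * Renders the "Prevent Image Hotlinking" tab and handles its form submission.
     *
     * On a POST carrying aiowps_save_prevent_hotlinking the nonce is verified
     * (a failure logs and dies), the aiowps_prevent_hotlinking option is stored,
     * the feature points are recalculated and the .htaccess rules are rewritten.
     * The outcome is reported through show_msg_updated()/show_msg_error(), then
     * the settings form is echoed as HTML.
     */
    function render_tab5()
    {
        global $aio_wp_security;
        global $aiowps_feature_mgr;
        if (isset($_POST['aiowps_save_prevent_hotlinking'])) {
            //A missing nonce is treated like an invalid one instead of raising a notice
            $nonce = isset($_REQUEST['_wpnonce']) ? $_REQUEST['_wpnonce'] : '';
            if (!wp_verify_nonce($nonce, 'aiowpsec-prevent-hotlinking-nonce')) {
                $aio_wp_security->debug_logger->log_debug("Nonce check failed on prevent hotlinking options save!", 4);
                die("Nonce check failed on prevent hotlinking options save!");
            }
            $aio_wp_security->configs->set_value('aiowps_prevent_hotlinking', isset($_POST["aiowps_prevent_hotlinking"]) ? '1' : '');
            $aio_wp_security->configs->save_config();
            //Recalculate points after the feature status/options have been altered
            $aiowps_feature_mgr->check_feature_status_and_recalculate_points();
            //Now let's write the applicable rules to the .htaccess file
            $res = AIOWPSecurity_Utility_Htaccess::write_to_htaccess();
            //write_to_htaccess() signals failure with -1, which is truthy, so the
            //error sentinel has to be checked before the result counts as success
            //(otherwise a failed write shows the "successfully saved" message)
            if ($res === -1) {
                $this->show_msg_error(__('Could not write to the .htaccess file. Please check the file permissions.', 'aiowpsecurity'));
            } elseif ($res) {
                $this->show_msg_updated(__('Settings were successfully saved', 'aiowpsecurity'));
            }
        }
        ?>
        <h2><?php 
        _e('Prevent Image Hotlinking', 'aiowpsecurity');
        ?>
</h2>
        <div class="aio_blue_box">
            <?php 
        echo '<p>' . __('A Hotlink is where someone displays an image on their site which is actually located on your site by using a direct link to the source of the image on your server.', 'aiowpsecurity');
        echo '<br />' . __('Due to the fact that the image being displayed on the other person\'s site is coming from your server, this can cause leaking of bandwidth and resources for you because your server has to present this image for the people viewing it on someone elses\'s site.', 'aiowpsecurity');
        echo '<br />' . __('This feature will prevent people from directly hotlinking images from your site\'s pages by writing some directives in your .htaccess file.', 'aiowpsecurity') . '</p>';
        ?>
        </div>

        <div class="postbox">
        <h3><label for="title"><?php 
        _e('Prevent Hotlinking', 'aiowpsecurity');
        ?>
</label></h3>
        <div class="inside">
        <?php 
        //Display security info badge (the feature manager is already imported above)
        $aiowps_feature_mgr->output_feature_details_badge("prevent-hotlinking");
        ?>

        <form action="" method="POST">
        <?php 
        wp_nonce_field('aiowpsec-prevent-hotlinking-nonce');
        ?>
            
        <table class="form-table">
            <tr valign="top">
                <th scope="row"><?php 
        _e('Prevent Image Hotlinking', 'aiowpsecurity');
        ?>
:</th>                
                <td>
                <input name="aiowps_prevent_hotlinking" type="checkbox"<?php 
        if ($aio_wp_security->configs->get_value('aiowps_prevent_hotlinking') == '1') {
            echo ' checked="checked"';
        }
        ?>
 value="1"/>
                <span class="description"><?php 
        _e('Check this if you want to prevent hotlinking to images on your site.', 'aiowpsecurity');
        ?>
</span>
                </td>
            </tr>            
        </table>
        <input type="submit" name="aiowps_save_prevent_hotlinking" value="<?php 
        _e('Save Settings', 'aiowpsecurity');
        ?>
" class="button-primary" />
        </form>
        </div></div>
    <?php 
    }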
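    /**
     * Renders the ".htaccess File Operations" tab and handles its two forms.
     *
     * Backup (aiowps_save_htaccess): after the nonce check the active
     * ABSPATH/.htaccess is backed up via backup_and_rename_htaccess() and the
     * resulting .htaccess.backup in the plugin backup directory is renamed to
     * <random>_htaccess_backup.txt.
     *
     * Restore (aiowps_restore_htaccess_button): after the nonce check the file
     * named in aiowps_htaccess_file is copied over ABSPATH/.htaccess, but only
     * when it resolves to a regular file inside the plugin backup directory and
     * check_if_htaccess_contents() accepts its contents.
     *
     * Finally the forms and the contents of the active .htaccess are echoed.
     * On a multisite install, the forms are hidden on all but the main site.
     */
    function render_tab2()
    {
        global $aio_wp_security;
        if (isset($_POST['aiowps_save_htaccess'])) {
            //A missing nonce is treated like an invalid one instead of raising a notice
            $nonce = isset($_REQUEST['_wpnonce']) ? $_REQUEST['_wpnonce'] : '';
            if (!wp_verify_nonce($nonce, 'aiowpsec-save-htaccess-nonce')) {
                $aio_wp_security->debug_logger->log_debug("Nonce check failed on htaccess file save!", 4);
                die("Nonce check failed on htaccess file save!");
            }
            $htaccess_path = ABSPATH . '.htaccess';
            //Backup the htaccess file
            $result = AIOWPSecurity_Utility_File::backup_and_rename_htaccess($htaccess_path);
            if ($result) {
                //Give the backup a random, non-guessable name inside the backup directory
                $random_prefix = AIOWPSecurity_Utility::generate_alpha_numeric_random_string(10);
                $aiowps_backup_dir = WP_CONTENT_DIR . '/' . AIO_WP_SECURITY_BACKUPS_DIR_NAME;
                if (rename($aiowps_backup_dir . '/' . '.htaccess.backup', $aiowps_backup_dir . '/' . $random_prefix . '_htaccess_backup.txt')) {
                    echo '<div id="message" class="updated fade"><p>';
                    _e('Your .htaccess file was successfully backed up! Using an FTP program go to the "/wp-content/aiowps_backups" directory to save a copy of the file to your computer.', 'aiowpsecurity');
                    echo '</p></div>';
                } else {
                    $aio_wp_security->debug_logger->log_debug("htaccess file rename failed during backup!", 4);
                    $this->show_msg_error(__('htaccess file rename failed during backup. Please check your root directory for the backup file using FTP.', 'aiowpsecurity'));
                }
            } else {
                $aio_wp_security->debug_logger->log_debug("htaccess - Backup operation failed!", 4);
                $this->show_msg_error(__('htaccess backup failed.', 'aiowpsecurity'));
            }
        }
        if (isset($_POST['aiowps_restore_htaccess_button'])) {
            //A missing nonce is treated like an invalid one instead of raising a notice
            $nonce = isset($_REQUEST['_wpnonce']) ? $_REQUEST['_wpnonce'] : '';
            if (!wp_verify_nonce($nonce, 'aiowpsec-restore-htaccess-nonce')) {
                $aio_wp_security->debug_logger->log_debug("Nonce check failed on htaccess file restore!", 4);
                die("Nonce check failed on htaccess file restore!");
            }
            if (empty($_POST['aiowps_htaccess_file'])) {
                $this->show_msg_error(__('Please choose a .htaccess to restore from.', 'aiowpsecurity'));
            } else {
                //Let's copy the chosen backup file into the active root file
                $new_htaccess_file_path = trim($_POST['aiowps_htaccess_file']);
                //The path comes straight from the request. Only accept a regular file
                //that really lives inside the plugin's own backup directory (where the
                //backup form above puts its files), so this form cannot be used to copy
                //arbitrary server-readable files over the active .htaccess.
                $aiowps_backup_dir = WP_CONTENT_DIR . '/' . AIO_WP_SECURITY_BACKUPS_DIR_NAME;
                $real_backup_dir = realpath($aiowps_backup_dir);
                $real_restore_file = realpath($new_htaccess_file_path);
                $is_inside_backup_dir = $real_backup_dir !== false && $real_restore_file !== false
                    && is_file($real_restore_file)
                    && strpos($real_restore_file, $real_backup_dir . DIRECTORY_SEPARATOR) === 0;
                if (!$is_inside_backup_dir) {
                    $aio_wp_security->debug_logger->log_debug("htaccess restore failed - Restore file is not inside the plugin backup directory!", 4);
                    $this->show_msg_error(__('htaccess Restore operation failed! The file to restore from must be located in the plugin backup directory.', 'aiowpsecurity'));
                } else {
                    //Verify that file chosen has contents which are relevant to .htaccess file
                    $is_htaccess = AIOWPSecurity_Utility_Htaccess::check_if_htaccess_contents($real_restore_file);
                    if ($is_htaccess == 1) {
                        $active_root_htaccess = ABSPATH . '.htaccess';
                        if (!copy($real_restore_file, $active_root_htaccess)) {
                            //Failed to copy the backup over the active .htaccess
                            $aio_wp_security->debug_logger->log_debug("htaccess - Restore from .htaccess operation failed!", 4);
                            $this->show_msg_error(__('htaccess file restore failed. Please attempt to restore the .htaccess manually using FTP.', 'aiowpsecurity'));
                        } else {
                            $this->show_msg_updated(__('Your .htaccess file has successfully been restored!', 'aiowpsecurity'));
                        }
                    } else {
                        $aio_wp_security->debug_logger->log_debug("htaccess restore failed - Contents of restore file appear invalid!", 4);
                        $this->show_msg_error(__('htaccess Restore operation failed! Please check the contents of the file you are trying to restore from.', 'aiowpsecurity'));
                    }
                }
            }
        }
        ?>
        <h2><?php 
        _e('.htaccess File Operations', 'aiowpsecurity');
        ?>
</h2>
        <div class="aio_blue_box">
            <?php 
        echo '<p>' . __('Your ".htaccess" file is a key component of your website\'s security and it can be modified to implement various levels of protection mechanisms.', 'aiowpsecurity') . '
            <br />' . __('This feature allows you to backup and save your currently active .htaccess file should you need to re-use the the backed up file in the future.', 'aiowpsecurity') . '
            <br />' . __('You can also restore your site\'s .htaccess settings using a backed up .htaccess file.', 'aiowpsecurity') . '    
            </p>';
        ?>
        </div>
        <?php 
        if (AIOWPSecurity_Utility::is_multisite_install() && get_current_blog_id() != 1) {
            //Hide config settings if MS and not main site
            AIOWPSecurity_Utility::display_multisite_message();
        } else {
            ?>
        <div class="postbox">
        <h3><label for="title"><?php 
            _e('Save the current .htaccess file', 'aiowpsecurity');
            ?>
</label></h3>
        <div class="inside">
        <form action="" method="POST">
        <?php 
            wp_nonce_field('aiowpsec-save-htaccess-nonce');
            ?>
            <p class="description"><?php 
            _e('Click the button below to backup and save the currently active .htaccess file.', 'aiowpsecurity');
            ?>
</p>
            <input type="submit" name="aiowps_save_htaccess" value="<?php 
            _e('Backup .htaccess File', 'aiowpsecurity');
            ?>
" class="button-primary" />
        </form>
        </div></div>
        <div class="postbox">
        <h3><label for="title"><?php 
            _e('Restore from a backed up .htaccess file', 'aiowpsecurity');
            ?>
</label></h3>
        <div class="inside">
        <form action="" method="POST">
        <?php 
            wp_nonce_field('aiowpsec-restore-htaccess-nonce');
            ?>
        <table class="form-table">
            <tr valign="top">
                <th scope="row"><?php 
            _e('.htaccess file to restore from', 'aiowpsecurity');
            ?>
:</th>
                <td>
                    <input type="button" id="aiowps_htaccess_file_button" name="aiowps_htaccess_file_button" class="button rbutton" value="Select Your htaccess File" />
                    <input name="aiowps_htaccess_file" type="text" id="aiowps_htaccess_file" value="" size="80" />
                    <p class="description">
                        <?php 
            _e('After selecting your file, click the button below to restore your site using the backed up htaccess file (htaccess_backup.txt).', 'aiowpsecurity');
            ?>
                    </p>
                </td>
            </tr>            
        </table>
        <input type="submit" name="aiowps_restore_htaccess_button" value="<?php 
            _e('Restore .htaccess File', 'aiowpsecurity');
            ?>
" class="button-primary" />
        </form>
        </div></div>
        <div class="postbox">
        <h3><label for="title"><?php 
            _e('View Contents of the currently active .htaccess file', 'aiowpsecurity');
            ?>
</label></h3>
        <div class="inside">
            <?php 
            $ht_file = ABSPATH . '.htaccess';
            $ht_contents = AIOWPSecurity_Utility_File::get_file_contents($ht_file);
            ?>
            <textarea class="aio_text_area_file_output aio_half_width aio_spacer_10_tb" rows="15" readonly><?php 
            //Escape for the textarea context: a "</textarea>" inside the file would
            //otherwise break out of the element and be rendered as markup
            echo esc_textarea($ht_contents);
            ?>
</textarea>
        </div></div>

        <?php 
        }
        // End if statement
    }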