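/**
 * Records a post status transition in the audit trail.
 *
 * The (new status, old status, post) signature matches WordPress's
 * "transition_post_status" action, which is presumably where this is hooked.
 * Nothing is recorded for values that are not a WP_Post, for ignored post
 * types, or for the transient "auto-draft" / "inherit" statuses.
 *
 * Changes from the original: strict string comparisons (in_array(..., true),
 * ===), the nested if/else chain flattened to elseif, and the redundant
 * "$sNewStatus != 'trash'" guard (already implied by the first branch) dropped.
 *
 * @param string  $sNewStatus
 * @param string  $sOldStatus
 * @param WP_Post $oPost
 * @return void  the original docblock said bool, but nothing is ever returned
 */
 public function auditPostStatus($sNewStatus, $sOldStatus, $oPost)
 {
     if (!$oPost instanceof WP_Post
         || $this->getIsIgnoredPostType($oPost)
         || in_array($sNewStatus, array('auto-draft', 'inherit'), true)) {
         return;
     }

     // Order matters: a move into the trash wins over everything else, then a
     // move out of it, then (un)publishing, and finally a plain update.
     if ($sNewStatus === 'trash') {
         $sEvent = 'post_trashed';
         $sHumanEvent = _wpsf__('moved to trash');
     } elseif ($sOldStatus === 'trash') {
         // $sNewStatus cannot be 'trash' in this branch.
         $sEvent = 'post_recovered';
         $sHumanEvent = _wpsf__('recovered from trash');
     } elseif (in_array($sNewStatus, array('publish', 'private'), true)) {
         $sEvent = 'post_published';
         $sHumanEvent = _wpsf__('published');
     } elseif ($sNewStatus === 'draft' && in_array($sOldStatus, array('publish', 'private'), true)) {
         $sEvent = 'post_unpublished';
         $sHumanEvent = _wpsf__('unpublished');
     } else {
         $sEvent = 'post_updated';
         $sHumanEvent = _wpsf__('updated');
     }

     // NOTE(review): post_title is stored in the audit trail as-is; whatever
     // renders these entries must escape them for its own output context.
     $oAuditTrail = $this->getAuditTrailEntries();
     $oAuditTrail->add('posts', $sEvent, 1, sprintf(_wpsf__('Post entitled "%s" was %s.'), $oPost->post_title, $sHumanEvent));
 }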
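 /**
  * Enforces a minimum interval ("cooldown") between login attempts.
  *
  * Intended as a callback on WordPress's "authenticate" filter, registered
  * ahead of core's wp_authenticate_username_password. That core callback is
  * unhooked below at priority 20 - the priority remove_filter() must match for
  * the removal to take effect - so the original comment's "theirs is 30, go in
  * around 20" did not agree with the code and has been corrected here.
  *
  * Outside the cooldown window the attempt is passed through and the
  * last-login marker is refreshed. Inside the window, core's username/password
  * authenticator is unhooked (so the WP_Error returned here is what the login
  * process sees, rather than a freshly authenticated user), a WP_Error carrying
  * the 'wpsf_logininterval' code is returned, and the visitor's IP is flagged
  * for black-marking.
  *
  * @param null|WP_User|WP_Error $oUserOrError  value travelling along the filter chain
  * @param string                $sUsername     empty when no login was attempted
  * @return null|WP_User|WP_Error  $oUserOrError untouched, or a WP_Error
  */
 public function checkLoginInterval($oUserOrError, $sUsername)
 {
     // No credentials were submitted, so there is nothing to rate-limit.
     if (empty($sUsername)) {
         return $oUserOrError;
     }

     if (!$this->getIsWithinCooldownPeriod()) {
         // NOTE(review): the marker is refreshed on every attempt, not only on
         // success, and nothing here shows whether it is keyed per user or per
         // IP. If it is global, a steady stream of failed attempts keeps every
         // other visitor in cooldown - confirm the scope of the helpers.
         $this->updateLastLoginTime();
         $this->doStatIncrement('login.cooldown.success');
         return $oUserOrError;
     }

     // Within the cooldown window: refuse this attempt.
     $this->doStatIncrement('login.cooldown.fail');

     // Core's username/password authenticator lives in wp-includes/user.php.
     // NOTE(review): only that one callback is removed; any other authenticator
     // on the "authenticate" filter (e.g. email-based login on newer cores) is
     // not - verify against the WordPress version in use.
     remove_filter('authenticate', 'wp_authenticate_username_password', 20);

     $oWp = $this->loadWpFunctionsProcessor();
     $nSecondsRemaining = $this->getLoginCooldownInterval() - $this->getSecondsSinceLastLoginTime();
     $sAttemptType = $oWp->getIsLoginRequest() ? _wpsf__('login') : _wpsf__('register');
     $sErrorString = _wpsf__("Login Cooldown in effect.") . ' '
         . sprintf(_wpsf__("You must wait %s seconds before attempting to %s again."), $nSecondsRemaining, $sAttemptType);

     if (!is_wp_error($oUserOrError)) {
         $oUserOrError = new WP_Error();
     }
     $oUserOrError->add('wpsf_logininterval', $sErrorString);

     // Flag this visitor's IP for the plugin's black-mark handling.
     add_filter($this->getFeatureOptions()->doPluginPrefix('ip_black_mark'), '__return_true');
     return $oUserOrError;
 }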
 /**
  * Mitigation for the "64KB comment" stored XSS described at
  * http://klikki.fi/adv/wordpress2.html: the advisory describes comments that
  * exceed the 64KB storage limit being truncated on insert, leaving broken
  * markup that slips past sanitisation. Any comment that long is HTML-escaped
  * in full and prefixed with a notice naming this plugin.
  *
  * strlen() (bytes, not characters) is deliberate here: the limit being
  * guarded is a byte limit, so mb_strlen() would be the wrong measure.
  *
  * @param string $sCommentContent  raw comment text (e.g. from a comment pre-processing filter)
  * @return string  the original text, or the escaped/annotated replacement
  */
 public function secXss64kb($sCommentContent)
 {
     $nLimitBytes = 64 * 1024; // 65536: ">= limit" is the same test as "> 65535"
     if (strlen($sCommentContent) < $nLimitBytes) {
         return $sCommentContent;
     }
     $sPluginName = $this->getController()->getHumanName();
     return sprintf(
         _wpsf__('%s escaped HTML the following comment due to its size: %s'),
         $sPluginName,
         esc_html($sCommentContent)
     );
 }
 /**
  * Renders the "Site Secured" plugin badge widget.
  *
  * The badge markup comes from the 'plugin_badge_widget' PHP snippet template
  * and is built only from the plugin's own name and logo URL (no user data).
  * The result is handed to standardRender() with the sidebar arguments.
  *
  * @param array $aWidgetArguments  sidebar arguments supplied by WordPress
  * @param array $aWidgetInstance   widget instance settings (not used here)
  */
 public function widget($aWidgetArguments, $aWidgetInstance)
 {
     $oController = self::$oFeatureOptions->getController();
     $sTemplateDir = $oController->getPath_Templates() . 'php';
     $oRenderer = self::$oFeatureOptions->loadRenderer($sTemplateDir);

     $aTemplateVars = array(
         'strings' => array('plugin_name' => $oController->getHumanName()),
         'hrefs'   => array('img_src' => $oController->getPluginUrl_Image('pluginlogo_32x32.png')),
     );

     $sBadgeHtml = $oRenderer
         ->setRenderVars($aTemplateVars)
         ->setTemplate('snippets' . ICWP_DS . 'plugin_badge_widget')
         ->setTemplateEnginePhp()
         ->render();

     $this->standardRender($aWidgetArguments, _wpsf__('Site Secured'), $sBadgeHtml);
 }
        /**
         * Admin notice inviting the administrator to join the plugin's mailing list.
         *
         * Shown only when admin notices are enabled and the plugin has been installed
         * for at least 5 days. The rendered form posts the entered name and email
         * directly to a third-party list provider ('form_action' below, a
         * protocol-relative list-manage.com URL); this code sends nothing itself.
         *
         * @see autoAddToAdminNotices()
         * @param array $aNoticeAttributes
         */
        protected function addNotice_plugin_mailing_list_signup($aNoticeAttributes)
        {
            $nInstalledDays = $this->getInstallationDays();
            if (!$this->getIfShowAdminNotices() || $nInstalledDays < 5) {
                return;
            }

            $aStrings = array(
                'yes'          => "Yes please! I'd love to join in and learn more",
                'no'           => "No thanks, I'm not interested in such groups",
                'we_dont_spam' => "( Fear not! SPAM is for losers. And we're not losers! )",
                'your_name'    => _wpsf__('Your Name'),
                'your_email'   => _wpsf__('Your Email'),
                'dismiss'      => "No thanks, I'm not interested in such informative groups",
                'summary'      => 'The WordPress Simple Firewall team is running an initiative (with currently 1500+ members) to raise awareness of WordPress Security
				and to provide further help with the WordPress Simple Firewall plugin. Get Involved here:',
            );
            $this->insertAdminNotice(array(
                'notice_attributes' => $aNoticeAttributes,
                'strings'           => $aStrings,
                'hrefs'             => array('form_action' => '//hostliketoast.us2.list-manage.com/subscribe/post?u=e736870223389e44fb8915c9a&id=0e1d527259'),
                'install_days'      => $nInstalledDays,
            ));
        }
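 /**
  * Writes an audit-trail entry when a plugin file is edited through the
  * built-in WordPress file editor.
  *
  * $sAction is expected to be "edit-plugin_<file>"; anything else is ignored.
  * Fix: the file name is now everything after that prefix. The previous
  * str_replace() stripped every occurrence of "edit-plugin_", so a file whose
  * own name contained that text was logged incorrectly.
  *
  * @param string  $sAction
  * @param boolean $bResult  outcome of the edit (currently not recorded)
  * @return void
  */
 public function auditEditedPluginFile($sAction, $bResult)
 {
     $sStub = 'edit-plugin_';
     if (strpos($sAction, $sStub) !== 0) {
         return;
     }
     // Strip only the leading prefix; the remainder is the edited file's path.
     // (string) keeps the pre-PHP-8 substr() "false" for an empty remainder as ''.
     $sFileName = (string) substr($sAction, strlen($sStub));

     // NOTE(review): $bResult is ignored, so the entry says "an attempt was
     // made" whether or not the write succeeded.
     $oAuditTrail = $this->getAuditTrailEntries();
     $oAuditTrail->add('plugins', 'file_edited', 2, sprintf(_wpsf__('An attempt was made to edit the plugin file "%s" directly through the WordPress editor.'), $sFileName));
 }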
 /**
  * Detects hosting/PHP set-ups on which the request URI cannot be parsed,
  * which the login-URL change depends on.
  *
  * When the parts are unavailable (false, or no 'path' component) an
  * error-level admin notice is raised saying the login URL was left unchanged.
  *
  * @return bool  true when the configuration is unsupported (notice raised), false otherwise
  */
 protected function checkForUnsupportedConfiguration()
 {
     $aUriParts = $this->loadDataProcessor()->getRequestUriParts();
     $bCanParse = ($aUriParts !== false) && !empty($aUriParts['path']);
     if ($bCanParse) {
         return false;
     }

     $sNotice = sprintf(
         '<strong>%s</strong>: %s',
         _wpsf__('Warning'),
         _wpsf__('Your login URL is unchanged because your current hosting/PHP configuration cannot parse the necessary information.')
     );
     $this->loadAdminNoticesProcessor()->addRawAdminNotice($sNotice, 'error');
     return true;
 }
 /**
  * Admin notice shown when Akismet is active alongside this plugin's human
  * anti-spam filter, offering a one-click deactivation link for Akismet.
  *
  * Only shown inside a valid admin area and only while the
  * 'enable_comments_human_spam_filter' option is 'Y'.
  *
  * @param array $aNoticeAttributes
  */
 protected function addNotice_akismet_running($aNoticeAttributes)
 {
     $bHumanFilterOn = $this->getIsOption('enable_comments_human_spam_filter', 'Y');
     if (!$bHumanFilterOn || !$this->getController()->getIsValidAdminArea()) {
         return;
     }

     $oWp = $this->loadWpFunctionsProcessor();
     $sAkismetFile = $oWp->getIsPluginActive('Akismet');
     if (!$sAkismetFile) {
         return;
     }

     // The "the our" wording in the first string is a typo in the source text;
     // it is kept verbatim because changing it would orphan existing translations.
     $aStrings = array(
         'appears_running_akismet' => _wpsf__('It appears you have Akismet Anti-SPAM running alongside the our human Anti-SPAM filter.'),
         'not_recommended'         => _wpsf__('This is not recommended and you should disable Akismet.'),
         'click_to_deactivate'     => _wpsf__('Click to deactivate Akismet now.'),
     );
     $this->insertAdminNotice(array(
         'notice_attributes' => $aNoticeAttributes,
         'strings'           => $aStrings,
         'hrefs'             => array('deactivate' => $oWp->getPluginDeactivateLink($sAkismetFile)),
     ));
 }
/**
 * Echoes the options-page header: a logo link plus the plugin title,
 * optionally prefixed with the current section ("Section :: Title").
 *
 * NOTE(review): both $insSection and the title are emitted as raw HTML (the
 * title intentionally contains an <a> element). Callers must only pass
 * trusted, already-escaped markup in $insSection - never request input.
 *
 * @param string $insSection  section label shown before the title, or '' for none
 * @return void
 */
function printOptionsPageHeader($insSection = '')
{
    $sIcwpLink = '<a href="http://icwp.io/3a" target="_blank">iControlWP</a>';

    echo '<div class="page-header">';
    echo '<h2><a id="pluginlogo_32" class="header-icon32" href="http://icwp.io/2k" target="_blank"></a>';

    $sTitle = sprintf(_wpsf__('WordPress Simple Firewall (from %s)'), $sIcwpLink);
    if (!empty($insSection)) {
        $sTitle = sprintf('%s :: %s', $insSection, $sTitle);
    }
    echo $sTitle;

    echo '</h2></div>';
}
 /**
  * Audit-trail entry (context 'users', severity 2) for a deleted WordPress user.
  *
  * Looks up the deleted user and, when posts were reassigned, the receiving
  * user, and records the login name, email address and reassignment target.
  * A failed lookup of the deleted user is reported as "unknown".
  *
  * @param int $nUserId      ID of the deleted user; nothing is recorded when empty
  * @param int $nReassigned  ID of the user the posts went to, or empty when not reassigned
  */
 public function auditDeleteUser($nUserId, $nReassigned)
 {
     if (empty($nUserId)) {
         return;
     }
     $oWpUsers = $this->loadWpUsersProcessor();
     $oDeleted = $oWpUsers->getUserById($nUserId);
     $oTarget = empty($nReassigned) ? null : $oWpUsers->getUserById($nReassigned);

     $sLogin = empty($oDeleted) ? 'unknown' : $oDeleted->get('user_login');
     $sEmail = empty($oDeleted) ? 'unknown' : $oDeleted->get('user_email');

     $aParts = array(
         _wpsf__('WordPress user deleted.'),
         sprintf(_wpsf__('Username was "%s" with email address "%s".'), $sLogin, $sEmail),
     );
     if (empty($oTarget)) {
         $aParts[] = _wpsf__('Their posts were not reassigned to another user.');
     } else {
         $aParts[] = sprintf(_wpsf__('Their posts were reassigned to user "%s".'), $oTarget->get('user_login'));
     }

     $oAuditTrail = $this->getAuditTrailEntries();
     $oAuditTrail->add('users', 'user_deleted', 2, implode(' ', $aParts));
 }
 /**
  * Supplies the display strings (name, summary, description) for each option
  * key of the statistics feature.
  *
  * Each case yields a (name, summary, description) triple that is written back
  * into the option definition. An unknown key means the options definition
  * and this method have drifted apart, and raises an Exception.
  *
  * @param array $aOptionsParams  option definition; 'key' selects the strings
  * @return array  the definition with 'name', 'summary' and 'description' set
  * @throws Exception  when 'key' has no strings here
  */
 protected function loadStrings_Options($aOptionsParams)
 {
     $sKey = $aOptionsParams['key'];
     switch ($sKey) {
         case 'enable_statistics':
             $sFeature = $this->getMainFeatureName();
             $aStrings = array(
                 sprintf(_wpsf__('Enable %s'), $sFeature),
                 sprintf(_wpsf__('Enable (or Disable) The %s Feature'), $sFeature),
                 sprintf(_wpsf__('Checking/Un-Checking this option will completely turn on/off the whole %s feature.'), $sFeature),
             );
             break;
         case 'enable_stats_sharing':
             // Opt-in to sending usage statistics off-site; the wording is the
             // only description of what is shared that is visible here.
             $aStrings = array(
                 _wpsf__('Enable Statistic Sharing'),
                 _wpsf__('The plugin will share its statistics to allow for global data gathering and analysis'),
                 _wpsf__('Sharing the statistics garnered from the plugin will help show how effective we are and areas we can improve.'),
             );
             break;
         default:
             throw new Exception(sprintf('An option has been defined but without strings assigned to it. Option key: "%s".', $sKey));
     }

     list($aOptionsParams['name'], $aOptionsParams['summary'], $aOptionsParams['description']) = $aStrings;
     return $aOptionsParams;
 }
 /**
  * Supplies the display strings (name, summary, description) for each option
  * key of the email/reporting settings.
  *
  * Each case yields a (name, summary, description) triple that is written back
  * into the option definition. An unknown key means the options definition
  * and this method have drifted apart, and raises an Exception.
  *
  * @param array $aOptionsParams  option definition; 'key' selects the strings
  * @return array  the definition with 'name', 'summary' and 'description' set
  * @throws Exception  when 'key' has no strings here
  */
 protected function loadStrings_Options($aOptionsParams)
 {
     $sKey = $aOptionsParams['key'];
     switch ($sKey) {
         case 'block_send_email_address':
             $aStrings = array(
                 _wpsf__('Report Email'),
                 _wpsf__('Where to send email reports'),
                 _wpsf__('If this is empty, it will default to the blog admin email address.'),
             );
             break;
         case 'send_email_throttle_limit':
             // Per-second cap on outbound alert mail; 0 disables the cap, which
             // leaves the site open to mail floods during a bot attack.
             $aStrings = array(
                 _wpsf__('Email Throttle Limit'),
                 _wpsf__('Limit Emails Per Second'),
                 _wpsf__('You throttle emails sent by this plugin by limiting the number of emails sent every second. This is useful in case you get hit by a bot attack. Zero (0) turns this off. Suggested: 10'),
             );
             break;
         default:
             throw new Exception(sprintf('An option has been defined but without strings assigned to it. Option key: "%s".', $sKey));
     }

     list($aOptionsParams['name'], $aOptionsParams['summary'], $aOptionsParams['description']) = $aStrings;
     return $aOptionsParams;
 }
 /**
  * Inserts a new entry into the manually-maintained IP white list.
  *
  * The row holds the address (or CIDR range, detected by a "/" in the
  * string), its IP version, the label (defaulting to "No Label"), a zero
  * transgression count and the creation time.
  *
  * NOTE(review): $sIp is stored exactly as given - no validation happens here.
  * Callers must make sure it is a well-formed address or range before calling,
  * since a white-list entry presumably exempts that address from blocking.
  *
  * @param string $sIp     IP address or CIDR range
  * @param string $sLabel  optional human-readable label
  * @return array|bool|int  the inserted row on success; otherwise the raw insertData() result
  */
 protected function query_addNewManualWhiteListIp($sIp, $sLabel = '')
 {
     $oDp = $this->loadDataProcessor();
     $aRow = array(
         'ip'             => $sIp,
         'label'          => empty($sLabel) ? _wpsf__('No Label') : $sLabel,
         'list'           => self::LIST_MANUAL_WHITE,
         'ip6'            => $oDp->getIpAddressVersion($sIp) == 6,
         'transgressions' => 0,
         'is_range'       => strpos($sIp, '/') !== false,
         'last_access_at' => 0,
         'created_at'     => $this->time(),
     );

     $mInsertResult = $this->insertData($aRow);
     return $mInsertResult ? $aRow : $mInsertResult;
 }
 /**
  * "Post-update" admin notice reminding admins that new features are not
  * switched on automatically.
  *
  * When the notice has been dismissed, the current plugin version is stored in
  * the user's prefixed 'post-plugin-update' meta key so it stays hidden. The
  * wording differs for fresh installs (at most 1 day old) and upgrades.
  *
  * @see autoAddToAdminNotices()
  * @param array $aNoticeAttributes
  */
 protected function addNotice_post_plugin_update($aNoticeAttributes)
 {
     $oFO = $this->getFeatureOptions();
     $oWpUsers = $this->loadWpUsersProcessor();
     $sMetaKey = $oFO->doPluginPrefix('post-plugin-update');

     if ($this->loadAdminNoticesProcessor()->getAdminNoticeIsDismissed('post-plugin-update')) {
         // Dismissed: remember the version so the notice does not reappear.
         $oWpUsers->updateUserMeta($sMetaKey, $oFO->getVersion());
         return;
     }
     if (!$this->getIfShowAdminNotices()) {
         return;
     }

     $sPluginName = $this->getController()->getHumanName();
     $bFreshInstall = $this->getInstallationDays() <= 1;
     if ($bFreshInstall) {
         $sBody = sprintf(_wpsf__("The %s plugin does not automatically turn on certain features when you install."), $sPluginName);
     } else {
         $sBody = sprintf(_wpsf__("The %s plugin has been recently upgraded, but please remember that new features may not be automatically enabled."), $sPluginName);
     }
     $sMessage = sprintf(_wpsf__("Notice - %s"), $sBody);

     $this->insertAdminNotice(array(
         'notice_attributes' => $aNoticeAttributes,
         'strings'           => array(
             'main_message'  => $sMessage,
             'read_homepage' => _wpsf__('Click to read about any important updates from the plugin home page.'),
             'link_title'    => $sPluginName,
             'dismiss'       => _wpsf__('Dismiss this notice'),
         ),
         'hrefs' => array('read_homepage' => 'http://icwp.io/27'),
     ));
 }
 /**
  * Blocks author-ID based username discovery.
  *
  * When 'block_author_discovery' is 'Y', an anonymous request carrying a
  * non-empty "author" GET parameter (e.g. ?author=1, which WordPress's
  * canonical redirect would normally turn into /author/<login>/) is stopped
  * with wp_die(). Logged-in users are exempt.
  *
  * Only the GET "author" parameter is examined, and because the test is
  * empty(), "?author=0" passes through. Other enumeration routes (author_name,
  * REST user endpoints on newer cores) are not covered here -
  * NOTE(review): confirm they are handled elsewhere if that matters.
  *
  * NOTE(review): the "Learn More." anchor has an empty href in the source;
  * the documentation URL was not available here to fill it in.
  *
  * @uses wp_die()
  */
 public function interceptCanonicalRedirects()
 {
     $oDp = $this->loadDataProcessor();
     if (!$this->getIsOption('block_author_discovery', 'Y') || is_user_logged_in()) {
         return;
     }
     $sAuthorParam = $oDp->FetchGet('author', '');
     if (empty($sAuthorParam)) {
         return;
     }

     $sReason = sprintf(
         _wpsf__('The "author" query parameter has been blocked by %s to protect against user login name fishing.') . '<br /><a href="" target="_blank">' . _wpsf__('Learn More.') . '</a>',
         $this->getController()->getHumanName()
     );
     $this->loadWpFunctionsProcessor()->wpDie($sReason);
 }
<?php

// Feature definition for "Hack Protection", returned as a YAML document built
// with sprintf(). The feature is auto-enabled, has no menu item, and keeps its
// few options in the hidden 'section_non_ui' section.
//
// NOTE(review): the translated feature name is interpolated into a
// single-quoted YAML scalar. A translation containing an apostrophe would
// break the document, so names must not contain "'" (or should be escaped
// for YAML before interpolation).
//
// 'plugin_vulnerabilities_data_source' is an immutable HTTPS URL to a
// vulnerabilities.yaml on GitHub. Nothing visible here verifies a signature
// on that feed, so its integrity rests on TLS to raw.githubusercontent.com.
return sprintf("---\nslug: 'hack_protect'\nproperties:\n  name: '%s'\n  show_feature_menu_item: false\n  storage_key: 'hack_protect' # should correspond exactly to that in the plugin.yaml\n  auto_enabled: true\n# Options Sections\nsections:\n  -\n    slug: 'section_non_ui'\n    hidden: true\n\n# Define Options\noptions:\n  -\n    key: 'current_plugin_version'\n    section: 'section_non_ui'\n  -\n    key: 'plugin_vulnerabilities_data_source'\n    value: 'https://raw.githubusercontent.com/FernleafSystems/wp-plugin-vulnerabilities/master/vulnerabilities.yaml'\n    immutable: true\n    section: 'section_non_ui'\n  -\n    key: 'notifications_cron_name'\n    default: 'plugin-vulnerabilities-notification'\n    section: 'section_non_ui'\n", _wpsf__('Hack Protection'));
 /**
  * Text shown in the plugins-list update row for this plugin.
  *
  * The incoming message is discarded and replaced with a fixed upgrade prompt.
  *
  * @param string $sMessage  WordPress's default update message (ignored)
  * @return string
  */
 public function getPluginsListUpdateMessage($sMessage)
 {
     $sPrompt = _wpsf__('Upgrade Now To Keep Your Firewall Up-To-Date With The Latest Features.');
     return $sPrompt;
 }
 /**
  * Emails a "page visit blocked" alert for the current request to $sRecipient.
  *
  * The body lists the visitor's IP, the raw audit messages gathered for this
  * request (each prefixed with "- ") and a third-party IP lookup link.
  *
  * NOTE(review): $sIp comes from getVisitorIpAddress(true). If that helper
  * honours proxy headers such as X-Forwarded-For, the value is attacker-supplied
  * and is placed unencoded into the lookup URL and the email body - confirm it
  * is validated as an IP address before being trusted here.
  *
  * @param string $sRecipient
  * @return bool  whatever the email processor reports for the send
  */
 protected function sendBlockEmail($sRecipient)
 {
     $sIp = $this->loadDataProcessor()->getVisitorIpAddress(true);
     $sPluginName = $this->getController()->getHumanName();

     $aLines = array(
         sprintf(_wpsf__('%s has blocked a page visit to your site.'), $sPluginName),
         _wpsf__('Log details for this visitor are below:'),
         '- ' . sprintf(_wpsf__('IP Address: %s'), $sIp),
     );
     $aLines = array_merge($aLines, $this->getRawAuditMessage('- '));
     // TODO: Get audit trail messages
     $aLines[] = sprintf(_wpsf__('You can look up the offending IP Address here: %s'), 'http://ip-lookup.net/?ip=' . $sIp);

     $sSubject = sprintf(_wpsf__('Firewall Block Email Alert for %s'), $this->loadWpFunctionsProcessor()->getHomeUrl());
     $bSent = $this->getEmailProcessor()->sendEmailTo($sRecipient, $sSubject, $aLines);
     return $bSent;
 }
<?php

// Feature definition for "Automatic Updates", returned as a YAML document built
// with sprintf(); the two %s placeholders receive the translated name and tagline.
//
// NOTE(review): both translated strings land inside single-quoted YAML scalars,
// so a translation containing an apostrophe would break the document.
//
// Defaults worth knowing when reviewing an install:
//  - enable_autoupdates 'Y', enable_autoupdate_disable_all 'N'
//  - autoupdate_plugin_self 'Y'  - the security plugin updates itself; the
//    trust boundary is whatever update channel WordPress uses for it
//  - autoupdate_core 'core_minor' (never / minor only / major and minor)
//  - plugins 'N', themes 'N', translations 'Y'
//  - enable_autoupdate_ignore_vcs 'N' - presumably controls whether updates
//    proceed even when WordPress detects a version-control checkout; confirm
//    in the implementing code
//  - enable_upgrade_notification_email '' (unset), override_email_address ''
//  - action_hook_priority 1000 (hidden, non-UI)
return sprintf("---\nslug: 'autoupdates'\nproperties:\n  name: '%s'\n  show_feature_menu_item: true\n  storage_key: 'autoupdates' # should correspond exactly to that in the plugin.yaml\n  tagline: '%s'\n# Options Sections\nsections:\n  -\n    slug: 'section_enable_plugin_feature_automatic_updates_control'\n    primary: true\n  -\n    slug: 'section_disable_all_wordpress_automatic_updates'\n  -\n    slug: 'section_automatic_plugin_self_update'\n  -\n    slug: 'section_automatic_updates_for_wordpress_components'\n  -\n    slug: 'section_automatic_update_email_notifications'\n  -\n    slug: 'section_non_ui'\n    hidden: true\n\n# Define Options and assign to section slug\noptions:\n  -\n    key: 'enable_autoupdates'\n    section: 'section_enable_plugin_feature_automatic_updates_control'\n    default: 'Y'\n    type: 'checkbox'\n    link_info: 'http://icwp.io/3w'\n    link_blog: ''\n  -\n    key: 'enable_autoupdate_disable_all'\n    section: 'section_disable_all_wordpress_automatic_updates'\n    default: 'N'\n    type: 'checkbox'\n    link_info: 'http://icwp.io/3v'\n    link_blog: ''\n  -\n    key: 'autoupdate_plugin_self'\n    section: 'section_automatic_plugin_self_update'\n    default: 'Y'\n    type: 'checkbox'\n    link_info: 'http://icwp.io/3u'\n    link_blog: ''\n  -\n    key: 'autoupdate_core'\n    section: 'section_automatic_updates_for_wordpress_components'\n    default: 'core_minor'\n    type: 'select'\n    value_options:\n      -\n        value_key: 'core_never'\n        text: 'Never'\n      -\n        value_key: 'core_minor'\n        text: 'Minor Versions Only'\n      -\n        value_key: 'core_major'\n        text: 'Major and Minor Versions'\n    link_info: 'http://icwp.io/3x'\n    link_blog: ''\n  -\n    key: 'enable_autoupdate_plugins'\n    section: 'section_automatic_updates_for_wordpress_components'\n    default: 'N'\n    type: 'checkbox'\n    link_info: ''\n    link_blog: ''\n  -\n    key: 'enable_autoupdate_themes'\n    section: 
'section_automatic_updates_for_wordpress_components'\n    default: 'N'\n    type: 'checkbox'\n    link_info: ''\n    link_blog: ''\n  -\n    key: 'enable_autoupdate_translations'\n    section: 'section_automatic_updates_for_wordpress_components'\n    default: 'Y'\n    type: 'checkbox'\n    link_info: ''\n    link_blog: ''\n  -\n    key: 'enable_autoupdate_ignore_vcs'\n    section: 'section_automatic_updates_for_wordpress_components'\n    default: 'N'\n    type: 'checkbox'\n    link_info: ''\n    link_blog: ''\n  -\n    key: 'enable_upgrade_notification_email'\n    section: 'section_automatic_update_email_notifications'\n    default: ''\n    type: 'checkbox'\n    link_info: ''\n    link_blog: ''\n  -\n    key: 'override_email_address'\n    section: 'section_automatic_update_email_notifications'\n    default: ''\n    type: 'email'\n    link_info: ''\n    link_blog: ''\n  -\n    key: 'current_plugin_version'\n    section: 'section_non_ui'\n  -\n    key: 'action_hook_priority'\n    section: 'section_non_ui'\n    default: 1000\n", _wpsf__('Automatic Updates'), _wpsf__('Take back full control of WordPress automatic updates'));
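 /**
  * Collects the variables handed to the feature's options-page template.
  *
  * Fix: wp_nonce_field() echoes the hidden nonce/referer inputs immediately by
  * default as well as returning them, so the original call printed that
  * markup into the response at the point this array was built. The fourth
  * ($echo) argument is now false so the markup is only captured for the
  * template's 'nonce_field' variable.
  * NOTE(review): this assumes the template emits 'nonce_field' inside its
  * <form> - verify, since the form's nonce check depends on it.
  *
  * @return array  template variables: storage prefix, names, feature slug and
  *                form action, option lists, and translated UI strings
  */
 protected function getBaseDisplayData()
 {
     $oCon = $this->getController();
     $sFeatureSlug = $this->doPluginPrefix($this->getFeatureSlug());

     return array(
         'var_prefix'        => $oCon->getOptionStoragePrefix(),
         'sPluginName'       => $oCon->getHumanName(),
         'sFeatureName'      => $this->getMainFeatureName(),
         'sTagline'          => $this->getOptionsVo()->getFeatureTagline(),
         'fShowAds'          => $this->getIsShowMarketing(),
         // action, field name, include referer, echo = false (capture, don't print)
         'nonce_field'       => wp_nonce_field($oCon->getPluginPrefix(), '_wpnonce', true, false),
         'sFeatureSlug'      => $sFeatureSlug,
         'form_action'       => 'admin.php?page=' . $sFeatureSlug,
         'nOptionsPerRow'    => 1,
         'aPluginLabels'     => $oCon->getPluginLabels(),
         'aAllOptions'       => $this->buildOptions(),
         'aHiddenOptions'    => $this->getOptionsVo()->getHiddenOptions(),
         'all_options_input' => $this->collateAllFormInputsForAllOptions(),
         'sPageTitle'        => $this->getMainFeatureName(),
         'strings'           => array(
             'go_to_settings'                    => _wpsf__('Settings'),
             'on'                                => _wpsf__('On'),
             'off'                               => _wpsf__('Off'),
             'more_info'                         => _wpsf__('More Info'),
             'blog'                              => _wpsf__('Blog'),
             'plugin_activated_features_summary' => _wpsf__('Plugin Activated Features Summary:'),
             'save_all_settings'                 => _wpsf__('Save All Settings'),
             'aar_what_should_you_enter'         => _wpsf__('What should you enter here?'),
             'aar_must_supply_key_first'         => _wpsf__('At some point you entered a Security Admin Access Key - to manage this plugin, you must supply it here first.'),
             'aar_to_manage_must_enter_key'      => _wpsf__('To manage this plugin you must enter the access key.'),
             'aar_enter_access_key'              => _wpsf__('Enter Access Key'),
             'aar_submit_access_key'             => _wpsf__('Submit Access Key'),
         ),
     );
 }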
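 /**
  * Adds the reason for a forced logout to the login-form error object.
  *
  * The reason code arrives in the "wpsf-forcelogout" GET parameter. Each code
  * maps to a fixed, translated message (unknown codes get a generic one), so
  * nothing from the request is echoed back. The message is registered on the
  * error object under the 'wpsf-forcelogout' code.
  *
  * Fix: the switch compared the raw request string against integer cases with
  * loose (==) comparison, whose result for non-numeric or partially numeric
  * strings differs between PHP 7 and PHP 8. The value is now cast to int
  * first, so the mapping is the same on every PHP version.
  *
  * @param WP_Error $oError  existing error object (a fresh WP_Error is used if not one)
  * @return WP_Error
  */
 public function addLoginMessage($oError)
 {
     if (!$oError instanceof WP_Error) {
         $oError = new WP_Error();
     }

     $sForceLogout = $this->loadDataProcessor()->FetchGet('wpsf-forcelogout');
     if (!$sForceLogout) {
         return $oError;
     }

     switch ((int) $sForceLogout) {
         case 1:
             $sMessage = _wpsf__('Your session has expired.');
             break;
         case 2:
             $sMessage = _wpsf__('Your session was idle for too long.');
             break;
         case 3:
             $sMessage = _wpsf__('Your session was locked to another IP Address.');
             break;
         case 4:
             $sMessage = sprintf(_wpsf__('You do not currently have a %s user session.'), $this->getController()->getHumanName());
             break;
         case 5:
             $sMessage = _wpsf__('An administrator has terminated this session.');
             break;
         case 6:
             $sMessage = _wpsf__('Not a user.');
             break;
         default:
             $sMessage = _wpsf__('Your session was terminated.');
             break;
     }

     $sMessage .= '<br />' . _wpsf__('Please login again.');
     $oError->add('wpsf-forcelogout', $sMessage);
     return $oError;
 }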
<?php

// Feature definition for "Lockdown", returned as a YAML document built with
// sprintf(); the two %s placeholders receive the translated name and tagline.
//
// NOTE(review): both translated strings land inside single-quoted YAML scalars,
// so a translation containing an apostrophe would break the document.
//
// Hardening defaults as shipped (all 'N' unless noted):
//  - enable_lockdown 'Y'
//  - disable_xmlrpc 'N', disable_file_editing 'N'
//  - force_ssl_login 'N', force_ssl_admin 'N'
//  - mask_wordpress_version '' (off), hide_wordpress_generator_tag 'N'
//  - block_author_discovery 'Y'
// The link_info URLs are plain http://; they are documentation links only.
return sprintf("---\nslug: 'lockdown'\nproperties:\n  name: '%s'\n  show_feature_menu_item: true\n  storage_key: 'lockdown' # should correspond exactly to that in the plugin.yaml\n  tagline: '%s'\n# Options Sections\nsections:\n  -\n    slug: 'section_enable_plugin_feature_wordpress_lockdown'\n    primary: true\n  -\n    slug: 'section_system_lockdown'\n  -\n    slug: 'section_permission_access_options'\n  -\n    slug: 'section_wordpress_obscurity_options'\n  -\n    slug: 'section_non_ui'\n    hidden: true\n\n# Define Options\noptions:\n  -\n    key: 'enable_lockdown'\n    section: 'section_enable_plugin_feature_wordpress_lockdown'\n    default: 'Y'\n    type: 'checkbox'\n    link_info: 'http://icwp.io/4r'\n    link_blog: ''\n  -\n    key: 'disable_xmlrpc'\n    section: 'section_system_lockdown'\n    default: 'N'\n    type: 'checkbox'\n    link_info: ''\n    link_blog: ''\n  -\n    key: 'disable_file_editing'\n    section: 'section_permission_access_options'\n    default: 'N'\n    type: 'checkbox'\n    link_info: 'http://icwp.io/4q'\n    link_blog: ''\n  -\n    key: 'force_ssl_login'\n    section: 'section_permission_access_options'\n    default: 'N'\n    type: 'checkbox'\n    link_info: 'http://icwp.io/4s'\n    link_blog: ''\n  -\n    key: 'force_ssl_admin'\n    section: 'section_permission_access_options'\n    default: 'N'\n    type: 'checkbox'\n    link_info: 'http://icwp.io/4t'\n    link_blog: ''\n  -\n    key: 'mask_wordpress_version'\n    section: 'section_wordpress_obscurity_options'\n    default: ''\n    type: 'text'\n    link_info: 'http://icwp.io/43'\n    link_blog: ''\n  -\n    key: 'hide_wordpress_generator_tag'\n    section: 'section_wordpress_obscurity_options'\n    default: 'N'\n    type: 'checkbox'\n    link_info: ''\n    link_blog: ''\n  -\n    key: 'block_author_discovery'\n    section: 'section_wordpress_obscurity_options'\n    default: 'Y'\n    type: 'checkbox'\n    link_info: 'http://icwp.io/wpsf23'\n    link_blog: ''\n  -\n    key: 
'current_plugin_version'\n    section: 'section_non_ui'\n", _wpsf__('Lockdown'), _wpsf__('Harden the more loosely controlled settings of your site'));
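 /**
  * Records why this plugin assigned the current comment status, as a
  * "[* ... *]" annotation (followed by a newline) in $this->sCommentStatusExplanation.
  *
  * Fix: the status label was chosen with `$this->sCommentStatus == 0`. Under
  * PHP < 8 any non-numeric string status (e.g. "spam", "trash") compares equal
  * to 0, so such comments were labelled "pending" and the else branch was
  * unreachable for them; under PHP 8 the same expression is false. The test is
  * now empty(), so 0 / "0" / unset statuses read "pending" on every PHP
  * version and any other status string is shown as itself.
  *
  * NOTE(review): $sExplanation is interpolated verbatim into the annotation;
  * callers should not route unescaped visitor-supplied text through it.
  *
  * @param string $sExplanation  human-readable reason for the status
  * @return void
  */
 protected function setCommentStatusExplanation($sExplanation)
 {
     $bIsPending = empty($this->sCommentStatus);
     $sStatusLabel = $bIsPending ? _wpsf__('pending') : $this->sCommentStatus;

     $sFormat = _wpsf__('%s plugin marked this comment as "%s".') . ' ' . _wpsf__('Reason: %s');
     $this->sCommentStatusExplanation = '[* ' . sprintf(
         $sFormat,
         $this->getController()->getHumanName(),
         $sStatusLabel,
         $sExplanation
     ) . " *]\n";
 }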
<?php

// Feature definition for "WordPress Security Admin" (admin access restriction),
// returned as a YAML document built with sprintf(); the three %s placeholders
// receive the translated name, tagline and menu title.
//
// NOTE(review): the translated strings land inside single-quoted YAML scalars,
// so a translation containing an apostrophe would break the document.
//
// Points a reviewer should know:
//  - enable_admin_access_restriction defaults to 'N' (feature off).
//  - admin_access_key is a 'password' type option with an empty default; how it
//    is stored (hashed or plain) is not visible in this file - check the
//    options code.
//  - admin_access_timeout defaults to 30; the unit is not stated here.
//  - admin_access_restrict_options 'Y' by default; the restricted WordPress
//    options and pages are enumerated in the immutable, hidden
//    'admin_access_options_to_restrict' value (site URL, admin email, user
//    registration, comment moderation, blog visibility, and their settings pages).
//  - the plugin/theme/post restriction lists default to nothing selected.
//  - the access-key cookie name is fixed: 'icwp_wpsf_aakcook'.
return sprintf("---\nslug: 'admin_access_restriction'\nproperties:\n  name: '%s'\n  show_feature_menu_item: true\n  storage_key: 'admin_access_restriction' # should correspond exactly to that in the plugin.yaml\n  tagline: '%s'\n  menu_title: '%s'\n\nadmin_notices:\n  'certain-options-restricted':\n    id: 'certain-options-restricted'\n    schedule: 'conditions'\n    valid_admin: true\n    type: 'warning'\n  'admin-users-restricted':\n    id: 'admin-users-restricted'\n    schedule: 'conditions'\n    valid_admin: true\n    type: 'warning'\n\n# Options Sections\nsections:\n  -\n    slug: 'section_enable_plugin_feature_admin_access_restriction'\n    primary: true\n  -\n    slug: 'section_admin_access_restriction_settings'\n    primary: false\n  -\n    slug: 'section_admin_access_restriction_areas'\n    primary: false\n  -\n    slug: 'section_non_ui'\n    hidden: true\n\n# Define Options\noptions:\n  -\n    key: 'enable_admin_access_restriction'\n    section: 'section_enable_plugin_feature_admin_access_restriction'\n    default: 'N'\n    type: 'checkbox'\n    link_info: 'http://icwp.io/40'\n    link_blog: 'http://icwp.io/wpsf02'\n  -\n    key: 'admin_access_key'\n    section: 'section_enable_plugin_feature_admin_access_restriction'\n    default: ''\n    type: 'password'\n    link_info: 'http://icwp.io/42'\n    link_blog: ''\n  -\n    key: 'admin_access_timeout'\n    section: 'section_admin_access_restriction_settings'\n    default: 30\n    type: 'integer'\n    link_info: 'http://icwp.io/41'\n    link_blog: ''\n  -\n    key: 'admin_access_restrict_options'\n    section: 'section_admin_access_restriction_areas'\n    default: 'Y'\n    type: 'checkbox'\n    link_info: 'http://icwp.io/wpsf32'\n    link_blog: ''\n  -\n    key: 'admin_access_restrict_admin_users'\n    section: 'section_admin_access_restriction_areas'\n    default: 'N'\n    type: 'checkbox'\n    link_info: ''\n    link_blog: ''\n  -\n    key: 'admin_access_restrict_plugins'\n    section: 
'section_admin_access_restriction_areas'\n    type: 'multiple_select'\n    default:\n    value_options:\n      -\n        value_key: 'activate_plugins'\n        text: 'Activate'\n      -\n        value_key: 'install_plugins'\n        text: 'Install'\n      -\n        value_key: 'update_plugins'\n        text: 'Update'\n      -\n        value_key: 'delete_plugins'\n        text: 'Delete'\n    link_info: 'http://icwp.io/wpsf21'\n    link_blog: ''\n  -\n    key: 'admin_access_restrict_themes'\n    section: 'section_admin_access_restriction_areas'\n    type: 'multiple_select'\n    default:\n    value_options:\n      -\n        value_key: 'switch_themes'\n        text: 'Activate'\n      -\n        value_key: 'edit_theme_options'\n        text: 'Edit Theme Options'\n      -\n        value_key: 'install_themes'\n        text: 'Install'\n      -\n        value_key: 'update_themes'\n        text: 'Update'\n      -\n        value_key: 'delete_themes'\n        text: 'Delete'\n    link_info: 'http://icwp.io/wpsf21'\n    link_blog: ''\n  -\n    key: 'admin_access_restrict_posts'\n    section: 'section_admin_access_restriction_areas'\n    type: 'multiple_select'\n    default:\n    value_options:\n      -\n        value_key: 'edit'\n        text: 'Create / Edit'\n      -\n        value_key: 'publish'\n        text: 'Publish'\n      -\n        value_key: 'delete'\n        text: 'Delete'\n    link_info: 'http://icwp.io/wpsf21'\n    link_blog: ''\n  -\n    key: 'current_plugin_version'\n    section: 'section_non_ui'\n  -\n    key: 'admin_access_options_to_restrict'\n    section: 'section_non_ui'\n    immutable: true\n    value:\n      wpms_options:\n        - 'admin_email'\n        - 'site_name'\n        - 'registration'\n      wpms_pages:\n        - 'settings.php'\n      wp_options:\n        - 'blogname'\n        - 'blogdescription'\n        - 'siteurl'\n        - 'home'\n        - 'admin_email'\n        - 'users_can_register'\n        - 'comments_notify'\n        - 
'comment_moderation'\n        - 'blog_public'\n      wp_pages:\n        - 'options-general.php'\n        - 'options-discussion.php'\n        - 'options-reading.php'\n  -\n    key: 'admin_access_key_cookie_name'\n    section: 'section_non_ui'\n    value: 'icwp_wpsf_aakcook'\n", _wpsf__('WordPress Security Admin'), _wpsf__('Protect your security plugin not just your WordPress site'), _wpsf__('Security Admin'));
 /**
  * Audit-trail entry (context 'wordpress', severity 1) for a change to the
  * permalink structure, recording both the old and the new pattern.
  *
  * @param string $sOld
  * @param string $sNew
  * @return void  the original docblock said bool, but nothing is returned
  */
 public function auditPermalinkStructure($sOld, $sNew)
 {
     $oAuditTrail = $this->getAuditTrailEntries();
     $sEntry = sprintf(_wpsf__('WordPress Permalinks Structure was updated from "%s" to "%s".'), $sOld, $sNew);
     $oAuditTrail->add('wordpress', 'permalinks_structure', 1, $sEntry);
 }
 /**
  * Supplies the display strings (name, summary, description) for each option
  * key of the Lockdown feature.
  *
  * Each case yields a (name, summary, description) triple that is written back
  * into the option definition. An unknown key means the options definition
  * and this method have drifted apart, and raises an Exception.
  *
  * @param array $aOptionsParams  option definition; 'key' selects the strings
  * @return array  the definition with 'name', 'summary' and 'description' set
  * @throws Exception  when 'key' has no strings here
  */
 protected function loadStrings_Options($aOptionsParams)
 {
     $sKey = $aOptionsParams['key'];
     switch ($sKey) {
         case 'enable_lockdown':
             $sFeature = $this->getMainFeatureName();
             $aStrings = array(
                 sprintf(_wpsf__('Enable %s'), $sFeature),
                 sprintf(_wpsf__('Enable (or Disable) The %s Feature'), $sFeature),
                 sprintf(_wpsf__('Checking/Un-Checking this option will completely turn on/off the whole %s feature.'), $sFeature),
             );
             break;
         case 'disable_xmlrpc':
             $aStrings = array(
                 sprintf(_wpsf__('Disable %s'), 'XML-RPC'),
                 sprintf(_wpsf__('Disable The %s System'), 'XML-RPC'),
                 sprintf(_wpsf__('Checking this option will completely turn off the whole %s system.'), 'XML-RPC'),
             );
             break;
         case 'disable_file_editing':
             // Described as equivalent to DISALLOW_FILE_EDIT; it removes the
             // in-dashboard plugin/theme editor, a common post-compromise tool.
             $aStrings = array(
                 _wpsf__('Disable File Editing'),
                 _wpsf__('Disable Ability To Edit Files From Within WordPress'),
                 _wpsf__('Removes the option to directly edit any files from within the WordPress admin area.') . '<br />' . _wpsf__('Equivalent to setting "DISALLOW_FILE_EDIT" to TRUE.'),
             );
             break;
         case 'force_ssl_login':
             // NOTE(review): the text equates this to FORCE_SSL_LOGIN, which
             // newer WordPress releases treat as an alias of FORCE_SSL_ADMIN;
             // confirm the implementing code still has the intended effect.
             $aStrings = array(
                 _wpsf__('Force SSL Login'),
                 _wpsf__('Forces Login Form To Be Submitted Over SSL'),
                 _wpsf__('Please only enable this option if you have a valid SSL certificate installed.') . '<br />' . _wpsf__('Equivalent to setting FORCE_SSL_LOGIN to TRUE.'),
             );
             break;
         case 'force_ssl_admin':
             $aStrings = array(
                 _wpsf__('Force SSL Admin'),
                 _wpsf__('Forces WordPress Admin Dashboard To Be Delivered Over SSL'),
                 _wpsf__('Please only enable this option if you have a valid SSL certificate installed.') . '<br />' . _wpsf__('Equivalent to setting "FORCE_SSL_ADMIN" to TRUE.'),
             );
             break;
         case 'mask_wordpress_version':
             $aStrings = array(
                 _wpsf__('Mask WordPress Version'),
                 _wpsf__('Prevents Public Display Of Your WordPress Version'),
                 _wpsf__('Enter how you would like your WordPress version displayed publicly. Leave blank to disable this feature.') . '<br />' . _wpsf__('Warning: This may interfere with WordPress plugins that rely on the $wp_version variable.'),
             );
             break;
         case 'hide_wordpress_generator_tag':
             $aStrings = array(
                 _wpsf__('WP Generator Tag'),
                 _wpsf__('Remove WP Generator Meta Tag'),
                 _wpsf__('Remove a meta tag from your WordPress pages that publicly displays that your site is WordPress and its current version.'),
             );
             break;
         case 'block_author_discovery':
             $aStrings = array(
                 _wpsf__('Block Username Fishing'),
                 _wpsf__('Block the ability to discover WordPress usernames based on author IDs'),
                 sprintf(_wpsf__('When enabled, any URL requests containing "%s" will be killed.'), 'author=') . '<br />' . sprintf(_wpsf__('Warning: %s'), _wpsf__('Enabling this option may interfere with expected operations of your site.')),
             );
             break;
         default:
             throw new Exception(sprintf('An option has been defined but without strings assigned to it. Option key: "%s".', $sKey));
     }

     list($aOptionsParams['name'], $aOptionsParams['summary'], $aOptionsParams['description']) = $aStrings;
     return $aOptionsParams;
 }
<?php

// Feature definition for the "Audit Trail" module, returned as a YAML document
// string. Only the three %s placeholders are translatable (feature name,
// tagline, viewer menu title); every other value is fixed here.
// Notable defaults: the feature itself ('enable_audit_trail') is off ('N') until
// enabled, while each per-context toggle (users, plugins, themes, posts,
// wordpress, emails, wpsf) defaults to 'Y'.
// NOTE(review): 'audit_trail_auto_clean' defaults to 30; the unit (days?) is not
// stated in this file — confirm against the consumer of that option.
// NOTE(review): the 'link_info' URLs are plain http:// — confirm they redirect to https.
return sprintf("---\nslug: 'audit_trail'\nproperties:\n  name: '%s'\n  show_feature_menu_item: true\n  storage_key: 'audit_trail' # should correspond exactly to that in the plugin.yaml\n  tagline: '%s'\n# Options Sections\nsections:\n  -\n    slug: 'section_enable_plugin_feature_audit_trail'\n    primary: true\n  -\n    slug: 'section_audit_trail_options'\n  -\n    slug: 'section_enable_audit_contexts'\n  -\n    slug: 'section_non_ui'\n    hidden: true\n\n# Define Options and assign to section slug\noptions:\n  -\n    key: 'enable_audit_trail'\n    section: 'section_enable_plugin_feature_audit_trail'\n    default: 'N'\n    type: 'checkbox'\n    link_info: 'http://icwp.io/5p'\n    link_blog: ''\n  -\n    key: 'audit_trail_auto_clean'\n    section: 'section_audit_trail_options'\n    default: 30\n    type: 'integer'\n    link_info: 'http://icwp.io/5p'\n    link_blog: ''\n  -\n    key: 'enable_audit_context_users'\n    section: 'section_enable_audit_contexts'\n    default: 'Y'\n    type: 'checkbox'\n    link_info: ''\n    link_blog: ''\n  -\n    key: 'enable_audit_context_plugins'\n    section: 'section_enable_audit_contexts'\n    default: 'Y'\n    type: 'checkbox'\n    link_info: ''\n    link_blog: ''\n  -\n    key: 'enable_audit_context_themes'\n    section: 'section_enable_audit_contexts'\n    default: 'Y'\n    type: 'checkbox'\n    link_info: ''\n    link_blog: ''\n  -\n    key: 'enable_audit_context_posts'\n    section: 'section_enable_audit_contexts'\n    default: 'Y'\n    type: 'checkbox'\n    link_info: ''\n    link_blog: ''\n  -\n    key: 'enable_audit_context_wordpress'\n    section: 'section_enable_audit_contexts'\n    default: 'Y'\n    type: 'checkbox'\n    link_info: ''\n    link_blog: ''\n  -\n    key: 'enable_audit_context_emails'\n    section: 'section_enable_audit_contexts'\n    default: 'Y'\n    type: 'checkbox'\n    link_info: ''\n    link_blog: ''\n  -\n    key: 'enable_audit_context_wpsf'\n    section: 'section_enable_audit_contexts'\n    default: 
'Y'\n    type: 'checkbox'\n    link_info: ''\n    link_blog: ''\n  -\n    key: 'current_plugin_version'\n    section: 'section_non_ui'\n  -\n    key: 'audit_trail_table_name'\n    section: 'section_non_ui'\n    value: 'audit_trail'\n  -\n    key: 'audit_trail_table_columns'\n    section: 'section_non_ui'\n    value:\n      - 'id'\n      - 'wp_username'\n      - 'ip'\n      - 'context'\n      - 'event'\n      - 'category'\n      - 'message'\n      - 'immutable'\n      - 'created_at'\n      - 'deleted_at'\n  -\n    key: 'recreate_database_table'\n    section: 'section_non_ui'\n    default: false\nmenu_items:\n  -\n    slug: 'audit_trail_viewer'\n    title: '%s'\n    callback: 'displayAuditTrailViewer'\n", _wpsf__('Audit Trail'), _wpsf__('Get a view on what happens on your site, when it happens'), _wpsf__('Audit Trail Viewer'));
<?php

// Feature definition for the "Email" module, returned as a YAML document string.
// Only the feature name (%s) is translatable. The module has no menu item
// ('show_feature_menu_item: false') and exposes two options:
// 'block_send_email_address' (type 'email', empty by default) and
// 'send_email_throttle_limit' (type 'integer', default 10).
// NOTE(review): the throttle limit's unit/period is not stated here — confirm
// against the code that enforces it.
return sprintf("---\nslug: 'email'\nproperties:\n  name: '%s'\n  show_feature_menu_item: false\n  storage_key: 'email' # should correspond exactly to that in the plugin.yaml\n# Options Sections\nsections:\n  -\n    slug: 'section_email_options'\n    primary: true\n  -\n    slug: 'section_non_ui'\n    hidden: true\n\n# Define Options\noptions:\n  -\n    key: 'block_send_email_address'\n    section: 'section_email_options'\n    default: ''\n    type: 'email'\n    link_info: ''\n    link_blog: ''\n  -\n    key: 'send_email_throttle_limit'\n    section: 'section_email_options'\n    default: 10\n    type: 'integer'\n    link_info: ''\n    link_blog: ''\n  -\n    key: 'current_plugin_version'\n    section: 'section_non_ui'\n", _wpsf__('Email'));
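 /**
  * Supplies the admin-facing strings (name, summary, description) for one
  * Firewall feature option, selected by the option's key.
  *
  * The data processor previously loaded at the top of this method was never
  * used by the string lookup, so it is no longer requested here.
  *
  * @param array $aOptionsParams option definition; its 'key' entry selects the strings
  * @return array the same definition with 'name', 'summary' and 'description' filled in
  * @throws Exception when no strings are defined for the given key
  */
 protected function loadStrings_Options($aOptionsParams)
 {
     $sKey = $aOptionsParams['key'];
     // Every case yields one name/summary/description triple. Some descriptions
     // carry inline "<br />" markup, so they are intended for an HTML context.
     switch ($sKey) {
         case 'enable_firewall':
             $aStrings = array(
                 'name' => sprintf(_wpsf__('Enable %s'), $this->getMainFeatureName()),
                 'summary' => sprintf(_wpsf__('Enable (or Disable) The %s Feature'), $this->getMainFeatureName()),
                 'description' => sprintf(_wpsf__('Checking/Un-Checking this option will completely turn on/off the whole %s feature.'), $this->getMainFeatureName()),
             );
             break;
         case 'include_cookie_checks':
             $aStrings = array(
                 'name' => _wpsf__('Include Cookies'),
                 'summary' => _wpsf__('Also Test Cookie Values In Firewall Tests'),
                 'description' => _wpsf__('The firewall tests GET and POST, but with this option checked it will also check COOKIE values.'),
             );
             break;
         case 'block_dir_traversal':
             $aStrings = array(
                 'name' => _wpsf__('Directory Traversals'),
                 'summary' => _wpsf__('Block Directory Traversals'),
                 'description' => _wpsf__('This will block directory traversal paths in in application parameters (e.g. ../, ../../etc/passwd, etc.).'),
             );
             break;
         case 'block_sql_queries':
             $aStrings = array(
                 'name' => _wpsf__('SQL Queries'),
                 'summary' => _wpsf__('Block SQL Queries'),
                 'description' => _wpsf__('This will block sql in application parameters (e.g. union select, concat(, /**/, etc.).'),
             );
             break;
         case 'block_wordpress_terms':
             $aStrings = array(
                 'name' => _wpsf__('WordPress Terms'),
                 'summary' => _wpsf__('Block WordPress Specific Terms'),
                 'description' => _wpsf__('This will block WordPress specific terms in application parameters (wp_, user_login, etc.).'),
             );
             break;
         case 'block_field_truncation':
             $aStrings = array(
                 'name' => _wpsf__('Field Truncation'),
                 'summary' => _wpsf__('Block Field Truncation Attacks'),
                 'description' => _wpsf__('This will block field truncation attacks in application parameters.'),
             );
             break;
         case 'block_php_code':
             $aStrings = array(
                 'name' => _wpsf__('PHP Code'),
                 'summary' => sprintf(_wpsf__('Block %s'), _wpsf__('PHP Code Includes')),
                 'description' => _wpsf__('This will block any data that appears to try and include PHP files.') . '<br />' . _wpsf__('Will probably block saving within the Plugin/Theme file editors.'),
             );
             break;
         case 'block_exe_file_uploads':
             $aStrings = array(
                 'name' => _wpsf__('Exe File Uploads'),
                 'summary' => _wpsf__('Block Executable File Uploads'),
                 'description' => _wpsf__('This will block executable file uploads (.php, .exe, etc.).'),
             );
             break;
         case 'block_leading_schema':
             $aStrings = array(
                 'name' => _wpsf__('Leading Schemas'),
                 'summary' => _wpsf__('Block Leading Schemas (HTTPS / HTTP)'),
                 'description' => _wpsf__('This will block leading schemas http:// and https:// in application parameters (off by default; may cause problems with other plugins).'),
             );
             break;
         case 'block_response':
             $aStrings = array(
                 'name' => _wpsf__('Block Response'),
                 'summary' => _wpsf__('Choose how the firewall responds when it blocks a request'),
                 'description' => _wpsf__('We recommend dying with a message so you know what might have occurred when the firewall blocks you'),
             );
             break;
         case 'block_send_email':
             $aStrings = array(
                 'name' => _wpsf__('Send Email Report'),
                 'summary' => _wpsf__('When a visitor is blocked the firewall will send an email to the configured email address'),
                 'description' => _wpsf__('Use with caution - if you get hit by automated bots you may send out too many emails and you could get blocked by your host'),
             );
             break;
         case 'page_params_whitelist':
             $aStrings = array(
                 'name' => _wpsf__('Whitelist Parameters'),
                 'summary' => _wpsf__('Detail pages and parameters that are whitelisted (ignored by the firewall)'),
                 'description' => _wpsf__('This should be used with caution and you should only provide parameter names that you must have excluded'),
             );
             break;
         case 'whitelist_admins':
             $aStrings = array(
                 'name' => sprintf(_wpsf__('Ignore %s'), _wpsf__('Administrators')),
                 'summary' => sprintf(_wpsf__('Ignore %s'), _wpsf__('Administrators')),
                 'description' => _wpsf__('Authenticated administrator users will not be processed by the firewall rules.'),
             );
             break;
         case 'ignore_search_engines':
             $aStrings = array(
                 'name' => sprintf(_wpsf__('Ignore %s'), _wpsf__('Search Engines')),
                 'summary' => _wpsf__('Ignore Search Engine Bot Traffic'),
                 'description' => _wpsf__('The firewall will try to recognise search engine spiders/bots and not apply firewall rules to them.'),
             );
             break;
         case 'enable_firewall_log':
             $aStrings = array(
                 'name' => _wpsf__('Firewall Logging'),
                 'summary' => _wpsf__('Turn on Firewall Log'),
                 'description' => _wpsf__('Will log every visit to the site and how the firewall processes it. Not recommended to leave on unless you want to debug something and check the firewall is working as you expect'),
             );
             break;
         default:
             // An option declared in the feature config but not described here is a
             // programming error, not a runtime condition, hence the hard failure.
             throw new Exception(sprintf('An option has been defined but without strings assigned to it. Option key: "%s".', $sKey));
     }
     $aOptionsParams['name'] = $aStrings['name'];
     $aOptionsParams['summary'] = $aStrings['summary'];
     $aOptionsParams['description'] = $aStrings['description'];
     return $aOptionsParams;
 }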
 /**
  * Prints the "known vulnerability" notice row for a plugin in the plugins
  * list, when vulnerability data exists for the installed version.
  *
  * Output is echoed directly (the rendered snippet template); nothing is returned.
  * If no vulnerability data is available the method does nothing.
  *
  * @param string $sPluginFile plugin basename as passed by WordPress
  * @param array $aPluginData plugin header data; only 'Name' is read here
  */
 public function attachVulnerabilityWarning($sPluginFile, $aPluginData)
 {
     $aVuln = $this->getPluginVulnerabilityData($sPluginFile, $aPluginData);
     if (!is_array($aVuln)) {
         return;
     }
     $sKnownVulnNotice = sprintf(
         _wpsf__('%s has discovered that the currently installed version of the "%s" plugin has a known security vulnerability.'),
         $this->getController()->getHumanName(),
         $aPluginData['Name']
     );
     $aStrings = array(
         'known_vuln' => $sKnownVulnNotice,
         'vuln_type' => _wpsf__('Vulnerability Type'),
         'vuln_type_explanation' => ucfirst($aVuln['TypeOfVulnerability']),
         'vuln_versions' => _wpsf__('Vulnerable Versions'),
         'more_info' => _wpsf__('More Info'),
         'first_version' => $aVuln['FirstVersion'],
         'last_version' => $aVuln['LastVersion'],
     );
     // NOTE(review): the plugin name, vulnerability type/versions and the
     // 'more_info' URL are handed to the template unescaped; the snippet is
     // assumed to escape them for HTML and href context — confirm in the template.
     $aRenderData = array(
         'strings' => $aStrings,
         'hrefs' => array('more_info' => $aVuln['URL']),
         'nColspan' => $this->nColumnsCount,
     );
     echo $this->getFeatureOptions()->renderTemplate('snippets' . ICWP_DS . 'plugin-vulnerability.php', $aRenderData);
 }