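/**
 * Execute module deactivation
 *
 * Clears the cached random version string and puts .htaccess and
 * wp-config.php back to the conventional 0644 mode (owner-writable,
 * world-readable), undoing any 0444 lock-down applied while the module
 * was active.
 *
 * @return void
 */
public function execute_deactivate() {
	delete_site_transient( 'itsec_random_version' );

	// Reset recommended file permissions. chmod() failures are silenced with @, as
	// elsewhere in this module; nothing here reports whether the reset actually happened.
	@chmod( ITSEC_Lib::get_htaccess(), 0644 );
	@chmod( ITSEC_Lib::get_config(), 0644 );
}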
/**
 * Execute module deactivation
 *
 * Drops the cached random version string, writes the "deactivated" wp-config
 * rule set through the shared files handler and returns .htaccess and
 * wp-config.php to the conventional 0644 mode.
 *
 * @return void
 */
public function execute_deactivate() {
	global $itsec_files;

	delete_site_transient( 'itsec_random_version' );

	// Second argument true asks the tweaks admin for the deactivation variant of the rules.
	$rule_set = array( itsec_tweaks_Admin::build_wpconfig_rules( null, true ) );
	$itsec_files->set_wpconfig( $rule_set );

	// Reset recommended file permissions; failures stay silent (@), as in the rest of the module.
	foreach ( array( ITSEC_Lib::get_htaccess(), ITSEC_Lib::get_config() ) as $path ) {
		@chmod( $path, 0644 );
	}
}
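/**
 * Execute module upgrade
 *
 * Each version gate migrates the Hide Backend settings that changed at that
 * version. Gates are checked in ascending order so a very old install passes
 * through all of them.
 *
 * @param int $itsec_old_version The plugin version being upgraded from.
 *
 * @return void
 */
public function execute_upgrade( $itsec_old_version ) {
	if ( $itsec_old_version < 4000 ) {
		$this->upgrade_hide_backend_from_bwps();
	}

	if ( $itsec_old_version < 4027 ) {
		$this->upgrade_hide_backend_to_4027();
	}

	if ( $itsec_old_version < 4041 ) {
		$this->upgrade_hide_backend_to_4041();
	}
}

/**
 * Migrate the legacy Better WP Security ($itsec_bwps_options) hide-backend
 * settings into the 'itsec_hide_backend' site option (installs older than 4000).
 *
 * Nothing is written when the 'itsec_hide_backend' option does not exist yet.
 *
 * @return void
 */
private function upgrade_hide_backend_from_bwps() {
	global $itsec_bwps_options;

	$current_options = get_site_option( 'itsec_hide_backend' );

	if ( false === $current_options ) {
		return;
	}

	// Legacy options may store the flag as the string '1', so the loose comparison is kept on purpose.
	$current_options['enabled']  = isset( $itsec_bwps_options['hb_enabled'] ) && 1 == $itsec_bwps_options['hb_enabled'];
	$current_options['register'] = isset( $itsec_bwps_options['hb_register'] ) ? sanitize_text_field( $itsec_bwps_options['hb_register'] ) : 'wp-register.php';

	$current_options['show-tooltip'] = ( true === $current_options['enabled'] );

	// A slug that would shadow a core login/admin path (or an empty slug) disables the feature instead of being migrated.
	$forbidden_slugs = array( 'admin', 'login', 'wp-login.php', 'dashboard', 'wp-admin', '' );
	$slug            = isset( $itsec_bwps_options['hb_login'] ) ? trim( $itsec_bwps_options['hb_login'] ) : '';

	if ( ! in_array( $slug, $forbidden_slugs, true ) ) {
		// Store the value that was actually validated (the trimmed one) and sanitize it like 'register' above.
		$current_options['slug'] = sanitize_text_field( $slug );
	} else {
		$current_options['enabled'] = false;
	}

	// Every outcome prompts the admin to review the migrated settings (10 minute transient).
	set_site_transient( 'ITSEC_SHOW_HIDE_BACKEND_TOOLTIP', true, 600 );

	update_site_option( 'itsec_hide_backend', $current_options );
	ITSEC_Response::regenerate_server_config();
}

/**
 * Rewrite rules changed in 4027: queue a rewrite flush and regenerate the
 * server config when Hide Backend is enabled.
 *
 * @return void
 */
private function upgrade_hide_backend_to_4027() {
	$current_options = get_site_option( 'itsec_hide_backend' );

	if ( ! isset( $current_options['enabled'] ) || true !== $current_options['enabled'] ) {
		return;
	}

	$config_file = ITSEC_Lib::get_htaccess();

	// Last four octal digits of the current mode, e.g. '0644'. A failed fileperms() yields '0',
	// which the restore guard below rejects.
	$perms = substr( sprintf( '%o', @fileperms( $config_file ) ), -4 );
	@chmod( $config_file, 0664 );

	// The flush itself runs later on admin_init; the widened mode is undone below before that happens.
	add_action( 'admin_init', array( $this, 'flush_rewrite_rules' ) );

	// Restore whatever mode the file had so it is not left group-writable (0664).
	if ( preg_match( '/^[0-7]{4}$/', $perms ) ) {
		@chmod( $config_file, octdec( $perms ) );
	}

	ITSEC_Response::regenerate_server_config();
}

/**
 * 4041 moved the settings into ITSEC_Modules storage and dropped the
 * 'show-tooltip' key. Installs with no saved options keep the new defaults.
 *
 * @return void
 */
private function upgrade_hide_backend_to_4041() {
	$current_options = get_site_option( 'itsec_hide_backend' );

	if ( ! is_array( $current_options ) ) {
		return;
	}

	unset( $current_options['show-tooltip'] );
	ITSEC_Modules::set_settings( 'hide-backend', $current_options );
}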
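/**
 * Deactivate execution
 *
 * Runs module deactivation, clears the plugin's scheduled hooks, site options
 * and transients, flushes the rewrite rules and clears caches.
 *
 * @since 4.0
 *
 * @return void
 */
private function deactivate_execute() {
	global $itsec_files;

	wp_clear_scheduled_hook( 'itsec_purge_lockouts' );

	$this->do_modules();
	$itsec_files->do_deactivate();

	$site_options = array(
		'itsec_flush_old_rewrites',
		'itsec_manual_update',
		'itsec_rewrites_changed',
		'itsec_config_changed',
		'itsec_had_other_version',
		'itsec_no_file_lock_release',
		'itsec_clear_login',
		'itsec_temp_whitelist_ip',
		'itsec_api_nag',
	);

	foreach ( $site_options as $option_name ) {
		delete_site_option( $option_name );
	}

	$site_transients = array(
		'ITSEC_SHOW_WRITE_FILES_TOOLTIP',
		'itsec_upload_dir',
		'itsec_notification_running',
	);

	foreach ( $site_transients as $transient_name ) {
		delete_site_transient( $transient_name );
	}

	wp_clear_scheduled_hook( 'itsec_digest_email' );

	$htaccess = ITSEC_Lib::get_htaccess();

	// Only a read-only (0444) .htaccess is temporarily made writable for the flush and
	// locked again afterwards; any other mode is left untouched. $perms holds the last
	// four octal digits of the mode ('0' when fileperms() fails, which never matches).
	$perms         = substr( sprintf( '%o', @fileperms( $htaccess ) ), -4 );
	$was_read_only = ( '0444' === $perms );

	if ( $was_read_only ) {
		@chmod( $htaccess, 0664 );
	}

	flush_rewrite_rules();

	if ( $was_read_only ) {
		@chmod( $htaccess, 0444 );
	}

	ITSEC_Lib::clear_caches();
}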
/**
 * Execute module deactivation
 *
 * Returns .htaccess and wp-config.php to the conventional 0644 mode
 * (owner-writable, world-readable), undoing any lock-down applied while
 * the module was active.
 *
 * @return void
 */
public function execute_deactivate() {
	// Reset recommended file permissions; chmod() failures are silenced (@) as elsewhere in the module.
	$protected_files = array(
		ITSEC_Lib::get_htaccess(),
		ITSEC_Lib::get_config(),
	);

	foreach ( $protected_files as $file ) {
		@chmod( $file, 0644 );
	}
}
<?php global $wpdb, $itsec_globals; $config_file = ITSEC_Lib::get_config(); $htaccess = ITSEC_Lib::get_htaccess(); ?> <ul class="itsec-support"> <li> <h4><?php _e('User Information', 'it-l10n-better-wp-security'); ?> </h4> <ul> <li><?php _e('Public IP Address', 'it-l10n-better-wp-security'); ?> : <strong><a target="_blank" title="<?php _e('Get more information on this address', 'it-l10n-better-wp-security'); ?> " href="http://whois.domaintools.com/<?php echo ITSEC_Lib::get_ip(); ?> "><?php echo ITSEC_Lib::get_ip(); ?> </a></strong> </li> <li><?php
$this_test['status'] = 'WARNING'; } else { $this_test['status'] = 'OK'; } array_push($tests, $this_test); //END FOLDERS //BEGIN FILES $this_test = array('title' => 'wp-config.php', 'suggestion' => '= 444', 'value' => substr(sprintf('%o', fileperms(ITSEC_Lib::get_config())), -4)); if (!fileperms(ITSEC_Lib::get_config()) || 444 != substr(sprintf('%o', fileperms(ITSEC_Lib::get_config())), -4)) { $this_test['status'] = 'WARNING'; } else { $this_test['status'] = 'OK'; } array_push($tests, $this_test); $this_test = array('title' => '.htaccess', 'suggestion' => '= 444', 'value' => substr(sprintf('%o', fileperms(ITSEC_Lib::get_htaccess())), -4)); if (!fileperms(ITSEC_Lib::get_htaccess()) || 444 != substr(sprintf('%o', fileperms(ITSEC_Lib::get_htaccess())), -4)) { $this_test['status'] = 'WARNING'; } else { $this_test['status'] = 'OK'; } array_push($tests, $this_test); //END FILES ?> <table class="widefat"> <thead> <tr class="thead"> <th><?php _e('Relative Path', 'better-wp-security'); ?> </th>
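/**
 * Execute module upgrade
 *
 * Migrates the Hide Backend settings across the version gates below. The
 * version being upgraded from is read from the global $itsec_old_version.
 *
 * @return void
 */
public function execute_upgrade() {
	global $itsec_old_version;

	if ( $itsec_old_version < 4000 ) {
		global $itsec_bwps_options;

		$current_options = get_site_option( 'itsec_hide_backend' );

		if ( false === $current_options ) {
			$current_options = $this->defaults;
		}

		// Legacy options may store the flag as the string '1', so the loose comparison is kept on purpose.
		$current_options['enabled']  = isset( $itsec_bwps_options['hb_enabled'] ) && 1 == $itsec_bwps_options['hb_enabled'];
		$current_options['register'] = isset( $itsec_bwps_options['hb_register'] ) ? sanitize_text_field( $itsec_bwps_options['hb_register'] ) : 'wp-register.php';

		$current_options['show-tooltip'] = ( true === $current_options['enabled'] );

		// A slug that would shadow a core login/admin path (or an empty slug) disables the feature instead of being migrated.
		$forbidden_slugs = array( 'admin', 'login', 'wp-login.php', 'dashboard', 'wp-admin', '' );
		$slug            = isset( $itsec_bwps_options['hb_login'] ) ? trim( $itsec_bwps_options['hb_login'] ) : '';

		if ( ! in_array( $slug, $forbidden_slugs, true ) ) {
			// Store the value that was actually validated (the trimmed one) and sanitize it like 'register' above.
			$current_options['slug'] = sanitize_text_field( $slug );
		} else {
			$current_options['enabled'] = false;
		}

		// Every outcome prompts the admin to review the migrated settings (10 minute transient).
		set_site_transient( 'ITSEC_SHOW_HIDE_BACKEND_TOOLTIP', true, 600 );

		update_site_option( 'itsec_hide_backend', $current_options );
		add_site_option( 'itsec_rewrites_changed', true );
	}

	if ( $itsec_old_version < 4027 ) {
		$current_options = get_site_option( 'itsec_hide_backend' );

		if ( isset( $current_options['enabled'] ) && true === $current_options['enabled'] ) {
			$config_file = ITSEC_Lib::get_htaccess();

			// Last four octal digits of the current mode, e.g. '0644'. A failed fileperms()
			// yields '0', which the restore guard below rejects.
			$perms = substr( sprintf( '%o', @fileperms( $config_file ) ), -4 );
			@chmod( $config_file, 0664 );

			// The flush itself runs later on admin_init; the widened mode is undone below before that happens.
			add_action( 'admin_init', array( $this, 'flush_rewrite_rules' ) );

			// Restore whatever mode the file had so it is not left group-writable (0664).
			if ( preg_match( '/^[0-7]{4}$/', $perms ) ) {
				@chmod( $config_file, octdec( $perms ) );
			}

			add_site_option( 'itsec_rewrites_changed', true );
		}
	}
}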
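/**
 * Append the System Tweaks rules to the generated nginx server configuration.
 *
 * Reads the 'system-tweaks' module settings and appends one commented block per
 * enabled option. This is a filter callback: the configuration is returned, not
 * written anywhere.
 *
 * @param string $modification The nginx configuration generated so far.
 *
 * @return string The configuration with the System Tweaks blocks appended.
 */
public static function filter_nginx_server_config_modification( $modification ) {
	require_once $GLOBALS['itsec_globals']['plugin_dir'] . 'core/lib/class-itsec-lib-utility.php';

	$input       = ITSEC_Modules::get_settings( 'system-tweaks' );
	$wp_includes = WPINC;

	// empty() rather than a bare index read: a missing setting key is "off", not a notice.
	if ( ! empty( $input['protect_files'] ) ) {
		$config_file = ITSEC_Lib::get_htaccess();

		// Express the config file as a path relative to the site root; a file outside ABSPATH falls back to a fixed name.
		if ( 0 === strpos( $config_file, ABSPATH ) ) {
			$config_file = '/' . substr( $config_file, strlen( ABSPATH ) );
		} else {
			$config_file = '/nginx.conf';
		}

		$modification .= "\n";
		$modification .= "\t# " . __( 'Protect System Files - Security > Settings > System Tweaks > System Files', 'better-wp-security' ) . "\n";
		$modification .= "\tlocation = /wp-admin/install\\.php { deny all; }\n";
		// Exact-match location; $config_file is inserted verbatim, so a path containing whitespace or braces would break the directive.
		$modification .= "\tlocation = {$config_file} { deny all; }\n";
		$modification .= "\tlocation ~ /\\.htaccess\$ { deny all; }\n";
		$modification .= "\tlocation ~ /readme\\.html\$ { deny all; }\n";
		$modification .= "\tlocation ~ /readme\\.txt\$ { deny all; }\n";
		// The '.' is unescaped here (unlike the sibling rules), so this matches a superset of the literal name; harmless for a deny rule.
		$modification .= "\tlocation ~ /wp-config.php\$ { deny all; }\n";
		$modification .= "\tlocation ~ ^/wp-admin/includes/ { deny all; }\n";

		if ( ! is_multisite() || ! get_site_option( 'ms_files_rewriting' ) ) {
			// nginx can only reliably block PHP files in wp-includes if requests to wp-includes/ms-files.php are
			// not required. This is because there is no skip directive as Apache has.
			$modification .= "\tlocation ~ ^/{$wp_includes}/[^/]+\\.php\$ { deny all; }\n";
		}

		$modification .= "\tlocation ~ ^/{$wp_includes}/js/tinymce/langs/.+\\.php\$ { deny all; }\n";
		$modification .= "\tlocation ~ ^/{$wp_includes}/theme-compat/ { deny all; }\n";
	}

	// Deny direct execution of PHP (and common alternate extensions) in directories that only hold uploaded or third-party files.
	if ( ! empty( $input['uploads_php'] ) ) {
		$modification .= self::build_nginx_php_deny_block(
			ITSEC_Lib_Utility::get_relative_upload_url_path(),
			__( 'Disable PHP in Uploads - Security > Settings > System Tweaks > PHP in Uploads', 'better-wp-security' )
		);
	}

	if ( ! empty( $input['plugins_php'] ) ) {
		$modification .= self::build_nginx_php_deny_block(
			ITSEC_Lib_Utility::get_relative_url_path( WP_PLUGIN_URL ),
			__( 'Disable PHP in Plugins - Security > Settings > System Tweaks > PHP in Plugins', 'better-wp-security' )
		);
	}

	if ( ! empty( $input['themes_php'] ) ) {
		$modification .= self::build_nginx_php_deny_block(
			ITSEC_Lib_Utility::get_relative_url_path( get_theme_root_uri() ),
			__( 'Disable PHP in Themes - Security > Settings > System Tweaks > PHP in Themes', 'better-wp-security' )
		);
	}

	// Reject request methods the site does not serve.
	if ( ! empty( $input['request_methods'] ) ) {
		$modification .= "\n";
		$modification .= "\t# " . __( 'Filter Request Methods - Security > Settings > System Tweaks > Request Methods', 'better-wp-security' ) . "\n";
		$modification .= "\tif ( \$request_method ~* ^(TRACE|DELETE|TRACK)\$ ) { return 403; }\n";
	}

	// Query-string heuristics: $susquery is set to 1 by the patterns and back to 0 by the exemptions, so the exemptions win.
	if ( ! empty( $input['suspicious_query_strings'] ) ) {
		$modification .= "\n";
		$modification .= "\t# " . __( 'Filter Suspicious Query Strings in the URL - Security > Settings > System Tweaks > Suspicious Query Strings', 'better-wp-security' ) . "\n";
		$modification .= "\tset \$susquery 0;\n";
		$modification .= "\tif ( \$args ~* \"\\.\\./\" ) { set \$susquery 1; }\n";
		$modification .= "\tif ( \$args ~* \"\\.(bash|git|hg|log|svn|swp|cvs)\" ) { set \$susquery 1; }\n";
		$modification .= "\tif ( \$args ~* \"etc/passwd\" ) { set \$susquery 1; }\n";
		$modification .= "\tif ( \$args ~* \"boot\\.ini\" ) { set \$susquery 1; }\n";
		$modification .= "\tif ( \$args ~* \"ftp:\" ) { set \$susquery 1; }\n";
		$modification .= "\tif ( \$args ~* \"https?:\" ) { set \$susquery 1; }\n";
		$modification .= "\tif ( \$args ~* \"(<|%3C)script(>|%3E)\" ) { set \$susquery 1; }\n";
		$modification .= "\tif ( \$args ~* \"mosConfig_[a-zA-Z_]{1,21}(=|%3D)\" ) { set \$susquery 1; }\n";
		$modification .= "\tif ( \$args ~* \"base64_decode\\(\" ) { set \$susquery 1; }\n";
		$modification .= "\tif ( \$args ~* \"%24&x\" ) { set \$susquery 1; }\n";
		$modification .= "\tif ( \$args ~* \"127\\.0\" ) { set \$susquery 1; }\n";
		$modification .= "\tif ( \$args ~* \"(globals|encode|localhost|loopback)\" ) { set \$susquery 1; }\n";
		$modification .= "\tif ( \$args ~* \"(request|insert|concat|union|declare)\" ) { set \$susquery 1; }\n";
		$modification .= "\tif ( \$args ~* \"%[01][0-9A-F]\" ) { set \$susquery 1; }\n";
		$modification .= "\tif ( \$args ~ \"^loggedout=true\" ) { set \$susquery 0; }\n";
		$modification .= "\tif ( \$args ~ \"^action=jetpack-sso\" ) { set \$susquery 0; }\n";
		$modification .= "\tif ( \$args ~ \"^action=rp\" ) { set \$susquery 0; }\n";
		// Presence-only check on the cookie name; the value is not validated here, so this exempts
		// anyone who sends such a cookie. It is a convenience exemption for logged-in users, not an auth check.
		$modification .= "\tif ( \$http_cookie ~ \"wordpress_logged_in_\" ) { set \$susquery 0; }\n";
		$modification .= "\tif ( \$http_referer ~* \"^https?://maps\\.googleapis\\.com/\" ) { set \$susquery 0; }\n";
		$modification .= "\tif ( \$susquery = 1 ) { return 403; }\n";
	}

	// Reject percent-encoded bytes 0xA0-0xFF in the query string.
	if ( ! empty( $input['non_english_characters'] ) ) {
		$modification .= "\n";
		$modification .= "\t# " . __( 'Filter Non-English Characters - Security > Settings > System Tweaks > Non-English Characters', 'better-wp-security' ) . "\n";
		$modification .= "\tif (\$args ~* \"%[A-F][0-9A-F]\") { return 403; }\n";
	}

	return $modification;
}

/**
 * Build the nginx block that denies PHP execution below one directory.
 *
 * @param string $dir     Site-relative directory path, without leading or trailing slash. Empty yields no block.
 * @param string $heading Already-translated heading for the block's comment line.
 *
 * @return string The block, or '' when $dir is empty.
 */
private static function build_nginx_php_deny_block( $dir, $heading ) {
	if ( empty( $dir ) ) {
		return '';
	}

	// Regex-escape the directory; nginx location regexes have no delimiter, so none is passed.
	$dir = preg_quote( $dir );

	$block  = "\n";
	$block .= "\t# " . $heading . "\n";
	$block .= "\tlocation ~ ^/{$dir}/.*\\.(?:php[1-7]?|pht|phtml?|phps)\$ { deny all; }\n";

	return $block;
}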
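/**
 * Writes the generated rewrite rules into the .htaccess (or equivalent) file.
 *
 * The existing "# BEGIN/END iThemes Security" (or legacy "Better WP Security")
 * section is removed and the fresh rules are prepended as a new section; the
 * rest of the file is kept as-is.
 *
 * @since 4.0
 *
 * @access private
 *
 * @return bool true on success, false on failure
 */
private function write_rewrites() {
	$rules_to_write = $this->build_rewrites();

	if ( false === $rules_to_write ) {
		// Nothing to write: remove any stale section instead.
		return $this->delete_rewrites();
	}

	$rule_open  = array( '# BEGIN iThemes Security', '# BEGIN Better WP Security' );
	$rule_close = array( '# END iThemes Security', '# END Better WP Security' );

	$htaccess_file = ITSEC_Lib::get_htaccess();

	// Make sure the file exists and create it if it doesn't.
	if ( ! file_exists( $htaccess_file ) ) {
		@touch( $htaccess_file );
	}

	$htaccess_contents = @file_get_contents( $htaccess_file );

	if ( false === $htaccess_contents ) {
		// Test for the read failure before normalizing: preg_replace() would turn false into ''
		// and an unreadable file would then be overwritten with only the new section.
		return false;
	}

	// Normalize line endings so the section markers can be matched line by line.
	$htaccess_contents = preg_replace( "/(\\r\\n|\\n|\\r)/", PHP_EOL, $htaccess_contents );

	if ( null === $htaccess_contents ) {
		return false;
	}

	if ( count( $rules_to_write ) > 0 ) {
		$remaining_lines   = $this->strip_rewrite_section( explode( PHP_EOL, $htaccess_contents ), $rule_open, $rule_close );
		$htaccess_contents = $rule_open[0] . PHP_EOL . implode( PHP_EOL, $rules_to_write ) . PHP_EOL . $rule_close[0] . PHP_EOL . implode( PHP_EOL, $remaining_lines );
	}
	// NOTE: an empty rule set writes the normalized file back unchanged, existing section included;
	// a section is only removed through the build_rewrites() === false path above.

	return $this->write_file_preserving_perms( $htaccess_file, $htaccess_contents );
}

/**
 * Remove every line from an opening marker through the matching closing marker.
 *
 * Keys of the surviving lines are preserved, matching the original unset()-based
 * loop; callers only implode the result.
 *
 * @param string[] $lines Lines of the file.
 * @param string[] $open  Accepted opening marker lines.
 * @param string[] $close Accepted closing marker lines.
 *
 * @return string[] Lines outside the section.
 */
private function strip_rewrite_section( $lines, $open, $close ) {
	$in_section = false;

	foreach ( $lines as $index => $line ) {
		if ( in_array( $line, $open, true ) ) {
			$in_section = true;
		}

		// Marker lines themselves are dropped along with the section body.
		if ( $in_section ) {
			unset( $lines[ $index ] );
		}

		if ( in_array( $line, $close, true ) ) {
			$in_section = false;
		}
	}

	return $lines;
}

/**
 * Write $contents to $file, temporarily making the file writable.
 *
 * The file's original mode is restored afterwards; when write_files is enabled
 * the file is locked down to 0444 instead.
 *
 * @param string $file     Path to write.
 * @param string $contents Full new file contents.
 *
 * @return bool true if the write succeeded.
 */
private function write_file_preserving_perms( $file, $contents ) {
	// Last four octal digits of the mode, e.g. '0644'; a failed fileperms() yields '0', which the guard below rejects.
	$original_perms = substr( sprintf( '%o', @fileperms( $file ) ), -4 );
	@chmod( $file, 0664 );

	// 0 bytes written is a valid result for empty contents, so test for false rather than truthiness.
	$written = @file_put_contents( $file, $contents, LOCK_EX );

	// Undo the widening whatever the original mode was, so the file is not left group-writable (0664).
	if ( true === $this->write_files ) {
		@chmod( $file, 0444 );
	} elseif ( preg_match( '/^[0-7]{4}$/', $original_perms ) ) {
		@chmod( $file, octdec( $original_perms ) );
	}

	return false !== $written;
}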