Пример #1
0
    protected function render_settings($form)
    {
        $settings = $form->get_options();
        $xmlrpc_options = array('2' => __('Disable XML-RPC (recommended)', 'better-wp-security'), '1' => __('Disable Pingbacks', 'better-wp-security'), '0' => __('Enable XML-RPC', 'better-wp-security'));
        $allow_xmlrpc_multiauth_options = array(false => __('Block (recommended)', 'better-wp-security'), true => __('Allow', 'better-wp-security'));
        $jquery_version = ITSEC_Modules::get_setting($this->id, 'jquery_version');
        $jquery_version_is_safe = ITSEC_Lib::is_jquery_version_safe();
        if (empty($jquery_version)) {
            $jquery_description = sprintf(__('Your current jQuery version is undetermined. Please <a href="%1$s" target="_blank">check your homepage</a> to see if you even need this feature'), site_url());
        } else {
            $jquery_description = sprintf(__('Your current jQuery version is %1$s'), $jquery_version);
        }
        if ($jquery_version_is_safe) {
            $jquery_description_color = 'green';
        } else {
            $jquery_description_color = 'red';
        }
        ?>
	<p><?php 
        _e('Note: These settings are listed as advanced because they block common forms of attacks but they can also block legitimate plugins and themes that rely on the same techniques. When activating the settings below, we recommend enabling them one by one to test that everything on your site is still working as expected.', 'better-wp-security');
        ?>
</p>
	<p><?php 
        _e('Remember, some of these settings might conflict with other plugins or themes, so test your site after enabling each setting.', 'better-wp-security');
        ?>
</p>
	<table class="form-table">
		<tr>
			<th scope="row"><label for="itsec-wordpress-tweaks-wlwmanifest_header"><?php 
        _e('Windows Live Writer Header', 'better-wp-security');
        ?>
</label></th>
			<td>
				<?php 
        $form->add_checkbox('wlwmanifest_header');
        ?>
				<label for="itsec-wordpress-tweaks-wlwmanifest_header"><?php 
        _e('Remove the Windows Live Writer header.', 'better-wp-security');
        ?>
</label>
				<p class="description"><?php 
        _e('This is not needed if you do not use Windows Live Writer or other blogging clients that rely on this file.', 'better-wp-security');
        ?>
</p>
			</td>
		</tr>
		<tr>
			<th scope="row"><label for="itsec-wordpress-tweaks-edituri_header"><?php 
        _e('EditURI Header', 'better-wp-security');
        ?>
</label></th>
			<td>
				<?php 
        $form->add_checkbox('edituri_header');
        ?>
				<label for="itsec-wordpress-tweaks-edituri_header"><?php 
        _e('Remove the RSD (Really Simple Discovery) header.', 'better-wp-security');
        ?>
</label>
				<p class="description"><?php 
        _e('Removes the RSD (Really Simple Discovery) header. If you don\'t integrate your blog with external XML-RPC services such as Flickr then the "RSD" function is pretty much useless to you.', 'better-wp-security');
        ?>
</p>
			</td>
		</tr>
		<tr>
			<th scope="row"><label for="itsec-wordpress-tweaks-comment_spam"><?php 
        _e('Comment Spam', 'better-wp-security');
        ?>
</label></th>
			<td>
				<?php 
        $form->add_checkbox('comment_spam');
        ?>
				<label for="itsec-wordpress-tweaks-comment_spam"><?php 
        _e('Reduce Comment Spam', 'better-wp-security');
        ?>
</label>
				<p class="description"><?php 
        _e('This option will cut down on comment spam by denying comments from bots with no referrer or without a user-agent identified.', 'better-wp-security');
        ?>
</p>
			</td>
		</tr>
		<tr>
			<th scope="row"><label for="itsec-wordpress-tweaks-file_editor"><?php 
        _e('File Editor', 'better-wp-security');
        ?>
</label></th>
			<td>
				<?php 
        $form->add_checkbox('file_editor');
        ?>
				<label for="itsec-wordpress-tweaks-file_editor"><?php 
        _e('Disable File Editor', 'better-wp-security');
        ?>
</label>
				<p class="description"><?php 
        _e('Disables the file editor for plugins and themes requiring users to have access to the file system to modify files. Once activated you will need to manually edit theme and other files using a tool other than WordPress.', 'better-wp-security');
        ?>
</p>
			</td>
		</tr>
		<tr>
			<th scope="row"><label for="itsec-wordpress-tweaks-disable_xmlrpc"><?php 
        _e('XML-RPC', 'better-wp-security');
        ?>
</label></th>
			<td>
				<p><?php 
        printf(__('WordPress\' XML-RPC feature allows external services to access and modify content on the site. Common example of services that make use of XML-RPC are <a href="%1$s">the Jetpack plugin</a>, <a href="%2$s">the WordPress mobile app</a>, and <a href="%3$s">pingbacks</a>. If the site does not use a service that requires XML-RPC, select the "Disable XML-RPC" setting as disabling XML-RPC prevents attackers from using the feature to attack the site.', 'better-wp-security'), esc_url('https://jetpack.me/'), esc_url('https://apps.wordpress.org/'), esc_url('https://make.wordpress.org/support/user-manual/building-your-wordpress-community/trackbacks-and-pingbacks/#pingbacks'));
        ?>
</p>
				<?php 
        $form->add_select('disable_xmlrpc', $xmlrpc_options);
        ?>
				<ul>
					<li><?php 
        _e('<strong>Disable XML-RPC</strong> - XML-RPC is disabled on the site. This setting is highly recommended if Jetpack, the WordPress mobile app, pingbacks, and other services that use XML-RPC are not used.', 'better-wp-security');
        ?>
</li>
					<li><?php 
        _e('<strong>Disable Pingbacks</strong> - Only disable pingbacks. Other XML-RPC features will work as normal. Select this setting if you require features such as Jetpack or the WordPress Mobile app.', 'better-wp-security');
        ?>
</li>
					<li><?php 
        _e('<strong>Enable XML-RPC</strong> - XML-RPC is fully enabled and will function as normal. Use this setting only if the site must have unrestricted use of XML-RPC.', 'better-wp-security');
        ?>
</li>
				</ul>
			</td>
		</tr>
		<tr>
			<th scope="row"><label for="itsec-wordpress-tweaks-allow_xmlrpc_multiauth"><?php 
        _e('Multiple Authentication Attempts per XML-RPC Request', 'better-wp-security');
        ?>
</label></th>
			<td>
				<p><?php 
        _e('WordPress\' XML-RPC feature allows hundreds of username and password guesses per request. Use the recommended "Block" setting below to prevent attackers from exploiting this feature.', 'better-wp-security');
        ?>
</p>
				<?php 
        $form->add_select('allow_xmlrpc_multiauth', $allow_xmlrpc_multiauth_options);
        ?>
				<ul>
					<li><?php 
        _e('<strong>Block</strong> - Blocks XML-RPC requests that contain multiple login attempts. This setting is highly recommended.', 'better-wp-security');
        ?>
</li>
					<li><?php 
        _e('<strong>Allow</strong> - Allows XML-RPC requests that contain multiple login attempts. Only use this setting if a service requires it.', 'better-wp-security');
        ?>
</li>
				</ul>
			</td>
		</tr>
		<tr>
			<th scope="row"><label for="itsec-wordpress-tweaks-safe_jquery"><?php 
        _e('Replace jQuery With a Safe Version', 'better-wp-security');
        ?>
</label></th>
			<td>
				<?php 
        if ($jquery_version_is_safe) {
            ?>
					<?php 
            $form->add_checkbox('safe_jquery');
            ?>
					<label for="itsec-wordpress-tweaks-safe_jquery"><?php 
            _e('Enqueue a safe version of jQuery', 'better-wp-security');
            ?>
</label>
					<p class="description"><?php 
            _e('Remove the existing jQuery version used and replace it with a safe version (the version that comes default with WordPress).', 'better-wp-security');
            ?>
</p>
				<?php 
        }
        ?>
				
				<p class="description" style="color: <?php 
        echo esc_attr($jquery_description_color);
        ?>
"><?php 
        echo $jquery_description;
        ?>
</p>
				<p class="description"><?php 
        printf(__('Note that this only checks the homepage of your site and only for users who are logged in. This is done intentionally to save resources. If you think this is in error <a href="%s" target="_blank">click here to check again.</a> This will open your homepage in a new window allowing the plugin to determine the version of jQuery actually being used. You can then come back here and reload this page to see your version.', 'better-wp-security'), site_url());
        ?>
</p>
			</td>
		</tr>
		<tr>
			<th scope="row"><label for="itsec-wordpress-tweaks-login_errors"><?php 
        _e('Login Error Messages', 'better-wp-security');
        ?>
</label></th>
			<td>
				<?php 
        $form->add_checkbox('login_errors');
        ?>
				<label for="itsec-wordpress-tweaks-login_errors"><?php 
        _e('Disable login error messages', 'better-wp-security');
        ?>
</label>
				<p class="description"><?php 
        _e('Prevents error messages from being displayed to a user upon a failed login attempt.', 'better-wp-security');
        ?>
</p>
			</td>
		</tr>
		<tr>
			<th scope="row"><label for="itsec-wordpress-tweaks-force_unique_nicename"><?php 
        _e('Force Unique Nickname', 'better-wp-security');
        ?>
</label></th>
			<td>
				<?php 
        $form->add_checkbox('force_unique_nicename');
        ?>
				<label for="itsec-wordpress-tweaks-force_unique_nicename"><?php 
        _e('Force users to choose a unique nickname', 'better-wp-security');
        ?>
</label>
				<p class="description"><?php 
        _e('This forces users to choose a unique nickname when updating their profile or creating a new account which prevents bots and attackers from easily harvesting user\'s login usernames from the code on author pages. Note this does not automatically update existing users as it will affect author feed urls if used.', 'better-wp-security');
        ?>
</p>
			</td>
		</tr>
		<tr>
			<th scope="row"><label for="itsec-wordpress-tweaks-disable_unused_author_pages"><?php 
        _e('Disable Extra User Archives', 'better-wp-security');
        ?>
</label></th>
			<td>
				<?php 
        $form->add_checkbox('disable_unused_author_pages');
        ?>
				<label for="itsec-wordpress-tweaks-disable_unused_author_pages"><?php 
        _e('Disables a user\'s author page if their post count is 0.', 'better-wp-security');
        ?>
</label>
				<p class="description"><?php 
        _e('This makes it harder for bots to determine usernames by disabling post archives for users that don\'t post to your site.', 'better-wp-security');
        ?>
</p>
			</td>
		</tr>
	</table>
<?php 
    }