'render_tab1',
'tab2' => 'render_tab2',
'tab3' => 'render_tab3',
'tab4' => 'render_tab4',
'tab5' => 'render_tab5',
);
/**
 * Builds the menu object and immediately renders the menu page.
 *
 * Construction has a side effect (output via render_menu_page()), so this
 * object should only be instantiated when the page is meant to be displayed.
 */
public function __construct()
{
    $this->render_menu_page();
}
/**
 * Populates $this->menu_tabs with the key => caption pairs of this menu.
 *
 * The keys (tab1 .. tab5) are the same ones used by the tab handler map
 * declared above; the captions are translatable and are the only part a
 * user sees.
 */
function set_menu_tabs()
{
    $text_domain = 'all-in-one-wp-security-and-firewall';

    $captions = array();
    $captions['tab1'] = __('Rename Login Page', $text_domain);
    $captions['tab2'] = __('Cookie Based Brute Force Prevention', $text_domain);
    $captions['tab3'] = __('Login Captcha', $text_domain);
    $captions['tab4'] = __('Login Whitelist', $text_domain);
    $captions['tab5'] = __('Honeypot', $text_domain);

    $this->menu_tabs = $captions;
}
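/**
 * Returns the key of the tab that should be rendered.
 *
 * Reads the `tab` query parameter and falls back to the first key of
 * $this->menu_tabs when it is absent. A supplied value that is not one of
 * the known tab keys is also replaced by the default: sanitize_text_field()
 * only strips tags/whitespace, it does not restrict the value to the set of
 * tabs, so without the allow-list check a crafted `tab` value would be
 * returned verbatim (presumably feeding a handler lookup in
 * render_menu_page(), which is outside this listing).
 *
 * @return string one of the keys of $this->menu_tabs
 */
function get_current_tab()
{
    $tab_keys = array_keys($this->menu_tabs);
    $default_tab = $tab_keys[0];

    if (!isset($_GET['tab'])) {
        return $default_tab;
    }

    $requested_tab = sanitize_text_field($_GET['tab']);

    // Strict allow-list: only a key that exists in $this->menu_tabs is accepted,
    // anything else is treated the same as "no tab given".
    return in_array($requested_tab, $tab_keys, true) ? $requested_tab : $default_tab;
}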
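/**
 * Renders the tabs of this menu as nav items.
 *
 * On a multisite install, every tab except "Rename Login Page" (tab1) and
 * "Login Captcha" (tab3) is suppressed for sites other than the main site.
 * The check is done on the tab key rather than on the caption: the captions
 * in $this->menu_tabs are produced by __() and therefore translated, so a
 * substring match against the English caption (as the previous code did with
 * stristr()) would also hide those two tabs whenever a non-English locale
 * is active.
 */
function render_menu_tabs()
{
    // Keys of the tabs that stay visible on multisite sub-sites; see set_menu_tabs().
    $always_visible_tabs = array('tab1', 'tab3');

    $current_tab = $this->get_current_tab();

    // Loop-invariant: a sub-site of a multisite install only gets the two tabs above.
    $is_multisite_subsite = AIOWPSecurity_Utility::is_multisite_install() && get_current_blog_id() != 1;

    // NOTE(review): the wrapper markup around the tabs appears to have been
    // stripped from this listing; only the line breaks of the original output survive.
    echo "\n";
    foreach ($this->menu_tabs as $tab_key => $tab_caption) {
        if ($is_multisite_subsite && !in_array($tab_key, $always_visible_tabs, true)) {
            // Suppress all other Brute Force menu tabs on a multisite sub-site.
            continue;
        }

        $active = $current_tab == $tab_key ? 'nav-tab-active' : '';
        // NOTE(review): $active is not referenced by the echo below in this
        // listing; the anchor markup that presumably consumed it appears stripped.
        echo '' . $tab_caption . '';
    }
    echo "\n";
}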
/*
* The menu rendering goes here
*/
function render_menu_page()
{
echo '
debug_logger->log_debug("Nonce check failed for rename login page save!",4);
die("Nonce check failed for rename login page save!");
}
if (empty($_POST['aiowps_login_page_slug']) && isset($_POST["aiowps_enable_rename_login_page"])){
$error .= ' '.__('Please enter a value for your login page slug.','all-in-one-wp-security-and-firewall');
}else if (!empty($_POST['aiowps_login_page_slug'])){
$aiowps_login_page_slug = sanitize_text_field($_POST['aiowps_login_page_slug']);
if($aiowps_login_page_slug == 'wp-admin'){
$error .= ' '.__('You cannot use the value "wp-admin" for your login page slug.','all-in-one-wp-security-and-firewall');
}elseif(preg_match('/[^a-z_\-0-9]/i', $aiowps_login_page_slug)){
$error .= ' '.__('You must use alpha numeric characters for your login page slug.','all-in-one-wp-security-and-firewall');
}
}
if($error){
$this->show_msg_error(__('Attention!','all-in-one-wp-security-and-firewall').$error);
}else{
//Save all the form values to the options
if (isset($_POST["aiowps_enable_rename_login_page"])){
$aio_wp_security->configs->set_value('aiowps_enable_rename_login_page', '1');
$aio_wp_security->configs->set_value('aiowps_enable_brute_force_attack_prevention', '');//deactivate cookie based feature
}else{
$aio_wp_security->configs->set_value('aiowps_enable_rename_login_page', '');
}
$aio_wp_security->configs->set_value('aiowps_login_page_slug',$aiowps_login_page_slug);
$aio_wp_security->configs->save_config();
//Recalculate points after the feature status/options have been altered
$aiowps_feature_mgr->check_feature_status_and_recalculate_points();
$res = AIOWPSecurity_Utility_Htaccess::write_to_htaccess(); //Delete the cookie based directives if that feature is active
if ($res) {
$this->show_msg_settings_updated();
}
else {
$this->show_msg_error(__('Could not delete the Cookie-based directives from the .htaccess file. Please check the file permissions.', 'all-in-one-wp-security-and-firewall'));
}
/** The following is a fix/workaround for the following issue:
* https://wordpress.org/support/topic/applying-brute-force-rename-login-page-not-working/
* ie, when saving the rename login config, the logout link does not update on the first page load after the $_POST submit to reflect the new rename login setting.
* Added a page refresh to fix this for now until I figure out a better solution.
*
**/
$cur_url = "admin.php?page=".AIOWPSEC_BRUTE_FORCE_MENU_SLUG."&tab=tab1";
AIOWPSecurity_Utility::redirect_to_url($cur_url);
}
}
?>
Cookie Based Brute Force Prevention';
$white_list_feature_url = 'Login Page White List';
echo '
'.__('An effective Brute Force prevention technique is to change the default WordPress login page URL.', 'all-in-one-wp-security-and-firewall').'
'.
'
'.__('Normally if you wanted to login to WordPress you would type your site\'s home URL followed by wp-login.php.', 'all-in-one-wp-security-and-firewall').'
'.
'
'.__('This feature allows you to change the login URL by setting your own slug and renaming the last portion of the login URL which contains the wp-login.php to any string that you like.', 'all-in-one-wp-security-and-firewall').'
'.
'
'.__('By doing this, malicious bots and hackers will not be able to access your login page because they will not know the correct login page URL.', 'all-in-one-wp-security-and-firewall').'
'.
''.
'
'.__('You may also be interested in the following alternative brute force prevention features:', 'all-in-one-wp-security-and-firewall').'
debug_logger->log_debug("Nonce check failed on enable cookie based brute force prevention feature!",4);
die("Nonce check failed on enable cookie based brute force prevention feature!");
}
if(isset($_POST['aiowps_enable_brute_force_attack_prevention']))
{
$brute_force_feature_secret_word = sanitize_text_field($_POST['aiowps_brute_force_secret_word']);
if(empty($brute_force_feature_secret_word)){
$brute_force_feature_secret_word = "aiowps_secret";
}else if(!ctype_alnum($brute_force_feature_secret_word)){
$msg = '
'.__('Settings have not been saved - your secret word must consist only of alphanumeric characters, ie, letters and/or numbers only!', 'all-in-one-wp-security-and-firewall').'
'.__('It is important that you save this URL value somewhere in case you forget it, OR,', 'all-in-one-wp-security-and-firewall').'
';
$msg .= '
'.sprintf( __('simply remember to add a "?%s=1" to your current site URL address.', 'all-in-one-wp-security-and-firewall'), $brute_force_feature_secret_word).'
';
}
}
else
{
$aio_wp_security->configs->set_value('aiowps_enable_brute_force_attack_prevention','');
$msg = __('You have successfully saved cookie based brute force prevention feature settings.', 'all-in-one-wp-security-and-firewall');
}
if(isset($_POST['aiowps_brute_force_attack_prevention_pw_protected_exception']))
{
$aio_wp_security->configs->set_value('aiowps_brute_force_attack_prevention_pw_protected_exception','1');
}
else
{
$aio_wp_security->configs->set_value('aiowps_brute_force_attack_prevention_pw_protected_exception','');
}
if(isset($_POST['aiowps_brute_force_attack_prevention_ajax_exception']))
{
$aio_wp_security->configs->set_value('aiowps_brute_force_attack_prevention_ajax_exception','1');
}
else
{
$aio_wp_security->configs->set_value('aiowps_brute_force_attack_prevention_ajax_exception','');
}
if (!$error)
{
$aio_wp_security->configs->save_config();//save the value
//Recalculate points after the feature status/options have been altered
$aiowps_feature_mgr->check_feature_status_and_recalculate_points();
$res = AIOWPSecurity_Utility_Htaccess::write_to_htaccess();
if ($res) {
echo '
';
echo $msg;
echo '
';
}
else {
$this->show_msg_error(__('Could not write to the .htaccess file. Please check the file permissions.', 'all-in-one-wp-security-and-firewall'));
}
}
else
{
$this->show_msg_error($msg);
}
}
?>
'.__('A Brute Force Attack is when a hacker tries many combinations of usernames and passwords until they succeed in guessing the right combination.', 'all-in-one-wp-security-and-firewall').
' '.__('Due to the fact that at any one time there may be many concurrent login attempts occurring on your site via malicious automated robots, this also has a negative impact on your server\'s memory and performance.', 'all-in-one-wp-security-and-firewall').
' '.__('The features in this tab will stop the majority of Brute Force Login Attacks at the .htaccess level thus providing even better protection for your WP login page and also reducing the load on your server because the system does not have to run PHP code to process the login attempts.', 'all-in-one-wp-security-and-firewall').'';
?>
backup';
$video_link = 'video tutorial';
$info_msg = sprintf( __('Even though this feature should not have any impact on your site\'s general functionality you are strongly encouraged to take a %s of your .htaccess file before proceeding.', 'all-in-one-wp-security-and-firewall'), $backup_tab_link);
$info_msg1 = __('If this feature is not used correctly, you can get locked out of your site. A backed up .htaccess file will come in handy if that happens.', 'all-in-one-wp-security-and-firewall');
$info_msg2 = sprintf( __('To learn more about how to use this feature please watch the following %s.', 'all-in-one-wp-security-and-firewall'), $video_link);
$brute_force_login_feature_link = 'Cookie-Based Brute Force Login Prevention';
echo '
debug_logger->log_debug("Nonce check failed on captcha settings save!",4);
die("Nonce check failed on captcha settings save!");
}
//Save all the form values to the options
$random_20_digit_string = AIOWPSecurity_Utility::generate_alpha_numeric_random_string(20); //Generate random 20 char string for use during captcha encode/decode
$aio_wp_security->configs->set_value('aiowps_captcha_secret_key', $random_20_digit_string);
$aio_wp_security->configs->set_value('aiowps_enable_login_captcha',isset($_POST["aiowps_enable_login_captcha"])?'1':'');
$aio_wp_security->configs->set_value('aiowps_enable_woo_login_captcha',isset($_POST["aiowps_enable_woo_login_captcha"])?'1':'');
$aio_wp_security->configs->set_value('aiowps_enable_woo_register_captcha',isset($_POST["aiowps_enable_woo_register_captcha"])?'1':'');
$aio_wp_security->configs->set_value('aiowps_enable_custom_login_captcha',isset($_POST["aiowps_enable_custom_login_captcha"])?'1':'');
$aio_wp_security->configs->set_value('aiowps_enable_lost_password_captcha',isset($_POST["aiowps_enable_lost_password_captcha"])?'1':'');
$aio_wp_security->configs->save_config();
//Recalculate points after the feature status/options have been altered
$aiowps_feature_mgr->check_feature_status_and_recalculate_points();
$this->show_msg_settings_updated();
}
?>
'.__('This feature allows you to add a captcha form on the WordPress login page.', 'all-in-one-wp-security-and-firewall').'
'.__('Users who attempt to login will also need to enter the answer to a simple mathematical question - if they enter the wrong answer, the plugin will not allow them login even if they entered the correct username and password.', 'all-in-one-wp-security-and-firewall').'
'.__('Therefore, adding a captcha form on the login page is another effective yet simple "Brute Force" prevention technique.', 'all-in-one-wp-security-and-firewall').'
';
?>
debug_logger->log_debug("Nonce check failed for save whitelist settings!",4);
die(__('Nonce check failed for save whitelist settings!','all-in-one-wp-security-and-firewall'));
}
if (isset($_POST["aiowps_enable_whitelisting"]) && empty($_POST['aiowps_allowed_ip_addresses']))
{
$this->show_msg_error('You must submit at least one IP address!','all-in-one-wp-security-and-firewall');
}
else
{
if (!empty($_POST['aiowps_allowed_ip_addresses']))
{
$ip_addresses = $_POST['aiowps_allowed_ip_addresses'];
$ip_list_array = AIOWPSecurity_Utility_IP::create_ip_list_array_from_string_with_newline($ip_addresses);
$payload = AIOWPSecurity_Utility_IP::validate_ip_list($ip_list_array, 'whitelist');
if($payload[0] == 1){
//success case
$result = 1;
$list = $payload[1];
$whitelist_ip_data = implode(PHP_EOL, $list);
$aio_wp_security->configs->set_value('aiowps_allowed_ip_addresses',$whitelist_ip_data);
$_POST['aiowps_allowed_ip_addresses'] = ''; //Clear the post variable for the banned address list
}
else{
$result = -1;
$error_msg = htmlspecialchars($payload[1][0]);
$this->show_msg_error($error_msg);
}
}
else
{
$aio_wp_security->configs->set_value('aiowps_allowed_ip_addresses',''); //Clear the IP address config value
}
if ($result == 1)
{
$aio_wp_security->configs->set_value('aiowps_enable_whitelisting',isset($_POST["aiowps_enable_whitelisting"])?'1':'');
$aio_wp_security->configs->save_config(); //Save the configuration
//Recalculate points after the feature status/options have been altered
$aiowps_feature_mgr->check_feature_status_and_recalculate_points();
$this->show_msg_settings_updated();
$write_result = AIOWPSecurity_Utility_Htaccess::write_to_htaccess(); //now let's write to the .htaccess file
if ( !$write_result )
{
$this->show_msg_error(__('The plugin was unable to write to the .htaccess file. Please edit file manually.','all-in-one-wp-security-and-firewall'));
$aio_wp_security->debug_logger->log_debug("AIOWPSecurity_whitelist_Menu - The plugin was unable to write to the .htaccess file.");
}
}
}
}
?>
'.__('The All In One WP Security Whitelist feature gives you the option of only allowing certain IP addresses or ranges to have access to your WordPress login page.', 'all-in-one-wp-security-and-firewall').'
'.__('This feature will deny login access for all IP addresses which are not in your whitelist as configured in the settings below.', 'all-in-one-wp-security-and-firewall').'
'.__('The plugin achieves this by writing the appropriate directives to your .htaccess file.', 'all-in-one-wp-security-and-firewall').'
'.__('By allowing/blocking IP addresses via the .htaccess file your are using the most secure first line of defence because login access will only be granted to whitelisted IP addresses and other addresses will be blocked as soon as they try to access your login page.', 'all-in-one-wp-security-and-firewall').'
';
?>
'.sprintf( __('Attention: If in addition to enabling the white list feature, you also have one of the %s or %s features enabled, you will still need to use your secret word or special slug in the URL when trying to access your WordPress login page.', 'all-in-one-wp-security-and-firewall'), $brute_force_login_feature_link, $rename_login_feature_link).'
'.__('These features are NOT functionally related. Having both of them enabled on your site means you are creating 2 layers of security.', 'all-in-one-wp-security-and-firewall').'
debug_logger->log_debug("Nonce check failed on honeypot settings save!",4);
die("Nonce check failed on honeypot settings save!");
}
//Save all the form values to the options
$aio_wp_security->configs->set_value('aiowps_enable_login_honeypot',isset($_POST["aiowps_enable_login_honeypot"])?'1':'');
$aio_wp_security->configs->save_config();
//Recalculate points after the feature status/options have been altered
$aiowps_feature_mgr->check_feature_status_and_recalculate_points();
$this->show_msg_settings_updated();
}
?>
'.__('This feature allows you to add a special hidden "honeypot" field on the WordPress login page. This will only be visible to robots and not humans.', 'all-in-one-wp-security-and-firewall').'
'.__('Since robots usually fill in every input field from a login form, they will also submit a value for the special hidden honeypot field.', 'all-in-one-wp-security-and-firewall').'
'.__('The way honeypots work is that a hidden field is placed somewhere inside a form which only robots will submit. If that field contains a value when the form is submitted then a robot has most likely submitted the form and it is consequently dealt with.', 'all-in-one-wp-security-and-firewall').'
'.__('Therefore, if the plugin detects that this field has a value when the login form is submitted, then the robot which is attempting to login to your site will be redirected to its localhost address - http://127.0.0.1.', 'all-in-one-wp-security-and-firewall').'
';
?>