configs->get_value('aiowps_disable_xmlrpc_pingback_methods') == '1') { add_filter( 'xmlrpc_methods', array(&$this, 'aiowps_disable_xmlrpc_pingback_methods') ); add_filter( 'wp_headers', array(&$this, 'aiowps_remove_x_pingback_header') ); } add_action( 'permalink_structure_changed', array(&$this, 'refresh_firewall_rules' ), 10, 2); if ($aio_wp_security->configs->get_value('aiowps_enable_autoblock_spam_ip') == '1') { AIOWPSecurity_Blocking::check_visitor_ip_and_perform_blocking(); //add_action( 'spammed_comment', array(&$this, 'process_spammed_comment' )); //this hook gets fired when admin marks comment as spam //add_action( 'akismet_submit_spam_comment', array(&$this, 'process_akismet_submit_spam_comment' ), 10, 2); //this hook gets fired when akismet marks a comment as spam add_action( 'comment_post', array(&$this, 'spam_detect_process_comment_post' ), 10, 2); //this hook gets fired just after comment is saved to DB add_action( 'transition_comment_status', array(&$this, 'process_transition_comment_status' ), 10, 3); //this hook gets fired when a comment's status changes } if ($aio_wp_security->configs->get_value('aiowps_enable_rename_login_page') == '1') { add_action( 'widgets_init', array(&$this, 'remove_standard_wp_meta_widget' )); add_filter( 'retrieve_password_message', array(&$this, 'decode_reset_pw_msg'), 10, 4); //Fix for non decoded html entities in password reset link } add_action('admin_notices', array(&$this,'reapply_htaccess_rules_notice')); if(isset($_REQUEST['aiowps_reapply_htaccess'])){ if(strip_tags($_REQUEST['aiowps_reapply_htaccess']) == 1){ include_once ('wp-security-installer.php'); if(AIOWPSecurity_Installer::reactivation_tasks()){ echo '

The AIOWPS .htaccess rules were successfully re-inserted.

'; }else{ echo '

AIOWPS encountered an error when trying to write to your .htaccess file. Please check the logs.

'; } }elseif(strip_tags($_REQUEST['aiowps_reapply_htaccess']) == 2){ //Don't re-write the rules and just delete the temp config item delete_option('aiowps_temp_configs'); } } if($aio_wp_security->configs->get_value('aiowps_prevent_site_display_inside_frame') == '1'){ send_frame_options_header(); //send X-Frame-Options: SAMEORIGIN in HTTP header } if($aio_wp_security->configs->get_value('aiowps_remove_wp_generator_meta_info') == '1'){ add_filter('the_generator', array(&$this,'remove_wp_generator_meta_info')); add_filter('style_loader_src', array(&$this,'remove_wp_css_js_meta_info')); add_filter('script_loader_src', array(&$this,'remove_wp_css_js_meta_info')); } //For the cookie based brute force prevention feature if($aio_wp_security->configs->get_value('aiowps_enable_brute_force_attack_prevention') == 1){ $bfcf_secret_word = $aio_wp_security->configs->get_value('aiowps_brute_force_secret_word'); if(isset($_GET[$bfcf_secret_word])){ //If URL contains secret word in query param then set cookie and then redirect to the login page AIOWPSecurity_Utility::set_cookie_value($bfcf_secret_word, "1"); AIOWPSecurity_Utility::redirect_to_url(AIOWPSEC_WP_URL."/wp-admin"); } } //Stop users enumeration feature if( $aio_wp_security->configs->get_value('aiowps_prevent_users_enumeration') == 1) { include_once(AIO_WP_SECURITY_PATH.'/other-includes/wp-security-stop-users-enumeration.php'); } //For user unlock request feature if(isset($_POST['aiowps_unlock_request']) || isset($_POST['aiowps_wp_submit_unlock_request'])){ nocache_headers(); remove_action('wp_head','head_addons',7); include_once(AIO_WP_SECURITY_PATH.'/other-includes/wp-security-unlock-request.php'); exit(); } if(isset($_GET['aiowps_auth_key'])){ //If URL contains unlock key in query param then process the request $unlock_key = strip_tags($_GET['aiowps_auth_key']); AIOWPSecurity_User_Login::process_unlock_request($unlock_key); } //For honeypot feature if(isset($_POST['aio_special_field'])){ $special_field_value = strip_tags($_POST['aio_special_field']); if(!empty($special_field_value)){ //This means a robot has submitted the login form! //Redirect back to its localhost AIOWPSecurity_Utility::redirect_to_url('http://127.0.0.1'); } } //For 404 IP lockout feature if($aio_wp_security->configs->get_value('aiowps_enable_404_IP_lockout') == '1'){ if (!is_user_logged_in() || !current_user_can('administrator')) { $this->do_404_lockout_tasks(); } } //For login captcha feature if($aio_wp_security->configs->get_value('aiowps_enable_login_captcha') == '1'){ if (!is_user_logged_in()) { add_action('login_form', array(&$this, 'insert_captcha_question_form')); } } //For custom login form captcha feature, ie, when wp_login_form() function is used to generate login form if($aio_wp_security->configs->get_value('aiowps_enable_custom_login_captcha') == '1'){ if (!is_user_logged_in()) { add_filter( 'login_form_middle', array(&$this, 'insert_captcha_custom_login'), 10, 2); //For cases where the WP wp_login_form() function is used } } //For honeypot feature if($aio_wp_security->configs->get_value('aiowps_enable_login_honeypot') == '1'){ if (!is_user_logged_in()) { add_action('login_form', array(&$this, 'insert_honeypot_hidden_field')); } } //For lost password captcha feature if($aio_wp_security->configs->get_value('aiowps_enable_lost_password_captcha') == '1'){ if (!is_user_logged_in()) { add_action('lostpassword_form', array(&$this, 'insert_captcha_question_form')); add_action('lostpassword_post', array(&$this, 'process_lost_password_form_post')); } } //For registration manual approval feature if($aio_wp_security->configs->get_value('aiowps_enable_manual_registration_approval') == '1'){ add_filter('wp_login_errors', array(&$this, 'modify_registration_page_messages'),10, 2); } //For registration page captcha feature if (AIOWPSecurity_Utility::is_multisite_install()){ $blog_id = get_current_blog_id(); switch_to_blog($blog_id); if($aio_wp_security->configs->get_value('aiowps_enable_registration_page_captcha') == '1'){ if (!is_user_logged_in()) { add_action('signup_extra_fields', array(&$this, 'insert_captcha_question_form_multi')); //add_action('preprocess_signup_form', array(&$this, 'process_signup_form_multi')); add_filter( 'wpmu_validate_user_signup', array(&$this, 'process_signup_form_multi') ); } } restore_current_blog(); }else{ if($aio_wp_security->configs->get_value('aiowps_enable_registration_page_captcha') == '1'){ if (!is_user_logged_in()) { add_action('register_form', array(&$this, 'insert_captcha_question_form')); } } } //For comment captcha feature if (AIOWPSecurity_Utility::is_multisite_install()){ $blog_id = get_current_blog_id(); switch_to_blog($blog_id); if($aio_wp_security->configs->get_value('aiowps_enable_comment_captcha') == '1'){ add_action( 'comment_form_after_fields', array(&$this, 'insert_captcha_question_form'), 1 ); add_action( 'comment_form_logged_in_after', array(&$this, 'insert_captcha_question_form'), 1 ); add_filter( 'preprocess_comment', array(&$this, 'process_comment_post') ); } restore_current_blog(); }else{ if($aio_wp_security->configs->get_value('aiowps_enable_comment_captcha') == '1'){ add_action( 'comment_form_after_fields', array(&$this, 'insert_captcha_question_form'), 1 ); add_action( 'comment_form_logged_in_after', array(&$this, 'insert_captcha_question_form'), 1 ); add_filter( 'preprocess_comment', array(&$this, 'process_comment_post') ); } } //For buddypress registration captcha feature if($aio_wp_security->configs->get_value('aiowps_enable_bp_register_captcha') == '1'){ add_action('bp_account_details_fields', array(&$this, 'insert_captcha_question_form')); add_action('bp_signup_validate', array(&$this, 'buddy_press_signup_validate_captcha')); } //For feature which displays logged in users $this->update_logged_in_user_transient(); //For block fake googlebots feature if($aio_wp_security->configs->get_value('aiowps_block_fake_googlebots') == '1'){ include_once(AIO_WP_SECURITY_PATH.'/classes/wp-security-bot-protection.php'); AIOWPSecurity_Fake_Bot_Protection::block_fake_googlebots(); } //For 404 event logging if($aio_wp_security->configs->get_value('aiowps_enable_404_logging') == '1'){ add_action('wp_head', array(&$this, 'check_404_event')); } //Add more tasks that need to be executed at init time } function aiowps_disable_xmlrpc_pingback_methods( $methods ) { unset( $methods['pingback.ping'] ); unset( $methods['pingback.extensions.getPingbacks'] ); return $methods; } function aiowps_remove_x_pingback_header( $headers ) { unset( $headers['X-Pingback'] ); return $headers; } /** * Refreshes the firewall rules in .htaccess file * eg: if permalink settings changed and white list enabled * @param $old_permalink_structure * @param $permalink_structure */ function refresh_firewall_rules($old_permalink_structure, $permalink_structure){ global $aio_wp_security; //If white list enabled need to re-adjust the .htaccess rules if ($aio_wp_security->configs->get_value('aiowps_enable_whitelisting') == '1') { $write_result = AIOWPSecurity_Utility_Htaccess::write_to_htaccess(); //now let's write to the .htaccess file if ( !$write_result ) { $this->show_msg_error(__('The plugin was unable to write to the .htaccess file. Please edit file manually.','all-in-one-wp-security-and-firewall')); $aio_wp_security->debug_logger->log_debug("AIOWPSecurity_whitelist_Menu - The plugin was unable to write to the .htaccess file."); } } } function spam_detect_process_comment_post($comment_id, $comment_approved) { if($comment_approved === "spam"){ $this->block_comment_ip($comment_id); } } function process_transition_comment_status($new_status, $old_status, $comment) { if($new_status == 'spam'){ $this->block_comment_ip($comment->comment_ID); } } /** * Will check auto-spam blocking settings and will add IP to blocked table accordingly * @param $comment_id */ function block_comment_ip($comment_id) { global $aio_wp_security, $wpdb; $comment_obj = get_comment( $comment_id ); $comment_ip = $comment_obj->comment_author_IP; //Get number of spam comments from this IP $sql = $wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_approved = 'spam' AND comment_author_IP = %s ", $comment_ip); $comment_data = $wpdb->get_results($sql, ARRAY_A); $spam_count = count($comment_data); $min_comment_before_block = $aio_wp_security->configs->get_value('aiowps_spam_ip_min_comments_block'); if(!empty($min_comment_before_block) && $spam_count >= ($min_comment_before_block - 1)){ AIOWPSecurity_Blocking::add_ip_to_block_list($comment_ip, 'spam'); } } function remove_standard_wp_meta_widget() { unregister_widget('WP_Widget_Meta'); } function remove_wp_generator_meta_info() { return ''; } function remove_wp_css_js_meta_info($src) { global $wp_version; static $wp_version_hash = null; // Cache hash value for all function calls // Replace only version number of assets with WP version if ( strpos($src, 'ver=' . $wp_version) !== false ) { if ( !$wp_version_hash ) { $wp_version_hash = wp_hash($wp_version); } // Replace version number with computed hash $src = add_query_arg('ver', $wp_version_hash, $src); } return $src; } function do_404_lockout_tasks(){ global $aio_wp_security; $redirect_url = $aio_wp_security->configs->get_value('aiowps_404_lock_redirect_url'); //This is the redirect URL for blocked users $visitor_ip = AIOWPSecurity_Utility_IP::get_user_ip_address(); $is_locked = AIOWPSecurity_Utility::check_locked_ip($visitor_ip); if($is_locked){ //redirect blocked user to configured URL AIOWPSecurity_Utility::redirect_to_url($redirect_url); }else{ //allow through } } function update_logged_in_user_transient(){ if(is_user_logged_in()){ $current_user_ip = AIOWPSecurity_Utility_IP::get_user_ip_address(); // get the logged in users list from transients entry $logged_in_users = (AIOWPSecurity_Utility::is_multisite_install() ? get_site_transient('users_online') : get_transient('users_online')); $current_user = wp_get_current_user(); $current_user = $current_user->ID; $current_time = current_time('timestamp'); $current_user_info = array("user_id" => $current_user, "last_activity" => $current_time, "ip_address" => $current_user_ip); //We will store last activity time and ip address in transient entry if($logged_in_users === false || $logged_in_users == NULL){ $logged_in_users = array(); $logged_in_users[] = $current_user_info; AIOWPSecurity_Utility::is_multisite_install() ? set_site_transient('users_online', $logged_in_users, 30 * 60) : set_transient('users_online', $logged_in_users, 30 * 60); } else { $key = 0; $do_nothing = false; $update_existing = false; $item_index = 0; foreach ($logged_in_users as $value) { if($value['user_id'] == $current_user && strcmp($value['ip_address'], $current_user_ip) == 0) { if ($value['last_activity'] < ($current_time - (15 * 60))) { $update_existing = true; $item_index = $key; break; }else{ $do_nothing = true; break; } } $key++; } if($update_existing) { //Update transient if the last activity was less than 15 min ago for this user $logged_in_users[$item_index] = $current_user_info; AIOWPSecurity_Utility::is_multisite_install() ? set_site_transient('users_online', $logged_in_users, 30 * 60) : set_transient('users_online', $logged_in_users, 30 * 60); }else if($do_nothing){ //Do nothing }else{ $logged_in_users[] = $current_user_info; AIOWPSecurity_Utility::is_multisite_install() ? set_site_transient('users_online', $logged_in_users, 30 * 60) : set_transient('users_online', $logged_in_users, 30 * 60); } } } } function insert_captcha_custom_login($cust_html_code, $args) { global $aio_wp_security; $cap_form = '

'; $cap_form .= '

'; $maths_question_output = $aio_wp_security->captcha_obj->generate_maths_question(); $cap_form .= $maths_question_output . '

'; $cust_html_code .= $cap_form; return $cust_html_code; } function insert_captcha_question_form_multi($error) { global $aio_wp_security; $aio_wp_security->captcha_obj->display_captcha_form(); } function process_signup_form_multi($result) { global $aio_wp_security; //Check if captcha enabled if (array_key_exists('aiowps-captcha-answer', $_POST)) //If the register form with captcha was submitted then do some processing { isset($_POST['aiowps-captcha-answer'])?$captcha_answer = strip_tags(trim($_POST['aiowps-captcha-answer'])): $captcha_answer = ''; $captcha_secret_string = $aio_wp_security->configs->get_value('aiowps_captcha_secret_key'); $submitted_encoded_string = base64_encode($_POST['aiowps-captcha-temp-string'].$captcha_secret_string.$captcha_answer); $trans_handle = sanitize_text_field($_POST['aiowps-captcha-string-info']); $captcha_string_info_trans = (AIOWPSecurity_Utility::is_multisite_install() ? get_site_transient('aiowps_captcha_string_info_'.$trans_handle) : get_transient('aiowps_captcha_string_info_'.$trans_handle)); if($submitted_encoded_string !== $captcha_string_info_trans) { //This means a wrong answer was entered $result['errors']->add('generic', __('ERROR: Your answer was incorrect - please try again.', 'all-in-one-wp-security-and-firewall')); } } return $result; } function insert_captcha_question_form(){ global $aio_wp_security; $aio_wp_security->captcha_obj->display_captcha_form(); } function insert_honeypot_hidden_field(){ $honey_input = '

'; $honey_input .= '

'; echo $honey_input; } function process_comment_post( $comment ) { global $aio_wp_security; if (is_user_logged_in()) { return $comment; } //Don't process captcha for comment replies inside admin menu if (isset( $_REQUEST['action'] ) && $_REQUEST['action'] == 'replyto-comment' && (check_ajax_referer('replyto-comment', '_ajax_nonce', false) || check_ajax_referer('replyto-comment', '_ajax_nonce-replyto-comment', false))) { return $comment; } //Don't do captcha for pingback/trackback if ($comment['comment_type'] != '' && $comment['comment_type'] != 'comment') { return $comment; } if (isset($_REQUEST['aiowps-captcha-answer'])) { // If answer is empty if ($_REQUEST['aiowps-captcha-answer'] == ''){ wp_die( __('Please enter an answer in the CAPTCHA field.', 'all-in-one-wp-security-and-firewall' ) ); } $captcha_answer = trim($_REQUEST['aiowps-captcha-answer']); $captcha_secret_string = $aio_wp_security->configs->get_value('aiowps_captcha_secret_key'); $submitted_encoded_string = base64_encode($_POST['aiowps-captcha-temp-string'].$captcha_secret_string.$captcha_answer); $trans_handle = sanitize_text_field($_POST['aiowps-captcha-string-info']); $captcha_string_info_trans = (AIOWPSecurity_Utility::is_multisite_install() ? get_site_transient('aiowps_captcha_string_info_'.$trans_handle) : get_transient('aiowps_captcha_string_info_'.$trans_handle)); if ($captcha_string_info_trans === $submitted_encoded_string){ //Correct answer given return($comment); }else{ //Wrong answer wp_die( __('Error: You entered an incorrect CAPTCHA answer. Please go back and try again.', 'all-in-one-wp-security-and-firewall')); } } } function process_lost_password_form_post() { global $aio_wp_security; //Check if captcha enabled if ($aio_wp_security->configs->get_value('aiowps_enable_lost_password_captcha') == '1') { if (array_key_exists('aiowps-captcha-answer', $_POST)) //If the lost pass form with captcha was submitted then do some processing { isset($_POST['aiowps-captcha-answer'])?($captcha_answer = strip_tags(trim($_POST['aiowps-captcha-answer']))):($captcha_answer = ''); $captcha_secret_string = $aio_wp_security->configs->get_value('aiowps_captcha_secret_key'); $submitted_encoded_string = base64_encode($_POST['aiowps-captcha-temp-string'].$captcha_secret_string.$captcha_answer); $trans_handle = sanitize_text_field($_POST['aiowps-captcha-string-info']); $captcha_string_info_trans = (AIOWPSecurity_Utility::is_multisite_install() ? get_site_transient('aiowps_captcha_string_info_'.$trans_handle) : get_transient('aiowps_captcha_string_info_'.$trans_handle)); if($submitted_encoded_string !== $captcha_string_info_trans) { add_filter('allow_password_reset', array(&$this, 'add_lostpassword_captcha_error_msg')); } } } } function add_lostpassword_captcha_error_msg() { //Insert an error just before the password reset process kicks in return new WP_Error('aiowps_captcha_error',__('ERROR: Your answer was incorrect - please try again.', 'all-in-one-wp-security-and-firewall')); } function check_404_event() { if(is_404()){ //This means a 404 event has occurred - let's log it! AIOWPSecurity_Utility::event_logger('404'); } } function buddy_press_signup_validate_captcha($errors) { global $bp, $aio_wp_security; //Check if captcha enabled if (array_key_exists('aiowps-captcha-answer', $_POST)) //If the register form with captcha was submitted then do some processing { isset($_POST['aiowps-captcha-answer'])?$captcha_answer = strip_tags(trim($_POST['aiowps-captcha-answer'])): $captcha_answer = ''; $captcha_secret_string = $aio_wp_security->configs->get_value('aiowps_captcha_secret_key'); $submitted_encoded_string = base64_encode($_POST['aiowps-captcha-temp-string'].$captcha_secret_string.$captcha_answer); $trans_handle = sanitize_text_field($_POST['aiowps-captcha-string-info']); $captcha_string_info_trans = (AIOWPSecurity_Utility::is_multisite_install() ? get_site_transient('aiowps_captcha_string_info_'.$trans_handle) : get_transient('aiowps_captcha_string_info_'.$trans_handle)); if($submitted_encoded_string !== $captcha_string_info_trans) { //This means a wrong answer was entered $bp->signup->errors['aiowps-captcha-answer'] = __('Your CAPTCHA answer was incorrect - please try again.', 'all-in-one-wp-security-and-firewall'); } } return; } //Displays a notice message if the plugin was reactivated after being initially deactivated. //Notice message gives users option of re-applying the aiowps rules which were deleted from the .htaccess when deactivation occurred function reapply_htaccess_rules_notice() { if (get_option('aiowps_temp_configs') !== FALSE){ echo '

Would you like All In One WP Security & Firewall to re-insert the security rules in your .htaccess file which were cleared when you deactivated the plugin?  Yes  No

'; } } //This is a fix for cases when the password reset URL in the email was not decoding all html entities properly function decode_reset_pw_msg($message, $key, $user_login, $user_data) { global $aio_wp_security; $message = html_entity_decode($message); return $message; } function modify_registration_page_messages($errors, $redirect_to) { if( isset($_GET['checkemail']) && 'registered' == $_GET['checkemail'] ){ if(is_wp_error($errors)){ $errors->remove('registered'); $pending_approval_msg = __('Your registration is pending approval.', 'all-in-one-wp-security-and-firewall'); $pending_approval_msg = apply_filters('aiowps_pending_registration_message', $pending_approval_msg); $errors->add('registered', $pending_approval_msg, array('registered'=>'message')); } } return $errors; } }