759 lines
30 KiB
PHP
759 lines
30 KiB
PHP
<?php
|
|
if (!defined('ABSPATH')) {
|
|
exit;//Exit if accessed directly
|
|
}
|
|
|
|
class AIOWPSecurity_General_Init_Tasks {
|
|
public function __construct() {
|
|
// Do init time tasks
|
|
global $aio_wp_security;
|
|
|
|
if ('1' == $aio_wp_security->configs->get_value('aiowps_disable_xmlrpc_pingback_methods')) {
|
|
add_filter('xmlrpc_methods', array($this, 'aiowps_disable_xmlrpc_pingback_methods'));
|
|
add_filter('wp_headers', array($this, 'aiowps_remove_x_pingback_header'));
|
|
}
|
|
|
|
if ('1' == $aio_wp_security->configs->get_value('aiowps_disable_rss_and_atom_feeds')) {
|
|
add_action('do_feed', array($this, 'block_feed'), 1);
|
|
add_action('do_feed_rdf', array($this, 'block_feed'), 1);
|
|
add_action('do_feed_rss', array($this, 'block_feed'), 1);
|
|
add_action('do_feed_rss2', array($this, 'block_feed'), 1);
|
|
add_action('do_feed_atom', array($this, 'block_feed'), 1);
|
|
add_action('do_feed_rss2_comments', array($this, 'block_feed'), 1);
|
|
add_action('do_feed_atom_comments', array($this, 'block_feed'), 1);
|
|
|
|
remove_action('wp_head', 'feed_links_extra', 3);
|
|
remove_action('wp_head', 'feed_links', 2);
|
|
}
|
|
|
|
// Check permanent block list and block if applicable (ie, do PHP blocking)
|
|
if (!is_user_logged_in()) {
|
|
AIOWPSecurity_Blocking::check_visitor_ip_and_perform_blocking();
|
|
}
|
|
|
|
if ('1' == $aio_wp_security->configs->get_value('aiowps_enable_spambot_detecting') && '0' == $aio_wp_security->configs->get_value('aiowps_spam_comments_should')) {
|
|
add_action('pre_comment_on_post', array($this, 'spam_detecting_and_process_comments_discard'), 10, 2); //this hook gets fired before comment is added
|
|
}
|
|
|
|
if ('1' == $aio_wp_security->configs->get_value('aiowps_enable_spambot_detecting') && '1' == $aio_wp_security->configs->get_value('aiowps_spam_comments_should')) {
|
|
add_filter('pre_comment_approved', array($this, 'spam_detecting_and_process_comments_mark_spam'), 10, 2); //this hook filters a comments approval status before it is set
|
|
}
|
|
|
|
if ('1' == $aio_wp_security->configs->get_value('aiowps_enable_autoblock_spam_ip')) {
|
|
add_action('comment_post', array($this, 'spam_detect_process_comment_post'), 10, 2); //this hook gets fired just after comment is saved to DB
|
|
add_action('transition_comment_status', array($this, 'process_transition_comment_status'), 10, 3); //this hook gets fired when a comment's status changes
|
|
}
|
|
|
|
if ('1' == $aio_wp_security->configs->get_value('aiowps_enable_rename_login_page')) {
|
|
add_action('widgets_init', array($this, 'remove_standard_wp_meta_widget'));
|
|
add_filter('retrieve_password_message', array($this, 'decode_reset_pw_msg'), 10, 4); //Fix for non decoded html entities in password reset link
|
|
}
|
|
|
|
if (AIOWPSecurity_Utility_Permissions::has_manage_cap() && is_admin()) {
|
|
if ('1' == $aio_wp_security->configs->get_value('aios_google_recaptcha_invalid_configuration')) {
|
|
add_action('all_admin_notices', array($this, 'google_recaptcha_notice'));
|
|
}
|
|
|
|
if (is_main_site() && is_super_admin()) {
|
|
add_action('all_admin_notices', array($this, 'do_firewall_notice'));
|
|
add_action('admin_post_aiowps_firewall_setup', array(AIOWPSecurity_Firewall_Setup_Notice::get_instance(), 'handle_setup_form'));
|
|
add_action('admin_post_aiowps_firewall_downgrade', array(AIOWPSecurity_Firewall_Setup_Notice::get_instance(), 'handle_downgrade_protection_form'));
|
|
add_action('admin_post_aiowps_firewall_setup_dismiss', array(AIOWPSecurity_Firewall_Setup_Notice::get_instance(), 'handle_dismiss_form'));
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Send X-Frame-Options: SAMEORIGIN in HTTP header
|
|
*/
|
|
if ('1' == $aio_wp_security->configs->get_value('aiowps_prevent_site_display_inside_frame')) {
|
|
add_action('template_redirect', 'send_frame_options_header');
|
|
}
|
|
|
|
if ('1' == $aio_wp_security->configs->get_value('aiowps_remove_wp_generator_meta_info')) {
|
|
add_filter('the_generator', array($this,'remove_wp_generator_meta_info'));
|
|
add_filter('style_loader_src', array($this,'remove_wp_css_js_meta_info'));
|
|
add_filter('script_loader_src', array($this,'remove_wp_css_js_meta_info'));
|
|
}
|
|
|
|
// For the cookie based brute force prevention feature
|
|
// Already logged in user should not redirected to brute_force_redirect_url in any case so added condition !is_user_logged_in()
|
|
if ('1' == $aio_wp_security->configs->get_value('aiowps_enable_brute_force_attack_prevention')) {
|
|
$bfcf_secret_word = $aio_wp_security->configs->get_value('aiowps_brute_force_secret_word');
|
|
if (isset($_GET[$bfcf_secret_word])) {
|
|
AIOWPSecurity_Utility_IP::check_login_whitelist_and_forbid();
|
|
|
|
// If URL contains secret word in query param then set cookie and then redirect to the login page
|
|
AIOWPSecurity_Utility::set_cookie_value(AIOWPSecurity_Utility::get_brute_force_secret_cookie_name(), AIOS_Helper::get_hash($bfcf_secret_word));
|
|
if ('1' == $aio_wp_security->configs->get_value('aiowps_enable_rename_login_page') && !is_user_logged_in()) {
|
|
$login_url = home_url((get_option('permalink_structure') ? '' : '?') . $aio_wp_security->configs->get_value('aiowps_login_page_slug'));
|
|
AIOWPSecurity_Utility::redirect_to_url($login_url);
|
|
} elseif (!is_user_logged_in()) {
|
|
AIOWPSecurity_Utility::redirect_to_url(AIOWPSEC_WP_URL.'/wp-admin');
|
|
}
|
|
}
|
|
}
|
|
// Stop users enumeration feature
|
|
if (1 == $aio_wp_security->configs->get_value('aiowps_prevent_users_enumeration')) {
|
|
include_once(AIO_WP_SECURITY_PATH.'/other-includes/wp-security-stop-users-enumeration.php');
|
|
add_filter('rest_request_before_callbacks', array($this, 'rest_request_before_callbacks'), 10, 1);
|
|
add_filter('oembed_response_data', array($this, 'oembed_response_data'), 10, 1);
|
|
}
|
|
|
|
// REST API security
|
|
if ($aio_wp_security->configs->get_value('aiowps_disallow_unauthorized_rest_requests') == 1) {
|
|
add_action('rest_api_init', array($this, 'check_rest_api_requests'), 10, 1);
|
|
}
|
|
|
|
// For user unlock request feature
|
|
if (isset($_POST['aiowps_unlock_request']) || isset($_POST['aiowps_wp_submit_unlock_request'])) {
|
|
nocache_headers();
|
|
remove_action('wp_head', 'head_addons', 7);
|
|
include_once(AIO_WP_SECURITY_PATH.'/other-includes/wp-security-unlock-request.php');
|
|
exit();
|
|
}
|
|
|
|
if (isset($_GET['aiowps_auth_key'])) {
|
|
//If URL contains unlock key in query param then process the request
|
|
$unlock_key = sanitize_text_field($_GET['aiowps_auth_key']);
|
|
AIOWPSecurity_User_Login::process_unlock_request($unlock_key);
|
|
}
|
|
|
|
// For honeypot feature
|
|
if (isset($_POST['aio_special_field'])) {
|
|
$special_field_value = sanitize_text_field($_POST['aio_special_field']);
|
|
if (!empty($special_field_value)) {
|
|
//This means a robot has submitted the login form!
|
|
//Redirect back to its localhost
|
|
AIOWPSecurity_Utility::redirect_to_url('http://127.0.0.1');
|
|
}
|
|
}
|
|
|
|
// For 404 IP lockout feature
|
|
if ($aio_wp_security->configs->get_value('aiowps_enable_404_IP_lockout') == '1') {
|
|
if (!is_user_logged_in() || !current_user_can('administrator')) {
|
|
$this->do_404_lockout_tasks();
|
|
}
|
|
}
|
|
|
|
|
|
// For login CAPTCHA feature
|
|
if ($aio_wp_security->configs->get_value('aiowps_enable_login_captcha') == '1') {
|
|
if (!is_user_logged_in()) {
|
|
add_action('login_form', array($aio_wp_security->captcha_obj, 'insert_captcha_question_form'));
|
|
}
|
|
}
|
|
|
|
// For woo form CAPTCHA features
|
|
if ($aio_wp_security->configs->get_value('aiowps_enable_woo_login_captcha') == '1') {
|
|
if (!is_user_logged_in()) {
|
|
add_action('woocommerce_login_form', array($aio_wp_security->captcha_obj, 'insert_captcha_question_form'));
|
|
}
|
|
if (isset($_POST['woocommerce-login-nonce'])) {
|
|
add_filter('woocommerce_process_login_errors', array($this, 'aiowps_validate_woo_login_or_reg_captcha'), 10, 3);
|
|
}
|
|
}
|
|
|
|
if ($aio_wp_security->configs->get_value('aiowps_enable_woo_register_captcha') == '1') {
|
|
if (!is_user_logged_in()) {
|
|
add_action('woocommerce_register_form', array($aio_wp_security->captcha_obj, 'insert_captcha_question_form'));
|
|
}
|
|
|
|
if (isset($_POST['woocommerce-register-nonce'])) {
|
|
add_filter('woocommerce_process_registration_errors', array($this, 'aiowps_validate_woo_login_or_reg_captcha'), 10, 3);
|
|
}
|
|
}
|
|
|
|
if ($aio_wp_security->configs->get_value('aiowps_enable_woo_lostpassword_captcha') == '1') {
|
|
if (!is_user_logged_in()) {
|
|
add_action('woocommerce_lostpassword_form', array($aio_wp_security->captcha_obj, 'insert_captcha_question_form'));
|
|
}
|
|
if (isset($_POST['woocommerce-lost-password-nonce'])) {
|
|
add_action('lostpassword_post', array($this, 'process_woo_lost_password_form_post'));
|
|
}
|
|
}
|
|
|
|
// For bbPress new topic form CAPTCHA
|
|
if ($aio_wp_security->configs->get_value('aiowps_enable_bbp_new_topic_captcha') == '1') {
|
|
if (!is_user_logged_in()) {
|
|
add_action('bbp_theme_before_topic_form_submit_wrapper', array($aio_wp_security->captcha_obj, 'insert_captcha_question_form'));
|
|
}
|
|
}
|
|
|
|
// For custom login form CAPTCHA feature, ie, when wp_login_form() function is used to generate login form
|
|
if ('1' == $aio_wp_security->configs->get_value('aiowps_enable_custom_login_captcha') && !is_user_logged_in()) {
|
|
add_filter('login_form_middle', array($aio_wp_security->captcha_obj, 'insert_captcha_custom_login'), 10, 2); //For cases where the WP wp_login_form() function is used
|
|
add_filter('login_form_bottom', array($aio_wp_security->captcha_obj, 'add_captcha_script'), 20);
|
|
}
|
|
|
|
// For password protected pages CAPTCHA feature
|
|
if ('1' == $aio_wp_security->configs->get_value('aiowps_enable_password_protected_captcha')) {
|
|
add_filter('the_password_form', array($aio_wp_security->captcha_obj, 'insert_captcha_password_protected'));
|
|
add_action('login_form_postpass', array($aio_wp_security->captcha_obj, 'validate_password_protected_password_form_with_captcha'));
|
|
}
|
|
|
|
// For honeypot feature
|
|
if ($aio_wp_security->configs->get_value('aiowps_enable_login_honeypot') == '1') {
|
|
if (!is_user_logged_in()) {
|
|
add_action('login_form', array($this, 'insert_honeypot_hidden_field'));
|
|
}
|
|
}
|
|
|
|
// For registration honeypot feature
|
|
if ($aio_wp_security->configs->get_value('aiowps_enable_registration_honeypot') == '1') {
|
|
if (!is_user_logged_in()) {
|
|
add_action('register_form', array($this, 'insert_honeypot_hidden_field'));
|
|
}
|
|
}
|
|
|
|
// For disable application password feature hide generate password
|
|
if ('1' == $aio_wp_security->configs->get_value('aiowps_disable_application_password')) {
|
|
add_filter('wp_is_application_passwords_available', '__return_false');
|
|
add_action('edit_user_profile', array($this, 'show_disabled_application_password_message'));
|
|
add_action('show_user_profile', array($this, 'show_disabled_application_password_message'));
|
|
|
|
// Override the wp_die handler for app passwords were disabled.
|
|
if (!empty($_SERVER['SCRIPT_FILENAME']) && ABSPATH . 'wp-admin/authorize-application.php' == $_SERVER['SCRIPT_FILENAME']) {
|
|
add_filter('wp_die_handler', function () {
|
|
return function ($message, $title, $args) {
|
|
if ('Application passwords are not available.' == $message) {
|
|
$message = htmlspecialchars(__('Application passwords have been disabled by All In One WP Security & Firewall plugin.', 'all-in-one-wp-security-and-firewall'));
|
|
}
|
|
_default_wp_die_handler($message, $title, $args);
|
|
};
|
|
}, 10, 1);
|
|
}
|
|
}
|
|
|
|
// For lost password CAPTCHA feature
|
|
if ($aio_wp_security->configs->get_value('aiowps_enable_lost_password_captcha') == '1') {
|
|
if (!is_user_logged_in()) {
|
|
add_action('lostpassword_form', array($aio_wp_security->captcha_obj, 'insert_captcha_question_form'));
|
|
add_action('lostpassword_post', array($this, 'process_lost_password_form_post'));
|
|
}
|
|
}
|
|
|
|
// For registration manual approval feature
|
|
if ($aio_wp_security->configs->get_value('aiowps_enable_manual_registration_approval') == '1') {
|
|
add_filter('wp_login_errors', array($this, 'modify_registration_page_messages'), 10, 2);
|
|
}
|
|
|
|
// For registration page CAPTCHA feature
|
|
if (is_multisite()) {
|
|
$blog_id = get_current_blog_id();
|
|
switch_to_blog($blog_id);
|
|
if ($aio_wp_security->configs->get_value('aiowps_enable_registration_page_captcha') == '1') {
|
|
if (!is_user_logged_in()) {
|
|
add_action('signup_extra_fields', array($this, 'insert_captcha_question_form_multi'));
|
|
//add_action('preprocess_signup_form', array($this, 'process_signup_form_multi'));
|
|
add_filter('wpmu_validate_user_signup', array($this, 'process_signup_form_multi'));
|
|
}
|
|
}
|
|
restore_current_blog();
|
|
} else {
|
|
if ($aio_wp_security->configs->get_value('aiowps_enable_registration_page_captcha') == '1') {
|
|
if (!is_user_logged_in()) {
|
|
add_action('register_form', array($aio_wp_security->captcha_obj, 'insert_captcha_question_form'));
|
|
}
|
|
}
|
|
}
|
|
|
|
// For comment CAPTCHA feature or custom login form CAPTCHA
|
|
if (is_multisite()) {
|
|
$blog_id = get_current_blog_id();
|
|
switch_to_blog($blog_id);
|
|
if ('1' == $aio_wp_security->configs->get_value('aiowps_enable_comment_captcha') && !is_user_logged_in()) {
|
|
add_action('comment_form_after_fields', array($aio_wp_security->captcha_obj, 'insert_captcha_question_form'), 1);
|
|
add_action('comment_form_after_fields', array($aio_wp_security->captcha_obj, 'add_captcha_script'), 10);
|
|
add_filter('preprocess_comment', array($this, 'process_comment_post'));
|
|
}
|
|
restore_current_blog();
|
|
} else {
|
|
if ('1' == $aio_wp_security->configs->get_value('aiowps_enable_comment_captcha') && !is_user_logged_in()) {
|
|
add_action('comment_form_after_fields', array($aio_wp_security->captcha_obj, 'insert_captcha_question_form'), 1);
|
|
add_action('comment_form_after_fields', array($aio_wp_security->captcha_obj, 'add_captcha_script'), 10);
|
|
add_filter('preprocess_comment', array($this, 'process_comment_post'));
|
|
}
|
|
}
|
|
|
|
// For BuddyPress registration CAPTCHA feature
|
|
if ('1' == $aio_wp_security->configs->get_value('aiowps_enable_bp_register_captcha')) {
|
|
add_action('bp_before_registration_submit_buttons', array($aio_wp_security->captcha_obj, 'insert_captcha_question_form'));
|
|
add_action('bp_before_registration_submit_buttons', array($aio_wp_security->captcha_obj, 'add_captcha_script'), 10);
|
|
add_action('bp_signup_validate', array($this, 'buddy_press_signup_validate_captcha'));
|
|
}
|
|
|
|
// For 404 event logging
|
|
if ($aio_wp_security->configs->get_value('aiowps_enable_404_logging') == '1') {
|
|
add_action('wp_head', array($this, 'check_404_event'));
|
|
}
|
|
|
|
// For antibot post page set cookies.
|
|
if ('1' == $aio_wp_security->configs->get_value('aiowps_enable_spambot_detecting')) {
|
|
add_action('template_redirect', array($this, 'post_antibot_cookie'));
|
|
add_filter('comment_form_submit_field', array($this, 'comment_form_submit_field'), 10, 1);
|
|
}
|
|
|
|
// For delete readme.html and wp-config-sample.php.
|
|
if ('1' == $aio_wp_security->configs->get_value('aiowps_auto_delete_default_wp_files')) {
|
|
add_action('upgrader_process_complete', array($this, 'delete_unneeded_files_after_upgrade'), 10, 2);
|
|
}
|
|
|
|
// Add more tasks that need to be executed at init time
|
|
|
|
} // end _construct()
|
|
|
|
public function aiowps_disable_xmlrpc_pingback_methods($methods) {
|
|
unset($methods['pingback.ping']);
|
|
unset($methods['pingback.extensions.getPingbacks']);
|
|
return $methods;
|
|
}
|
|
|
|
public function aiowps_remove_x_pingback_header($headers) {
|
|
unset($headers['X-Pingback']);
|
|
return $headers;
|
|
}
|
|
|
|
/**
|
|
* Blocks feed by redirecting user to home url.
|
|
*
|
|
* @return Void
|
|
*/
|
|
public function block_feed() {
|
|
wp_redirect(home_url());
|
|
}
|
|
|
|
/**
|
|
* Spam detection and discard comment.
|
|
*
|
|
* @param int $comment_post_id
|
|
*
|
|
* @return void
|
|
*/
|
|
public function spam_detecting_and_process_comments_discard($comment_post_id) {
|
|
$is_comment_should_not_allowed = AIOWPSecurity_Comment::is_comment_spam_detected();
|
|
if ($is_comment_should_not_allowed) {
|
|
$this->spam_discard_auto_block_ip();
|
|
$comments = get_comments(array('number' => '1', 'post_id' => $comment_post_id));
|
|
if ($comments) {
|
|
$loc = get_comment_link($comments[0]->comment_ID);
|
|
} else {
|
|
$loc = get_permalink($comment_post_id) . '#spam-comment-msg';
|
|
}
|
|
wp_safe_redirect($loc);
|
|
exit;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Block IP for spam discard after minimum comments reached.
|
|
*
|
|
* @return void
|
|
*/
|
|
public function spam_discard_auto_block_ip() {
|
|
global $aio_wp_security, $wpdb;
|
|
|
|
if ('1' != $aio_wp_security->configs->get_value('aiowps_enable_autoblock_spam_ip')) return;
|
|
|
|
AIOWPSecurity_Utility::event_logger('spam_discard');
|
|
$comment_ip = AIOWPSecurity_Utility_IP::get_user_ip_address();
|
|
$spam_count = $wpdb->get_var($wpdb->prepare("SELECT COUNT(id) FROM ".AIOWPSEC_TBL_EVENTS." WHERE ip_or_host = %s AND event_type=%s", $comment_ip, 'spam_discard'));
|
|
$min_comment_before_block = $aio_wp_security->configs->get_value('aiowps_spam_ip_min_comments_block');
|
|
if (!empty($min_comment_before_block) && $spam_count > $min_comment_before_block) {
|
|
AIOWPSecurity_Blocking::add_ip_to_block_list($comment_ip, 'spam_discard');
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Spam detection and mark as spam comment.
|
|
*
|
|
* @param string $approved
|
|
*
|
|
* @return string status
|
|
*/
|
|
public function spam_detecting_and_process_comments_mark_spam($approved) {
|
|
return AIOWPSecurity_Comment::is_comment_spam_detected() ? 'spam' : $approved;
|
|
}
|
|
|
|
public function spam_detect_process_comment_post($comment_id, $comment_approved) {
|
|
if ("spam" === $comment_approved) {
|
|
$this->block_comment_ip($comment_id);
|
|
}
|
|
|
|
}
|
|
|
|
public function process_transition_comment_status($new_status, $old_status, $comment) {
|
|
if ('spam' == $new_status) {
|
|
$this->block_comment_ip($comment->comment_ID);
|
|
}
|
|
|
|
}
|
|
|
|
/**
|
|
* Will check auto-spam blocking settings and will add IP to blocked table accordingly
|
|
*
|
|
* @param int $comment_id
|
|
*/
|
|
public function block_comment_ip($comment_id) {
|
|
global $aio_wp_security, $wpdb;
|
|
$comment_obj = get_comment($comment_id);
|
|
$comment_ip = $comment_obj->comment_author_IP;
|
|
//Get number of spam comments from this IP
|
|
$sql = $wpdb->prepare("SELECT * FROM $wpdb->comments
|
|
WHERE comment_approved = 'spam'
|
|
AND comment_author_IP = %s
|
|
", $comment_ip);
|
|
$comment_data = $wpdb->get_results($sql, ARRAY_A);
|
|
$spam_count = count($comment_data);
|
|
$min_comment_before_block = $aio_wp_security->configs->get_value('aiowps_spam_ip_min_comments_block');
|
|
if (!empty($min_comment_before_block) && $spam_count >= ($min_comment_before_block - 1)) {
|
|
AIOWPSecurity_Blocking::add_ip_to_block_list($comment_ip, 'spam');
|
|
}
|
|
}
|
|
|
|
public function remove_standard_wp_meta_widget() {
|
|
unregister_widget('WP_Widget_Meta');
|
|
}
|
|
|
|
public function remove_wp_generator_meta_info() {
|
|
return '';
|
|
}
|
|
|
|
/**
|
|
* This function removes wp meta info from style and script src
|
|
*
|
|
* @param string|null $src - the src for the style or script
|
|
* @return string
|
|
*/
|
|
public function remove_wp_css_js_meta_info($src) {
|
|
global $wp_version;
|
|
static $wp_version_hash = null; // Cache hash value for all function calls
|
|
|
|
if (empty($src)) return '';
|
|
|
|
// Replace only version number of assets with WP version
|
|
if (strpos($src, 'ver=' . $wp_version) !== false) {
|
|
if (!$wp_version_hash) {
|
|
$wp_version_hash = wp_hash($wp_version);
|
|
}
|
|
// Replace version number with computed hash
|
|
$src = add_query_arg('ver', $wp_version_hash, $src);
|
|
}
|
|
return $src;
|
|
}
|
|
|
|
public function do_404_lockout_tasks() {
|
|
global $aio_wp_security;
|
|
$redirect_url = $aio_wp_security->configs->get_value('aiowps_404_lock_redirect_url'); //This is the redirect URL for blocked users
|
|
|
|
$visitor_ip = AIOWPSecurity_Utility_IP::get_user_ip_address();
|
|
|
|
$is_locked = AIOWPSecurity_Utility::check_locked_ip($visitor_ip, '404');
|
|
|
|
if ($is_locked) {
|
|
//redirect blocked user to configured URL
|
|
AIOWPSecurity_Utility::redirect_to_url($redirect_url);
|
|
} else {
|
|
//allow through
|
|
}
|
|
}
|
|
|
|
public function insert_captcha_question_form_multi() {
|
|
global $aio_wp_security;
|
|
$default_captcha = $aio_wp_security->configs->get_value('aiowps_default_captcha');
|
|
$aio_wp_security->captcha_obj->display_captcha_form($default_captcha);
|
|
}
|
|
|
|
public function process_signup_form_multi($result) {
|
|
global $aio_wp_security;
|
|
// Check if CAPTCHA enabled
|
|
$verify_captcha = $aio_wp_security->captcha_obj->verify_captcha_submit();
|
|
if (false === $verify_captcha) {
|
|
// wrong answer was entered
|
|
$result['errors']->add('generic', __('<strong>ERROR</strong>: Your answer was incorrect - please try again.', 'all-in-one-wp-security-and-firewall'));
|
|
}
|
|
return $result;
|
|
}
|
|
|
|
/**
|
|
* This function echos a honeypot hidden field into login or register form
|
|
*
|
|
* @return void
|
|
*/
|
|
public function insert_honeypot_hidden_field() {
|
|
$honey_input = '<p style="display: none;"><label>'.__('Enter something special:', 'all-in-one-wp-security-and-firewall').'</label>';
|
|
$honey_input .= '<input name="aio_special_field" type="text" class="aio_special_field" value="" /></p>';
|
|
echo $honey_input;
|
|
}
|
|
|
|
/**
|
|
* Shows application password disabled message on user edit profile page.
|
|
* If logged user is admin showing the Change Setting option.
|
|
*
|
|
* @return void
|
|
*/
|
|
public function show_disabled_application_password_message() {
|
|
if (is_user_logged_in() && is_admin()) {
|
|
$disabled_message = '<h2>'.__('Application passwords', 'all-in-one-wp-security-and-firewall').'</h2>';
|
|
$disabled_message .= '<table class="form-table" role="presentation">';
|
|
$disabled_message .= '<tbody>';
|
|
$disabled_message .= '<tr id="disable-password">';
|
|
$disabled_message .= '<th>'.__('Disabled', 'all-in-one-wp-security-and-firewall').'</th>';
|
|
$disabled_message .= '<td>'.htmlspecialchars(__('Application passwords have been disabled by All In One WP Security & Firewall plugin.', 'all-in-one-wp-security-and-firewall'));
|
|
if (AIOWPSecurity_Utility_Permissions::has_manage_cap()) {
|
|
$aiowps_additional_setting_url = 'admin.php?page=aiowpsec_userlogin&tab=additional';
|
|
$change_setting_url = is_multisite() ? network_admin_url($aiowps_additional_setting_url) : admin_url($aiowps_additional_setting_url);
|
|
$disabled_message .= '<p><a href="'.$change_setting_url.'" class="button">'.__('Change setting', 'all-in-one-wp-security-and-firewall').'</a></p>';
|
|
} else {
|
|
$disabled_message .= ' '.__('Site admin can only change this setting.', 'all-in-one-wp-security-and-firewall');
|
|
}
|
|
$disabled_message .= '</td>';
|
|
$disabled_message .= '</tr>';
|
|
$disabled_message .= '<tbody>';
|
|
$disabled_message .= '</table>';
|
|
echo $disabled_message;
|
|
}
|
|
}
|
|
|
|
public function process_comment_post($comment) {
|
|
global $aio_wp_security;
|
|
if (is_user_logged_in()) {
|
|
return $comment;
|
|
}
|
|
|
|
// Don't process CAPTCHA for comment replies inside admin menu
|
|
if (isset($_REQUEST['action']) && 'replyto-comment' == $_REQUEST['action'] && (check_ajax_referer('replyto-comment', '_ajax_nonce', false) || check_ajax_referer('replyto-comment', '_ajax_nonce-replyto-comment', false))) {
|
|
return $comment;
|
|
}
|
|
|
|
// Don't do CAPTCHA for pingback/trackback
|
|
if ('' != $comment['comment_type'] && 'comment' != $comment['comment_type'] && 'review' != $comment['comment_type']) {
|
|
return $comment;
|
|
}
|
|
|
|
$verify_captcha = $aio_wp_security->captcha_obj->verify_captcha_submit();
|
|
if (false === $verify_captcha) {
|
|
//Wrong answer
|
|
wp_die(__('Error: You entered an incorrect CAPTCHA answer, please go back and try again.', 'all-in-one-wp-security-and-firewall'));
|
|
} else {
|
|
return($comment);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Process the main Wordpress account lost password login form post
|
|
* Called by wp hook "lostpassword_post"
|
|
*/
|
|
public function process_lost_password_form_post() {
|
|
global $aio_wp_security;
|
|
|
|
// Workaround - the WooCommerce lost password form also uses the same "lostpassword_post" hook.
|
|
// We don't want to process woo forms here so ignore if this is a woo lost password $_POST
|
|
if (!array_key_exists('woocommerce-lost-password-nonce', $_POST)) {
|
|
$verify_captcha = $aio_wp_security->captcha_obj->verify_captcha_submit();
|
|
if (false === $verify_captcha) {
|
|
add_filter('allow_password_reset', array($this, 'add_lostpassword_captcha_error_msg'));
|
|
}
|
|
}
|
|
}
|
|
|
|
public function add_lostpassword_captcha_error_msg() {
|
|
//Insert an error just before the password reset process kicks in
|
|
return new WP_Error('aiowps_captcha_error', __('<strong>ERROR</strong>: Your answer was incorrect - please try again.', 'all-in-one-wp-security-and-firewall'));
|
|
}
|
|
|
|
public function check_404_event() {
|
|
if (is_404()) {
|
|
//This means a 404 event has occurred - let's log it!
|
|
AIOWPSecurity_Utility::event_logger('404');
|
|
}
|
|
|
|
}
|
|
|
|
/**
|
|
* Deletes unneeded default WP files if they're regenerated after core upgrade.
|
|
*
|
|
* @param WP_Upgrader $upgrader
|
|
* @param array $hook_extra
|
|
*
|
|
* @return void
|
|
*/
|
|
public function delete_unneeded_files_after_upgrade($upgrader, $hook_extra) {
|
|
if (empty($hook_extra)) {
|
|
return;
|
|
}
|
|
|
|
if (isset($hook_extra['action']) && 'update' == $hook_extra['action'] && isset($hook_extra['type']) && 'core' == $hook_extra['type']) {
|
|
AIOWPSecurity_Utility::delete_unneeded_default_files();
|
|
}
|
|
}
|
|
|
|
public function buddy_press_signup_validate_captcha() {
|
|
global $bp, $aio_wp_security;
|
|
// Check CAPTCHA if required
|
|
$verify_captcha = $aio_wp_security->captcha_obj->verify_captcha_submit();
|
|
if (false === $verify_captcha) {
|
|
// wrong answer was entered
|
|
$bp->signup->errors['aiowps-captcha-answer'] = __('Your CAPTCHA answer was incorrect - please try again.', 'all-in-one-wp-security-and-firewall');
|
|
}
|
|
return;
|
|
}
|
|
|
|
public function aiowps_validate_woo_login_or_reg_captcha($errors) {
|
|
global $aio_wp_security;
|
|
$locked = $aio_wp_security->user_login_obj->check_locked_user();
|
|
if (!empty($locked)) {
|
|
$errors->add('authentication_failed', __('<strong>ERROR</strong>: Your IP address is currently locked please contact the administrator!', 'all-in-one-wp-security-and-firewall'));
|
|
return $errors;
|
|
}
|
|
|
|
$verify_captcha = $aio_wp_security->captcha_obj->verify_captcha_submit();
|
|
if (false === $verify_captcha) {
|
|
// wrong answer was entered
|
|
$errors->add('authentication_failed', __('<strong>ERROR</strong>: Your answer was incorrect - please try again.', 'all-in-one-wp-security-and-firewall'));
|
|
}
|
|
return $errors;
|
|
|
|
}
|
|
|
|
/**
|
|
* Process the WooCommerce lost password login form post
|
|
* Called by wp hook "lostpassword_post"
|
|
*/
|
|
public function process_woo_lost_password_form_post() {
|
|
global $aio_wp_security;
|
|
|
|
if (isset($_POST['woocommerce-lost-password-nonce'])) {
|
|
$verify_captcha = $aio_wp_security->captcha_obj->verify_captcha_submit();
|
|
if (false === $verify_captcha) {
|
|
add_filter('allow_password_reset', array($this, 'add_lostpassword_captcha_error_msg'));
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Displays a notice message if the entered recatcha site key is wrong.
|
|
*/
|
|
public function google_recaptcha_notice() {
|
|
global $aio_wp_security;
|
|
|
|
if (($aio_wp_security->is_admin_dashboard_page() || $aio_wp_security->is_plugin_admin_page() || $aio_wp_security->is_aiowps_admin_page()) && !$aio_wp_security->is_aiowps_google_recaptcha_tab_page()) {
|
|
$recaptcha_tab_url = 'admin.php?page='.AIOWPSEC_BRUTE_FORCE_MENU_SLUG.'&tab=login-captcha';
|
|
echo '<div class="notice notice-warning"><p>';
|
|
/* translators: %s: Admin Dashboard > WP Security > Brute Force > Login CAPTCHA Tab Link */
|
|
printf(__('Your Google reCAPTCHA configuration is invalid.', 'all-in-one-wp-security-and-firewall').' '.__('Please enter the correct reCAPTCHA keys %s to use the Google reCAPTCHA feature.', 'all-in-one-wp-security-and-firewall'), '<a href="'.esc_url($recaptcha_tab_url).'">'.__('here', 'all-in-one-wp-security-and-firewall').'</a>');
|
|
echo '</p></div>';
|
|
}
|
|
}
|
|
|
|
/**
|
|
* This is a fix for cases when the password reset URL in the email was not decoding all html entities properly
|
|
*
|
|
* @param string $message
|
|
* @return string
|
|
*/
|
|
public function decode_reset_pw_msg($message) {
|
|
$message = html_entity_decode($message);
|
|
return $message;
|
|
}
|
|
|
|
public function modify_registration_page_messages($errors) {
|
|
if (isset($_GET['checkemail']) && 'registered' == $_GET['checkemail']) {
|
|
if (is_wp_error($errors)) {
|
|
$errors->remove('registered');
|
|
$pending_approval_msg = __('Your registration is pending approval.', 'all-in-one-wp-security-and-firewall');
|
|
$pending_approval_msg = apply_filters('aiowps_pending_registration_message', $pending_approval_msg);
|
|
$errors->add('registered', $pending_approval_msg, array('registered' => 'message'));
|
|
}
|
|
}
|
|
return $errors;
|
|
}
|
|
|
|
/**
|
|
* Re-wrote code which checks for REST API requests
|
|
* Below uses the "rest_api_init" action hook to check for REST requests.
|
|
* The code will block "unauthorized" requests whilst allowing genuine requests.
|
|
* (P. Petreski June 2018)
|
|
*
|
|
* @return void
|
|
*/
|
|
public function check_rest_api_requests() {
|
|
$rest_user = wp_get_current_user();
|
|
if (empty($rest_user->ID)) {
|
|
$error_message = apply_filters('aiowps_rest_api_error_message', __('You are not authorized to perform this action.', 'all-in-one-wp-security-and-firewall'));
|
|
wp_die($error_message);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Shows the firewall notice
|
|
*
|
|
* @return void
|
|
*/
|
|
public function do_firewall_notice() {
|
|
|
|
$firewall_setup = AIOWPSecurity_Firewall_Setup_Notice::get_instance();
|
|
$firewall_setup->start_firewall_setup();
|
|
|
|
}
|
|
|
|
/**
|
|
* Called by the WP filter rest_request_before_callbacks
|
|
*
|
|
* @param WP_REST_Response $response
|
|
*
|
|
* @return WP_REST_Response|WP_Error $response
|
|
*/
|
|
public function rest_request_before_callbacks($response) {
|
|
$rest_route = !empty($_GET['rest_route']) ? $_GET['rest_route'] : (empty($_SERVER['REQUEST_URI']) ? '' : (string) parse_url(urldecode($_SERVER['REQUEST_URI']), PHP_URL_PATH));
|
|
$rest_route = trim($rest_route, '/');
|
|
if ('' != $rest_route && !current_user_can('edit_others_posts')) {
|
|
if (preg_match('/wp\/v2\/users$/i', $rest_route)) {
|
|
$error = new WP_Error('aios_user_lists_forbidden', __('Listing users is forbidden.', 'all-in-one-wp-security-and-firewall'));
|
|
$response = rest_ensure_response($error);
|
|
} elseif (preg_match('/wp\/v2\/users\/+(\d+)$/i', $rest_route, $matches)) {
|
|
$id = empty($matches) ? 0 : (int) $matches[1];
|
|
if (get_current_user_id() !== $id) {
|
|
$error = new WP_Error('aios_user_details_forbidden', __('Accessing user details is forbidden.', 'all-in-one-wp-security-and-firewall'), array('status' => 403));
|
|
$response = rest_ensure_response($error);
|
|
}
|
|
}
|
|
}
|
|
return $response;
|
|
}
|
|
|
|
/**
|
|
* Called by the WP filter oembed_response_data
|
|
*
|
|
* @param Array $data
|
|
*
|
|
* @return Array $data
|
|
*/
|
|
public function oembed_response_data($data) {
|
|
unset($data['author_name']);
|
|
unset($data['author_url']);
|
|
return $data;
|
|
}
|
|
|
|
/**
|
|
* Sets the antibot cookie for post page comment form
|
|
*
|
|
* @return void
|
|
*/
|
|
public function post_antibot_cookie() {
|
|
if (is_singular() || is_archive()) {
|
|
AIOWPSecurity_Comment::insert_antibot_keys_in_cookie();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Sets the hidden fields html code for post page comment form
|
|
*
|
|
* @param string $submit_field HTML markup for the submit field
|
|
*
|
|
* @return string
|
|
*/
|
|
public function comment_form_submit_field($submit_field) {
|
|
return $submit_field . " " . AIOWPSecurity_Comment::insert_antibot_keys_in_comment_form();
|
|
}
|
|
}
|