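'Basic Firewall Rules', 'tab2' => 'Additional Firewall Rules', 'tab3' => '5G Blacklist Firewall Rules', 'tab4' => 'Brute Force Prevention', );

    /*
     * Maps each tab key of $menu_tabs to the method that renders it.
     * render_menu_page() dispatches through this table, so the tab key
     * taken from the request must be one of these keys (see get_current_tab()).
     */
    var $menu_tabs_handler = array(
        'tab1' => 'render_tab1',
        'tab2' => 'render_tab2',
        'tab3' => 'render_tab3',
        'tab4' => 'render_tab4',
    );

    /*
     * Constructing the menu object renders the page immediately.
     */
    function __construct() {
        $this->render_menu_page();
    }

    /*
     * Returns the key of the tab to display.
     *
     * The value comes from the "tab" query parameter when present, otherwise the
     * first registered tab. The request value is only accepted when it is one of
     * the keys of $menu_tabs; any other value (unknown name, non-string) falls
     * back to the first tab so that $menu_tabs_handler is never indexed with an
     * unregistered key in render_menu_page().
     */
    function get_current_tab() {
        $tab_keys = array_keys($this->menu_tabs);
        $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : $tab_keys[0];
        // Whitelist against the registered tabs; strict comparison so an
        // array or numeric-looking value from the query string is rejected too.
        if (!in_array($tab, $tab_keys, true)) {
            $tab = $tab_keys[0];
        }
        return $tab;
    }

    /*
     * Renders our tabs of this menu as nav items
     *
     * NOTE(review): in this copy the method only resolves the current tab and
     * echoes an empty string; the nav markup it is meant to emit is not present
     * here - confirm against the original file.
     */
    function render_menu_tabs() {
        $current_tab = $this->get_current_tab();
        echo '';
    }

    /*
     * The menu rendering goes here
     *
     * Emits the tab strip and then dispatches to the render_tabN handler
     * registered in $menu_tabs_handler for the current tab. The method body
     * continues after the closing PHP tag below.
     */
    function render_menu_page() {
        $tab = $this->get_current_tab();
        ?>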
render_menu_tabs(); //$tab_keys = array_keys($this->menu_tabs); call_user_func(array(&$this, $this->menu_tabs_handler[$tab])); ?>
debug_logger->log_debug("Nonce check failed on enable basic firewall settings!",4); die("Nonce check failed on enable basic firewall settings!"); } //Save settings if(isset($_POST['aiowps_enable_basic_firewall'])) { $aio_wp_security->configs->set_value('aiowps_enable_basic_firewall','1'); } else { $aio_wp_security->configs->set_value('aiowps_enable_basic_firewall',''); } $aio_wp_security->configs->set_value('aiowps_enable_pingback_firewall',isset($_POST["aiowps_enable_pingback_firewall"])?'1':''); //Commit the config settings $aio_wp_security->configs->save_config(); //Recalculate points after the feature status/options have been altered $aiowps_feature_mgr->check_feature_status_and_recalculate_points(); //Now let's write the applicable rules to the .htaccess file $res = AIOWPSecurity_Utility_Htaccess::write_to_htaccess(); if ($res) { $this->show_msg_updated(__('Settings were successfully saved', 'aiowpsecurity')); } else if($res == -1) { $this->show_msg_error(__('Could not write to the .htaccess file. Please check the file permissions.', 'aiowpsecurity')); } } ?>

backup'; $info_msg = sprintf( __('This should not have any impact on your site\'s general functionality but if you wish you can take a %s of your .htaccess file before proceeding.', 'aiowpsecurity'), $backup_tab_link); echo '

'.__('The features in this tab allow you to activate some basic firewall security protection rules for your site.', 'aiowpsecurity'). '
'.__('The firewall functionality is achieved via the insertion of special code into your currently active .htaccess file.', 'aiowpsecurity'). '
'.$info_msg.'

'; ?>

output_feature_details_badge("firewall-basic-rules"); ?>
: configs->get_value('aiowps_enable_basic_firewall')=='1') echo ' checked="checked"'; ?> value="1"/> +
'.__('This setting will implement the following basic firewall protection mechanisms on your site:', 'aiowpsecurity').'

'; echo '

'.__('1) Protect your htaccess file by denying access to it.', 'aiowpsecurity').'

'; echo '

'.__('2) Disable the server signature.', 'aiowpsecurity').'

'; echo '

'.__('3) Limit file upload size (10MB).', 'aiowpsecurity').'

'; echo '

'.__('4) Protect your wp-config.php file by denying access to it.', 'aiowpsecurity').'

'; echo '

'.__('The above firewall features will be applied via your .htaccess file and should not affect your site\'s overall functionality.', 'aiowpsecurity').'

'; echo '

'.__('You are still advised to take a backup of your active .htaccess file just in case.', 'aiowpsecurity').'

'; ?>

output_feature_details_badge("firewall-pingback-rules"); ?>
: configs->get_value('aiowps_enable_pingback_firewall')=='1') echo ' checked="checked"'; ?> value="1"/> +
'.__('This setting will add a directive in your .htaccess to disable access to the WordPress xmlrpc.php file which is responsible for the XML-RPC functionality such as pingbacks in WordPress.', 'aiowpsecurity').'

'; echo '

'.__('Hackers can exploit various pingback vulnerabilities in the WordPress XML-RPC API in a number of ways such as:', 'aiowpsecurity').'

'; echo '

'.__('1) Denial of Service (DoS) attacks', 'aiowpsecurity').'

'; echo '

'.__('2) Hacking internal routers.', 'aiowpsecurity').'

'; echo '

'.__('3) Scanning ports in internal networks to get info from various hosts.', 'aiowpsecurity').'

'; echo '

'.__('Apart from the security protection benefit, this feature may also help reduce load on your server, particularly if your site currently has a lot of unwanted traffic hitting the XML-RPC API on your installation.', 'aiowpsecurity').'

'; echo '

'.__('NOTE: You should only enable this feature if you are not currently using the XML-RPC functionality on your WordPress installation.', 'aiowpsecurity').'

'; ?>
debug_logger->log_debug("Nonce check failed on enable advanced firewall settings!",4); die("Nonce check failed on enable advanced firewall settings!"); } //Save settings if(isset($_POST['aiowps_disable_index_views'])) { $aio_wp_security->configs->set_value('aiowps_disable_index_views','1'); } else { $aio_wp_security->configs->set_value('aiowps_disable_index_views',''); } if(isset($_POST['aiowps_disable_trace_and_track'])) { $aio_wp_security->configs->set_value('aiowps_disable_trace_and_track','1'); } else { $aio_wp_security->configs->set_value('aiowps_disable_trace_and_track',''); } if(isset($_POST['aiowps_forbid_proxy_comments'])) { $aio_wp_security->configs->set_value('aiowps_forbid_proxy_comments','1'); } else { $aio_wp_security->configs->set_value('aiowps_forbid_proxy_comments',''); } if(isset($_POST['aiowps_deny_bad_query_strings'])) { $aio_wp_security->configs->set_value('aiowps_deny_bad_query_strings','1'); } else { $aio_wp_security->configs->set_value('aiowps_deny_bad_query_strings',''); } if(isset($_POST['aiowps_advanced_char_string_filter'])) { $aio_wp_security->configs->set_value('aiowps_advanced_char_string_filter','1'); } else { $aio_wp_security->configs->set_value('aiowps_advanced_char_string_filter',''); } //Commit the config settings $aio_wp_security->configs->save_config(); //Now let's write the applicable rules to the .htaccess file $res = AIOWPSecurity_Utility_Htaccess::write_to_htaccess(); if ($res) { $this->show_msg_updated(__('You have successfully saved the Additional Firewall Protection configuration', 'aiowpsecurity')); } else if($res == -1) { $this->show_msg_error(__('Could not write to the .htaccess file. Please check the file permissions.', 'aiowpsecurity')); } if($error) { $this->show_msg_error($error); } } ?>

backup'; $info_msg = sprintf( __('Due to the nature of the code being inserted to the .htaccess file, this feature may break some functionality for certain plugins and you are therefore advised to take a %s of .htaccess before applying this configuration.', 'aiowpsecurity'), $backup_tab_link); echo '

'.__('This feature allows you to activate more advanced firewall settings to your site.', 'aiowpsecurity'). '
'.__('The advanced firewall rules are applied via the insertion of special code to your currently active .htaccess file.', 'aiowpsecurity'). '
'.$info_msg.'

'; ?>

output_feature_details_badge("firewall-disable-index-views"); ?>
: configs->get_value('aiowps_disable_index_views')=='1') echo ' checked="checked"'; ?> value="1"/> +

'; _e('This feature will prevent the listing of contents for all directories.', 'aiowpsecurity'); echo '
'; _e('NOTE: In order for this feature to work "AllowOverride" must be enabled in your httpd.conf file. Ask your hosting provider to check this if you don\'t have access to httpd.conf', 'aiowpsecurity'); ?>

output_feature_details_badge("firewall-disable-trace-track"); ?>
: configs->get_value('aiowps_disable_trace_and_track')=='1') echo ' checked="checked"'; ?> value="1"/> +

'; _e('This hacking technique is usually used together with cross site scripting attacks (XSS).', 'aiowpsecurity'); echo '
'; _e('Disabling trace and track on your site will help prevent HTTP Trace attacks.', 'aiowpsecurity'); ?>

output_feature_details_badge("firewall-forbid-proxy-comments"); ?>
: configs->get_value('aiowps_forbid_proxy_comments')=='1') echo ' checked="checked"'; ?> value="1"/> +

'.__('By forbidding proxy comments you are in effect eliminating some SPAM and other proxy requests.', 'aiowpsecurity'); ?>

output_feature_details_badge("firewall-deny-bad-queries"); ?>
: configs->get_value('aiowps_deny_bad_query_strings')=='1') echo ' checked="checked"'; ?> value="1"/> +

'.__('NOTE: Some of these strings might be used for plugins or themes and hence this might break some functionality.', 'aiowpsecurity'); echo '
'.__('You are therefore strongly advised to take a backup of your active .htaccess file before applying this feature.', 'aiowpsecurity').''; ?>

output_feature_details_badge("firewall-advanced-character-string-filter"); ?>
: configs->get_value('aiowps_advanced_char_string_filter')=='1') echo ' checked="checked"'; ?> value="1"/> +

'.__('This setting matches for common malicious string patterns and exploits and will produce a 403 error for the hacker attempting the query.', 'aiowpsecurity'); echo '
'.__('NOTE: Some strings for this setting might break some functionality.', 'aiowpsecurity'); echo '
'.__('You are therefore strongly advised to take a backup of your active .htaccess file before applying this feature.', 'aiowpsecurity').''; ?>

debug_logger->log_debug("Nonce check failed on enable 5G firewall settings!",4); die("Nonce check failed on enable 5G firewall settings!"); } //Save settings if(isset($_POST['aiowps_enable_5g_firewall'])) { $aio_wp_security->configs->set_value('aiowps_enable_5g_firewall','1'); } else { $aio_wp_security->configs->set_value('aiowps_enable_5g_firewall',''); } //Commit the config settings $aio_wp_security->configs->save_config(); //Now let's write the applicable rules to the .htaccess file $res = AIOWPSecurity_Utility_Htaccess::write_to_htaccess(); if ($res) { $this->show_msg_updated(__('You have successfully saved the 5G Firewall Protection configuration', 'aiowpsecurity')); } else if($res == -1) { $this->show_msg_error(__('Could not write to the .htaccess file. Please check the file permissions.', 'aiowpsecurity')); } } ?>

backup'; $info_msg = '

'.sprintf( __('This feature allows you to activate the 5G firewall security protection rules designed and produced by %s.', 'aiowpsecurity'), 'Perishable Press').'

'; $info_msg .= '

'.__('The 5G Blacklist is a simple, flexible blacklist that helps reduce the number of malicious URL requests that hit your website.', 'aiowpsecurity').'

'; $info_msg .= '

'.__('The added advantage of applying the 5G firewall to your site is that it has been tested and confirmed by the people at PerishablePress.com to be an optimal and least disruptive set of .htaccess security rules for general WP sites running on an Apache server or similar.', 'aiowpsecurity').'

'; $info_msg .= '

'.sprintf( __('Therefore the 5G firewall rules should not have any impact on your site\'s general functionality but if you wish you can take a %s of your .htaccess file before proceeding.', 'aiowpsecurity'), $backup_tab_link).'

'; echo $info_msg; ?>

output_feature_details_badge("firewall-enable-5g-blacklist"); ?>
: configs->get_value('aiowps_enable_5g_firewall')=='1') echo ' checked="checked"'; ?> value="1"/> +
'.__('This setting will implement the 5G security firewall protection mechanisms on your site which include the following things:', 'aiowpsecurity').'

'; echo '

'.__('1) Block forbidden characters commonly used in exploitative attacks.', 'aiowpsecurity').'

'; echo '

'.__('2) Block malicious encoded URL characters such as the ".css(" string.', 'aiowpsecurity').'

'; echo '

'.__('3) Guard against the common patterns and specific exploits in the root portion of targeted URLs.', 'aiowpsecurity').'

'; echo '

'.__('4) Stop attackers from manipulating query strings by disallowing illicit characters.', 'aiowpsecurity').'

'; echo '

'.__('....and much more.', 'aiowpsecurity').'

'; ?>
debug_logger->log_debug("Nonce check failed on enable cookie based brute force prevention feature!",4); die("Nonce check failed on enable cookie based brute force prevention feature!"); } if(isset($_POST['aiowps_enable_brute_force_attack_prevention'])) { $brute_force_feature_secret_word = sanitize_text_field($_POST['aiowps_brute_force_secret_word']); if(empty($brute_force_feature_secret_word)){ $brute_force_feature_secret_word = "aiowps_secret"; }else if(!ctype_alnum($brute_force_feature_secret_word)){ $msg = '

'.__('Settings have not been saved - your secret word must consist only of alphanumeric characters, ie, letters and/or numbers only!', 'aiowpsecurity').'

'; $error = true; } if(filter_var($_POST['aiowps_cookie_based_brute_force_redirect_url'], FILTER_VALIDATE_URL)) { $aio_wp_security->configs->set_value('aiowps_cookie_based_brute_force_redirect_url',esc_url_raw($_POST['aiowps_cookie_based_brute_force_redirect_url'])); } else { $aio_wp_security->configs->set_value('aiowps_cookie_based_brute_force_redirect_url','http://127.0.0.1'); } $aio_wp_security->configs->set_value('aiowps_enable_brute_force_attack_prevention','1'); if (!$error) { $aio_wp_security->configs->set_value('aiowps_brute_force_secret_word',$brute_force_feature_secret_word); $msg = '

'.__('You have successfully enabled the cookie based brute force prevention feature', 'aiowpsecurity').'

'; $msg .= '

'.__('From now on you will need to log into your WP Admin using the following URL:', 'aiowpsecurity').'

'; $msg .= '

'.AIOWPSEC_WP_URL.'/?'.$brute_force_feature_secret_word.'=1

'; $msg .= '

'.__('It is important that you save this URL value somewhere in case you forget it, OR,', 'aiowpsecurity').'

'; $msg .= '

'.sprintf( __('simply remember to add a "?%s=1" to your current site URL address.', 'aiowpsecurity'), $brute_force_feature_secret_word).'

'; } } else { $aio_wp_security->configs->set_value('aiowps_enable_brute_force_attack_prevention',''); $msg = __('You have successfully saved cookie based brute force prevention feature settings.', 'aiowpsecurity'); } if(isset($_POST['aiowps_brute_force_attack_prevention_pw_protected_exception'])) { $aio_wp_security->configs->set_value('aiowps_brute_force_attack_prevention_pw_protected_exception','1'); } else { $aio_wp_security->configs->set_value('aiowps_brute_force_attack_prevention_pw_protected_exception',''); } if(isset($_POST['aiowps_brute_force_attack_prevention_ajax_exception'])) { $aio_wp_security->configs->set_value('aiowps_brute_force_attack_prevention_ajax_exception','1'); } else { $aio_wp_security->configs->set_value('aiowps_brute_force_attack_prevention_ajax_exception',''); } if (!$error) { $aio_wp_security->configs->save_config();//save the value //Recalculate points after the feature status/options have been altered $aiowps_feature_mgr->check_feature_status_and_recalculate_points(); $res = AIOWPSecurity_Utility_Htaccess::write_to_htaccess(); if ($res){ echo '

'; echo $msg; echo '

'; } else if($res == -1){ $this->show_msg_error(__('Could not write to the .htaccess file. Please check the file permissions.', 'aiowpsecurity')); } } else { $this->show_msg_error($msg); } } ?>

'.__('A Brute Force Attack is when a hacker tries many combinations of usernames and passwords until they succeed in guessing the right combination.', 'aiowpsecurity'). '
'.__('Due to the fact that at any one time there may be many concurrent login attempts occurring on your site via malicious automated robots, this also has a negative impact on your server\'s memory and performance.', 'aiowpsecurity'). '
'.__('The features in this tab will stop the majority of Brute Force Login Attacks at the .htaccess level thus providing even better protection for your WP login page and also reducing the load on your server because the system does not have to run PHP code to process the login attempts.', 'aiowpsecurity').'

'; ?>
backup'; $video_link = 'video tutorial'; $info_msg = sprintf( __('Even though this feature should not have any impact on your site\'s general functionality you are strongly encouraged to take a %s of your .htaccess file before proceeding.', 'aiowpsecurity'), $backup_tab_link); $info_msg1 = __('If this feature is not used correctly, you can get locked out of your site. A backup file will come in handy if that happens.', 'aiowpsecurity'); $info_msg2 = sprintf( __('To learn more about how to use this feature please watch the following %s.', 'aiowpsecurity'), $video_link); $brute_force_login_feature_link = 'Cookie-Based Brute Force Login Prevention'; echo '

'.$info_msg. '
'.$info_msg1. '
'.$info_msg2.'

'; ?>

output_feature_details_badge("firewall-enable-brute-force-attack-prevention"); ?>
: configs->get_value('aiowps_enable_brute_force_attack_prevention')=='1') echo ' checked="checked"'; ?> value="1"/> +

'; _e('To use this feature do the following:', 'aiowpsecurity'); echo '
'; _e('1) Enable the checkbox.', 'aiowpsecurity'); echo '
'; _e('2) Enter a secret word consisting of alphanumeric characters which will be difficult to guess. This secret word will be useful whenever you need to know the special URL which you will use to access the login page (see point below).', 'aiowpsecurity'); echo '
'; _e('3) You will then be provided with a special login URL. You will need to use this URL to login to your WordPress site instead of the usual login URL. NOTE: The system will deposit a special cookie in your browser which will allow you access to the WordPress administration login page.', 'aiowpsecurity'); echo '
'; _e('Any person trying to access your login page who does not have the special cookie in their browser will be automatically blocked.', 'aiowpsecurity'); ?>

:
: +

'; _e('This field will default to: http://127.0.0.1 if you do not enter a value.', 'aiowpsecurity'); echo '
'; _e('Useful Tip:', 'aiowpsecurity'); echo '
'; _e('It\'s a good idea to not redirect attempted brute force login attempts to your site because it increases the load on your server.', 'aiowpsecurity'); echo '
'; _e('Redirecting a hacker or malicious bot back to "http://127.0.0.1" is ideal because it deflects them back to their own local host and puts the load on their server instead of yours.', 'aiowpsecurity'); ?>

: configs->get_value('aiowps_brute_force_attack_prevention_pw_protected_exception')=='1') echo ' checked="checked"'; ?> value="1"/> +

'; _e('By enabling this checkbox the plugin will add the necessary rules and exceptions to your .htacces file so that people trying to access these pages are not automatically blocked.', 'aiowpsecurity'); echo '
'; echo "".__('Helpful Tip:', 'aiowpsecurity').""; echo '
'; _e('If you do not use the WordPress password protection feature for your posts or pages then it is highly recommended that you leave this checkbox disabled.', 'aiowpsecurity'); ?>

: configs->get_value('aiowps_brute_force_attack_prevention_ajax_exception')=='1') echo ' checked="checked"'; ?> value="1"/> +

'; _e('By enabling this checkbox the plugin will add the necessary rules and exceptions to your .htacces file so that AJAX operations will work as expected.', 'aiowpsecurity'); ?>

configs->get_value('aiowps_cookie_test_success'); $bfla_feature_enabled = $aio_wp_security->configs->get_value('aiowps_enable_brute_force_attack_prevention'); if($cookie_test_value == '1' || $bfla_feature_enabled == '1')//If the cookie test is successful or if the feature is already enabled then go ahead as normal { if (isset($_REQUEST['aiowps_cookie_test'])) {//Cookie test was just performed and the test succeded echo '

'; _e('The cookie test was successful. You can now enable this feature.', 'aiowpsecurity'); echo '

'; } echo ''; } else { //Cookie test needs to be performed if(isset($_REQUEST['aiowps_cookie_test']) && $cookie_test_value != '1'){//Test failed echo '

'; _e('The cookie test failed on this server. So this feature cannot be used on this site.', 'aiowpsecurity'); echo '

'; } //TODO - pretty up the message echo '

'; _e("Before using this feature you are required to perform a cookie test first. This is to make sure that your browser cookie is working correctly and that you won't lock yourself out.", 'aiowpsecurity'); echo '

'; echo ''; } ?>