Options configuration panel
Version: 3.1
Author: AskApache
Author URI: http://www.askapache.com
*/
/*
== Installation ==
1. Extract askapache-password-protect.zip into your wp-content/plugins directory into its own folder
2. Activate the Plugin.
3. Set up a username and password from the plugin options page
*/
/*
/--------------------------------------------------------------------\
| |
| License: GPL |
| |
| AskApache Password Protect Plugin - Adds HTTP Basic Authentication |
| Copyright (C) 2008, AskApache, www.askapache.com |
| All rights reserved. |
| |
| This program is free software; you can redistribute it and/or |
| modify it under the terms of the GNU General Public License |
| as published by the Free Software Foundation; either version 2 |
| of the License, or (at your option) any later version. |
| |
| This program is distributed in the hope that it will be useful, |
| but WITHOUT ANY WARRANTY; without even the implied warranty of |
| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| GNU General Public License for more details. |
| |
| You should have received a copy of the GNU General Public License |
| along with this program; if not, write to the |
| Free Software Foundation, Inc. |
| 51 Franklin Street, Fifth Floor |
| Boston, MA 02110-1301, USA |
| |
\--------------------------------------------------------------------/
*/
?>
FATAL ERROR
Please disable this plugin but dont delete, updates are on the horizon.
';
}
if($_SERVER['REQUEST_METHOD']==='POST') {
check_admin_referer('askapache-password-protect-update_modify');
if($aa_PP['aa_pp_config_step']=='install' && isset($_POST['aacompleteinstall'])){
if(!isset($_POST['htaccessuser']) || !isset($_POST['htaccesspass']) || !isset($_POST['htaccessrealm']) || !isset($_POST['aapassformat'])) { $aa_PP['E'].='Ooops!
Missing Required Fields.
'; $okgonext=0; }
if($_POST['htaccessrealm']!=$aa_PP['aa_pp_wp_admin_realm']){ $aa_PP['aa_pp_wp_admin_realm']=$_POST['htaccessrealm']; update_option('aa_pp_wp_admin_realm',$aa_PP['aa_pp_wp_admin_realm']); }
if($_POST['htaccessuser']!=$aa_PP['aa_pp_main_user']){ $aa_PP['aa_pp_main_user']=$_POST['htaccessuser']; update_option('aa_pp_main_user',$aa_PP['aa_pp_main_user']); }
if($_POST['aapassformat']!=$aa_PP['aa_pp_htpasswd_format']){$aa_PP['aa_pp_htpasswd_format']=$_POST['aapassformat']; update_option('aa_pp_htpasswd_format',$aa_PP['aa_pp_htpasswd_format']); }
if(!$aa_htpasswd_rules[]=aa_pp_hashpass($_POST['aapassformat'],$_POST['htaccessuser'],$_POST['htaccesspass'])){ $aa_PP['E'].="Error Creating .htpasswd hashes!
"; $okgonext=0; }
if(!aa_pp_iswritable($aa_PP['aa_pp_htpasswd_file'])||!insert_with_markers($aa_PP['aa_pp_htpasswd_file'],'AskApache PassPro',$aa_htpasswd_rules)){
$aa_PP['E'].='Ahh!
Error Creating '.$aa_PP['aa_pp_htpasswd_file'].'
'; $okgonext=0; }
if($okgonext!==false){
$aa_PP['aa_pp_config_step']='config'; update_option('aa_pp_config_step','config');
$htaccessrules=array('AuthName "'.$aa_PP['aa_pp_wp_admin_realm'].'"',"AuthUserFile ".$aa_PP['aa_pp_htpasswd_file'],"AuthType Basic","Order Deny,Allow","Deny from all","Require valid-user","Satisfy Any",
'','Allow from all','');
if(!aa_pp_iswritable($aa_PP['wpadmin_htaccess']) || !insert_with_markers($aa_PP['wpadmin_htaccess'], 'AskApache PassPro', $htaccessrules) || !@chmod($aa_PP['wpadmin_htaccess'],0644)) {
$aa_PP['E'].="Couldnt create wp-admin/.htaccess file!
"; return false; }
}
} else {
$chhtpasswd=false; $chhtaccess=false;
if(!isset($_POST['htaccessuser']) || !isset($_POST['htaccesspass']) || !isset($_POST['htaccessrealm']) || !isset($_POST['aapassformat'])) $aa_PP['E'].='Ooops!
Missing Required Fields.
';
if($_POST['htaccessrealm']!=$aa_PP['aa_pp_wp_admin_realm']){ $aa_PP['aa_pp_wp_admin_realm']=$_POST['htaccessrealm']; update_option('aa_pp_wp_admin_realm',$aa_PP['aa_pp_wp_admin_realm']); $chhtaccess=true; }
if($_POST['htaccessuser']!=$aa_PP['aa_pp_main_user']){ $aa_PP['aa_pp_main_user']=$_POST['htaccessuser']; update_option('aa_pp_main_user',$aa_PP['aa_pp_main_user']); $chhtpasswd=true; }
if(isset($_POST['htaccesspass'])) $chhtpasswd=true;
if($_POST['aapassformat']!=$aa_PP['aa_pp_htpasswd_format']){$aa_PP['aa_pp_htpasswd_format']=$_POST['aapassformat']; update_option('aa_pp_htpasswd_format',$aa_PP['aa_pp_htpasswd_format']); $chhtpasswd=true; }
if($chhtaccess){
$htaccessrules=array('AuthName "'.$aa_PP['aa_pp_wp_admin_realm'].'"',"AuthUserFile ".$aa_PP['aa_pp_htpasswd_file'],"AuthType Basic","Order Deny,Allow","Deny from all","Require valid-user","Satisfy Any",
'','Allow from all','');
if(!aa_pp_iswritable($aa_PP['wpadmin_htaccess']) || !insert_with_markers($aa_PP['wpadmin_htaccess'], 'AskApache PassPro', $htaccessrules) || !@chmod($aa_PP['wpadmin_htaccess'],0644)) {
$aa_PP['E'].="Couldnt create wp-admin/.htaccess file!
"; return false;
} else {
if(!$chhtpasswd)$aa_PP['I'].="Locked and Loaded!
Your .htaccess file was successfully updated.
";
else $aa_PP['O'].="SUCCESS: .htaccess file updated, everythings cool.
";
}
}
if($chhtpasswd){
$aa_htpasswd_rules[]=aa_pp_hashpass($aa_PP['aa_pp_htpasswd_format'],$aa_PP['aa_pp_main_user'],$_POST['htaccesspass']);
if(!aa_pp_iswritable($aa_PP['aa_pp_htpasswd_file']) || !insert_with_markers($aa_PP['aa_pp_htpasswd_file'],'AskApache PassPro', $aa_htpasswd_rules) || !@chmod($aa_PP['aa_pp_htpasswd_file'],0644)){
$aa_PP['E'].='Ahh!
Error Creating '.$aa_PP['aa_pp_htpasswd_file'].'
'; return false;
} else {
if(!$chhtaccess)$aa_PP['I'].="Password Protection Updated!
Your .htpasswd file was successfully updated, you are good to go bro!
";
else $aa_PP['O'].="SUCCESS: .htpasswd file updated, now ready to rock.
";
}
}
}
}
}
// aa_pp_main_page
function aa_pp_main_page() {
global $aa_GPASS,$aa_PP;
if(!defined('ABSPATH'))die();
if (! user_can_access_admin_page()) wp_die( __('You do not have sufficient permissions to access this page.') );
if ( function_exists('current_user_can') && !current_user_can('manage_options') ) die(__('Cheatin’ uh?'));
?>
1){ ?>
0) {
if(!$f = @fopen($fn, 'r'))return false;
$filecontent = fread($f, filesize($fn));
$filecontent = htmlspecialchars($filecontent);
} else $filecontent = 'file does not exist!';
if(fclose($f))echo $filecontent;
}
// aa_pp_test_server
/**
 * Self-test: checks whether this server enforces HTTP Basic Authentication
 * from .htaccess/.htpasswd files, and which htpasswd hash formats it accepts.
 *
 * Steps visible in this function:
 *  - creates a temp directory (prefix 'aa30tst') next to the docroot .htaccess
 *  - writes 404.php and test.php there from two embedded blobs
 *  - writes four fixed test accounts into $aa_PP['aa_pp_htpasswd_file']
 *  - writes a .htaccess in the temp directory that requires a valid user
 *  - probes test.php via aa_pp_test_userpass() with wrong and right credentials
 *  - deletes 404.php, test.php and the htpasswd file again
 *
 * Messages are appended to $aa_PP['E'] (errors), $aa_PP['O'] and $aa_PP['I'].
 *
 * @return bool true when the wrong-credential probe answered 401, false otherwise
 */
function aa_pp_test_server(){
global $aa_PP;
$prefix='aa30tst';
// NOTE(review): $t and $e are base64 + zlib-compressed blobs that are written to disk as
// test.php and 404.php and then requested over HTTP. Their decoded content is not readable
// here; decode and review it before trusting this file, and prefer shipping it as plain source.
$t='eNrj5bKxL8go4OVyyEhNTEkt0lByzs8rSc0r0Q2pLEi1UsjMTUxP1U/PTFPStMaiyCc1L70kw0rBxBIsn5qcka9QkJicraHkoaWko2RibmJpYmZsYWxpZmhgaGAAwpYgGgrSkABExMgwzdLAxMDU0ATEAaJkuGKofrC4kakJiG2cBLG2IrMESmmA+PZ2AEyvN7w=';
$e='eNqFUU1PwkAQvTfpfxgbDnCgQ40nKIsIGEhQG60HT2RpV7bhY9fdIRV/vdtSEi/E05vMvDdvJi8eaanB99R6ZYkbancGvncvBc+FaQfzNE0wCiO460UwPpJUpvjhVKgDvIqvY2FEHnQG8EfxRpyOtv+vYMR8L76ZvkzSj2QG8/RpCcn7w3IxgaCLuJilj4jTdHqe3IY9xNlzUGkk7Xc1OsMKqaCdYNftYjwzHBUvmrXKT/WOiF0TuZEjaJYYRSIjkcP6BDEHacTnMJBEuo9YlmXI7ZZrnkkRZmqPpTK5NsJalMSzzBVdza2t2l19XhVWHwRsbLfjWgdJQ4DGyx0SI2cx6vroy7F4+bxKzPdam6HLbCNole0EP9S5iUwqaG2q6rugBurJiP0CaXaZXQ==';
if(!$tmtest=aa_pp_mktempdir(dirname($aa_PP['docroot_htaccess']), $prefix)){ $aa_PP['E'].='Error Creating Test Directory
'; return false; }
$tme = $tmtest.'/404.php';$tm1 = $tmtest.'/test.php';$tt=trim(gzuncompress(base64_decode($t)));
if(!file_put_contents($tme,trim(gzuncompress(base64_decode($e))))){ $aa_PP['E'].="Error Creating test pages for HTTP Authentication Enabled Test!
"; return false; }
else if(!file_put_contents($tm1,$tt)){ $aa_PP['E'].="Error Creating test pages for HTTP Authentication Enabled Test!
"; return false; }
// Four accounts whose password equals the user name, one per supported hash format.
// NOTE(review): these go into the plugin's configured htpasswd file (marker 'AskApache Test'),
// so while the test runs that file holds publicly known credentials. A failed write only
// appends an error message; the function carries on.
$htpasswdrules=array(aa_pp_hashpass('CRYPT','testCRYPT','testCRYPT'), aa_pp_hashpass('MD5','testMD5','testMD5'),aa_pp_hashpass('SHA1','testSHA1','testSHA1'), aa_pp_hashpass('PLAIN','testPLAIN','testPLAIN'));
if(!aa_pp_iswritable($aa_PP['aa_pp_htpasswd_file']) || !insert_with_markers( $aa_PP['aa_pp_htpasswd_file'], 'AskApache Test', $htpasswdrules ))$aa_PP['E'].='Error Creating '.$aa_PP['aa_pp_htpasswd_file'].'
';
// Directives for the temp directory: route 401/403 to the generated 404.php and require
// a valid user from the htpasswd file above.
$htaccessrules=array(
"Options +All", "DirectoryIndex /".basename($tmtest)."/404.php 404.php","ErrorDocument 401 /".basename($tmtest)."/404.php", "ErrorDocument 403 /".basename($tmtest)."/404.php", 'AuthName "htpasstest"',"AuthUserFile ".$aa_PP['aa_pp_htpasswd_file'],"AuthType Basic","Require valid-user");
// NOTE(review): $tmh in the message below is never assigned in this function.
if(!aa_pp_iswritable($tmtest.'/.htaccess') || !insert_with_markers($tmtest.'/.htaccess', 'AskApache Test', $htaccessrules)) { $aa_PP['E'].="Couldnt create $tmh test htpasswd file!
"; return false; }
// NOTE(review): $tmtest_file and $encoded are never assigned in this function, and
// $tmtest_uri is not read afterwards. The success message on the next statement is added
// when aa_pp_test_userpass() returns a falsy value, i.e. when that probe fails.
$tmtest_uri = get_option('siteurl').$tmtest_file;
if(!aa_pp_test_userpass($encoded,$tmtest_file)) $aa_PP['O'].='Password successfully tested!
';
// Wrong credentials ('test:test' is not one of the accounts written above) must yield 401;
// any other answer means the directives are not being enforced.
if((!$r=aa_pp_test_userpass(base64_encode('test:test'),'/'.basename($tmtest).'/test.php')) || $r!='401') $aa_PP['E'].="FATAL ERROR! response code: $r
My thorough testing shows your server isnt good enough to to handle .htaccess / .htpasswd files.".' Switch to Apache
';
else {
$aa_PP['I'].='Your Server Rocks!
My tests show HTTP Basic Authentication will work on this server!
';
// Each test account must now be let through with a 200.
// The messages call every format an "Encryption Algorithm"; PLAIN stores the password
// unmodified (see aa_pp_hashpass).
if((!$r=aa_pp_test_userpass(base64_encode('testCRYPT:testCRYPT'),'/'.basename($tmtest).'/test.php'))||$r!='200') $aa_PP['E'].="Notice: CRYPT Encryption Algorithm Failed Test with Status Code: $r
";
else { $aa_PP['O'].="SUCCESS: CRYPT Encryption Algorithm is Working
"; $aa_PP['aa_pp_htpasswd_format']='CRYPT'; update_option('aa_pp_htpasswd_format', 'CRYPT'); }
if((!$r=aa_pp_test_userpass(base64_encode('testMD5:testMD5'),'/'.basename($tmtest).'/test.php'))||$r!='200') $aa_PP['E'].="Notice: MD5 Encryption Algorithm Failed Test with Status Code: $r
";
else $aa_PP['O'].="SUCCESS: MD5 Encryption Algorithm is Working
";
if((!$r=aa_pp_test_userpass(base64_encode('testSHA1:testSHA1'),'/'.basename($tmtest).'/test.php'))||$r!='200') $aa_PP['E'].="Notice: SHA1 Encryption Algorithm Failed Test with Status Code: $r
";
else $aa_PP['O'].="SUCCESS: SHA1 Encryption Algorithm is Working
";
if((!$r=aa_pp_test_userpass(base64_encode('testPLAIN:testPLAIN'),'/'.basename($tmtest).'/test.php'))||$r!='200') $aa_PP['E'].="Notice: PLAIN Encryption Algorithm Failed Test with Status Code: $r
";
else $aa_PP['O'].="SUCCESS: PLAIN Encryption Algorithm is Working
";
// The reason for the 5 second pause is not stated in the code.
sleep(5);
// NOTE(review): cleanup deletes the whole htpasswd file, not only the 'AskApache Test'
// section, and leaves the temp directory and its .htaccess in place. Cleanup also runs only
// on this success path; when the 401 probe fails the test files and test accounts remain.
if(!aa_pp_unlink($tme) || !aa_pp_unlink($tm1) || !aa_pp_unlink($aa_PP['aa_pp_htpasswd_file']))$aa_PP['E'].="Small Problem
Failed to delete test files, please delete manually.
$tme
$tm1
";
return true;
}
return false;
}
// aa_pp_test_userpass
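/**
 * Send one HTTP GET carrying a Basic Authorization header to this server and
 * return the status code of the response.
 *
 * @param string $encoded base64 of "user:password", sent as the Basic credential
 * @param string $path    request path, '/' by default
 * @return string|false   status code from the response line (e.g. '401', '200'),
 *                        or false when connecting, writing or reading fails
 */
function aa_pp_test_userpass($encoded,$path='/'){
    // Every value below is placed on a request or header line. HTTP_HOST comes from the
    // incoming request, so CR/LF is stripped to keep each value on its own line.
    $crlf    = array("\r", "\n");
    $host    = str_replace($crlf, '', (string) $_SERVER['HTTP_HOST']);
    $ref     = str_replace($crlf, '', (string) get_option('siteurl'));
    $path    = str_replace($crlf, '', (string) $path);
    $encoded = str_replace($crlf, '', (string) $encoded);

    $port    = (int) $_SERVER['SERVER_PORT'];
    $ip      = isset($_SERVER["SERVER_ADDR"]) ? $_SERVER["SERVER_ADDR"] : gethostbyname($host);
    $timeout = 10;

    // NOTE(review): the connection is always plain TCP. Earlier code computed an 'ssl://'
    // prefix for HTTPS sites but never applied it, so on a TLS-only port this probe cannot
    // get a status line and reports failure. Confirm the intended behaviour before adding
    // TLS here (certificate checks against an IP address would need handling).
    $fp = @fsockopen($ip, $port, $errno, $errstr, $timeout);
    if (!$fp) {
        return false;
    }

    // fsockopen's timeout covers the connect only; bound the read as well.
    stream_set_timeout($fp, $timeout);

    $request = "GET $path HTTP/1.1\r\nHost: $host\r\nUser-Agent: AskApache/ AskApache.com Password Protect\r\nReferer: $ref\r\nAccept: */*\r\nAuthorization: Basic $encoded\r\nConnection: Close\r\n\r\n";
    if (!@fputs($fp, $request)) {
        // Close the socket on the failure path too.
        fclose($fp);
        return false;
    }

    $statusLine = fgets($fp, 1024);
    fclose($fp);
    if ($statusLine === false) {
        return false;
    }

    // Status line is "HTTP/x.y CODE reason"; the second field is the code.
    $parts = explode(" ", trim($statusLine));
    if (count($parts) < 2 || $parts[1] === '') {
        return false;
    }
    return $parts[1];
}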
// aa_pp_hashpass
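/**
 * Build one "user:hash" line for an Apache .htpasswd file.
 *
 * Supported $format values:
 *  - 'PLAIN' : password stored unmodified
 *  - 'CRYPT' : crypt() with a "$1$" salt
 *  - 'SHA1'  : "{SHA}" + base64 of the raw SHA-1 digest (no salt)
 *  - 'MD5'   : Apache "$apr1$" salted, 1000-round MD5
 *
 * Security notes: PLAIN keeps the password readable by anyone who can read the
 * file, and {SHA} is a single unsalted hash; of the formats offered here the
 * salted ones (MD5/apr1, CRYPT) are the better choice.
 *
 * @param string $format one of PLAIN, CRYPT, SHA1, MD5
 * @param string $user   user name; must not contain ':' or control characters
 * @param string $pass   clear-text password
 * @return string|false  the htpasswd line, or false for an unknown format or
 *                       a value that cannot be stored on a single line
 */
function aa_pp_hashpass($format,$user,$pass){
    $user = (string) $user;
    $pass = (string) $pass;

    // The result is written as one line of the htpasswd file and ':' separates the fields.
    // A user name with ':' or a line break would corrupt the entry or add further entries.
    if (preg_match('/[:\x00-\x1f\x7f]/', $user)) {
        return false;
    }

    // 8-character salt from the crypt/apr1 alphabet, drawn from the CSPRNG when available.
    // (Previously rand()/str_shuffle(), which are predictable.)
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < 8; $i++) {
        $pick = function_exists('random_int') ? random_int(0, 63) : mt_rand(0, 63);
        $salt .= $alphabet[$pick];
    }

    switch ($format) {
        case 'PLAIN':
            // Stored verbatim, so a line break in the password would start a new entry.
            if (preg_match('/[\r\n]/', $pass)) {
                return false;
            }
            return $user.':'.$pass;

        case 'CRYPT':
            $crypted = crypt($pass, '$1$'.$salt);
            // crypt() reports failure with a short marker string rather than a "$1$" hash.
            if (!is_string($crypted) || strpos($crypted, '$1$') !== 0) {
                return false;
            }
            return $user.':'.$crypted;

        case 'SHA1':
            return $user.':{SHA}'.base64_encode(sha1($pass, true));

        case 'MD5': // php.net/crypt.php#73619
            $len  = strlen($pass);
            $text = $pass.'$apr1$'.$salt;
            $bin  = pack("H32", md5($pass.$salt.$pass));
            for ($i = $len; $i > 0; $i -= 16) {
                $text .= substr($bin, 0, min(16, $i));
            }
            for ($i = $len; $i > 0; $i >>= 1) {
                // $pass[0] replaces the curly-brace offset syntax removed in PHP 8.
                $text .= ($i & 1) ? chr(0) : $pass[0];
            }
            $bin = pack("H32", md5($text));
            for ($i = 0; $i < 1000; $i++) {
                $new = ($i & 1) ? $pass : $bin;
                if ($i % 3) $new .= $salt;
                if ($i % 7) $new .= $pass;
                $new .= ($i & 1) ? $bin : $pass;
                $bin = pack("H32", md5($new));
            }
            // Start from an empty string; the original read $tmp before assigning it.
            $tmp = '';
            for ($i = 0; $i < 5; $i++) {
                $k = $i + 6;
                $j = $i + 12;
                if ($j == 16) {
                    $j = 5;
                }
                $tmp = $bin[$i].$bin[$k].$bin[$j].$tmp;
            }
            $tmp = chr(0).chr(0).$bin[11].$tmp;
            // Re-map standard base64 output onto the crypt alphabet.
            $tmp = strtr(strrev(substr(base64_encode($tmp), 2)),"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz");
            return $user.':$apr1$'.$salt.'$'.$tmp;
    }

    // Unknown format: explicit false instead of reading an undefined array key.
    return false;
}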
// aa_pp_activate
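/**
 * Activation routine: clears options left by earlier versions, removes the
 * legacy "aa-password-protect" plugin directory, picks the location of the
 * .htpasswd file and stores the initial option values.
 *
 * @return void
 */
function aa_pp_activate(){
    global $userdata,$user_pass_md5,$user_login;
    get_currentuserinfo();

    // Pre-fill the htpasswd user with the current login, except for the default 'admin'.
    $username = (isset($user_login)&&!empty($user_login)&&$user_login!='admin') ? $user_login : '';
    $DOC_ROOT = (isset($_SERVER['DOCUMENT_ROOT'])) ? $_SERVER['DOCUMENT_ROOT'] : ABSPATH;

    // delete previous installs options (each name once; the original repeated several)
    $stale_options = array(
        'aa_home_folder', 'aa_wpadmin_folder', 'aa_htpasswd_file', 'aa_htaccess_file',
        'aa_original_htpasswd', 'aa_original_htaccess', 'aa_plugin_message', 'aa_plugin_version',
        'aa_home', 'aa_wpadmin', 'aa_htpasswd_f', 'aa_htaccess_f', 'aa_user',
        'aa_pp_htpasswd_file', 'aa_pp_config_step', 'aa_pp_htpasswd_format', 'aa_pp_main_user',
        'aa_pp_docroot_htaccess', 'aa_pp_wp_admin_realm', 'aa_pp_wp_admin_htaccess',
        'aa_pp_wp_content_htaccess', 'aa_pp_wp_includes_htaccess', 'aa_pp_main_base64', 'aa_pp_ok',
    );
    foreach ($stale_options as $option_name) {
        delete_option($option_name);
    }

    // Empty the section written under the old marker name.
    insert_with_markers(ABSPATH . 'wp-admin/.htaccess', 'AskApache Password Protect', array());

    // Remove the legacy plugin directory, but only when this file does not live in it.
    // The original called strpos() with haystack and needle swapped, so the guard never
    // held and the directory was deleted even when it was the running plugin's own.
    if (strpos(__FILE__, 'aa-password-protect') === false) {
        $legacy_dir = ABSPATH . PLUGINDIR . '/aa-password-protect';
        $files = @glob($legacy_dir . '/*');
        if (is_array($files) && !empty($files)) {
            foreach ($files as $filename) {
                aa_pp_unlink($filename);
            }
            @rmdir($legacy_dir);
        }
    }

    // Prefer a location one level above the document root for the htpasswd file.
    // NOTE(review): the fallback puts the file inside the document root, where it is only
    // protected if the web server refuses to serve ".ht*" files; verify on the target server.
    // The condition is kept exactly as written; ini_get() is read but only type-checked.
    $g=ini_get('open_basedir');
    if(is_string($g) && !is_writable(dirname($DOC_ROOT)) && !file_exists(dirname($DOC_ROOT)) && !chmod(dirname($DOC_ROOT),0755) && !is_dir(dirname($DOC_ROOT)))$htpasswd=$DOC_ROOT.'/.htpasswdaa1';
    else $htpasswd=dirname($DOC_ROOT).'/.htpasswdaa1';

    // Drop password files from an earlier install before starting fresh.
    aa_pp_unlink(get_home_path() . '.aahtpasswd1');
    aa_pp_unlink($htpasswd);

    update_option('aa_pp_htpasswd_file', $htpasswd);
    update_option('aa_pp_config_step', 'install');
    // NOTE(review): the SHA1 format is an unsalted hash (see aa_pp_hashpass); consider a
    // salted format as the default.
    update_option('aa_pp_htpasswd_format', 'SHA1');
    update_option('aa_pp_main_user', $username);
    update_option('aa_pp_wp_admin_realm', 'Protected by AskApache');
}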
// aa_pp_deactivate
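/**
 * Deactivation routine: deletes the plugin's options, removes leftover
 * self-test directories and .htpasswd files, and replaces the plugin's
 * section of wp-admin/.htaccess with a "#deleted" placeholder.
 *
 * @return void
 */
function aa_pp_deactivate(){
    // $DOC_ROOT was read below without ever being set in this function, so the password
    // files were never removed on deactivation. Resolve it the way aa_pp_activate() does.
    $DOC_ROOT = (isset($_SERVER['DOCUMENT_ROOT'])) ? $_SERVER['DOCUMENT_ROOT'] : ABSPATH;

    // delete previous installs options (each name once; the original repeated several)
    $stale_options = array(
        'aa_home_folder', 'aa_wpadmin_folder', 'aa_htpasswd_file', 'aa_htaccess_file',
        'aa_original_htpasswd', 'aa_original_htaccess', 'aa_plugin_message', 'aa_plugin_version',
        'aa_passpro_code', 'aa_passpro_config_step',
        'aa_home', 'aa_wpadmin', 'aa_htpasswd_f', 'aa_htaccess_f', 'aa_user',
        'aa_pp_htpasswd_file', 'aa_pp_config_step', 'aa_pp_htpasswd_format', 'aa_pp_main_user',
        'aa_pp_docroot_htaccess', 'aa_pp_wp_admin_realm', 'aa_pp_wp_admin_htaccess',
        'aa_pp_wp_content_htaccess', 'aa_pp_wp_includes_htaccess', 'aa_pp_main_base64', 'aa_pp_ok',
    );
    foreach ($stale_options as $option_name) {
        delete_option($option_name);
    }

    // Remove self-test directories. The original tested a misspelled variable ($dirrs), so
    // this cleanup never ran. 404.php is removed as well, since the self-test creates it and
    // rmdir() fails on a non-empty directory.
    // NOTE(review): the self-test creates its directory next to the docroot .htaccess;
    // confirm that get_home_path() is the same location.
    $dirss=glob(get_home_path()."aa30tst*",GLOB_ONLYDIR);
    if(is_array($dirss) && !empty($dirss)){
        foreach ($dirss as $d){
            aa_pp_unlink($d.'/.htaccess');
            aa_pp_unlink($d.'/404.php');
            aa_pp_unlink($d.'/test.php');
            @rmdir($d);
        }
    }

    // Remove the password file from every location an install may have used.
    aa_pp_unlink(dirname(dirname($DOC_ROOT)).'/.htpasswdaa1');
    aa_pp_unlink(dirname($DOC_ROOT).'/.htpasswdaa1');
    aa_pp_unlink($DOC_ROOT.'/.htpasswdaa1');

    // Make sure the owner can write, replace the plugin's section, and leave the file 0644.
    // The first chmod used to be 0666; only the file's owner can chmod, and the owner write
    // bit is already part of 0644, so the world-writable step added nothing but exposure.
    @ chmod(ABSPATH . 'wp-admin/.htaccess',0644);
    insert_with_markers(ABSPATH . 'wp-admin/.htaccess', 'AskApache PassPro', array("#deleted"));
    @ chmod(ABSPATH . 'wp-admin/.htaccess',0644);
}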
// Plugin lifecycle: set up on activation, clean up on deactivation.
register_activation_hook(__FILE__, 'aa_pp_activate');
register_deactivation_hook(__FILE__, 'aa_pp_deactivate');

// Register the options page in the admin menu.
add_action('admin_menu', 'aa_pp_options_setup');

// Emit the admin <head> additions only when the request URI names this plugin file.
$aa_goadm = strpos($_SERVER['REQUEST_URI'], basename(__FILE__));
if ($aa_goadm !== false) {
    add_action('admin_head', 'aa_pp_admin_header');
}
?>