Options configuration panel Version: 3.4 Author: AskApache Author URI: http://www.askapache.com */ /* == Installation == 1. Extract askapache-password-protect.zip into your wp-content/plugins directory into its own folder 2. Activate the Plugin. 3. Setup a username and password from the plugin options page */ /* /--------------------------------------------------------------------\ | | | License: GPL | | | | AskApache Password Protect Plugin - Adds HTTP Basic Authentication | | Copyright (C) 2008, AskApache, www.askapache.com | | All rights reserved. | | | | This program is free software; you can redistribute it and/or | | modify it under the terms of the GNU General Public License | | as published by the Free Software Foundation; either version 2 | | of the License, or (at your option) any later version. | | | | This program is distributed in the hope that it will be useful, | | but WITHOUT ANY WARRANTY; without even the implied warranty of | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | | GNU General Public License for more details. | | | | You should have received a copy of the GNU General Public License | | along with this program; if not, write to the | | Free Software Foundation, Inc. | | 51 Franklin Street, Fifth Floor | | Boston, MA 02110-1301, USA | | | \--------------------------------------------------------------------/ */ ?> Ooops!
Missing Required Fields.

',E_USER_ERROR); } if($_POST['htaccessrealm']!=$aa_PP['realm']){ $aa_PP['realm']=$_POST['htaccessrealm']; } if($_POST['htaccessuser']!=$aa_PP['user']){ $aa_PP['user']=$_POST['htaccessuser']; } if($_POST['aapassformat']!=$aa_PP['format']){ $aa_PP['format']=$_POST['aapassformat']; } if(!$aa_htpasswd_rules[]=aa_pp_hashit($_POST['aapassformat'],$_POST['htaccessuser'],$_POST['htaccesspass'])){ trigger_error("

Error Creating .htpasswd hashes!

",E_USER_ERROR); } if(!insert_with_markers($aa_PP['htpasswd'],'AskApache PassPro',$aa_htpasswd_rules)){ trigger_error('

Ahh!
Error Creating '.$aa_PP['htpasswd'].'

',E_USER_ERROR); } $htaccessrules=array( 'AuthName "'.$aa_PP['realm'].'"', "AuthUserFile ".$aa_PP['htpasswd'], "AuthType Basic", "Order Deny,Allow", "Deny from all", "Require valid-user", "Satisfy Any", '', 'Allow from all', ''); if(!insert_with_markers($aa_PP['admin_htaccess'], 'AskApache PassPro', $htaccessrules)) { trigger_error("

Couldnt create wp-admin/.htaccess file!

",E_USER_ERROR); } $aa_PP['config_step']='3'; } /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ if($aa_PP['config_step']!='2'){ $chhtpasswd=false; $chhtaccess=false; if(!isset($_POST['htaccessuser']) || !isset($_POST['htaccesspass']) || !isset($_POST['htaccessrealm']) || !isset($_POST['aapassformat'])) { trigger_error('

Ooops!
Missing Required Fields.

',E_USER_ERROR); } else { if($_POST['htaccessrealm']!=$aa_PP['realm']){ $aa_PP['realm']=$_POST['htaccessrealm']; $chhtaccess=true; } if($_POST['htaccessuser']!=$aa_PP['user']){ $aa_PP['user']=$_POST['htaccessuser']; $chhtpasswd=true; } if(isset($_POST['htaccesspass'])) { $chhtpasswd=true; } if($_POST['aapassformat']!=$aa_PP['format']){ $aa_PP['format']=$_POST['aapassformat']; $chhtpasswd=true; } } /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ if($chhtaccess){ $htaccessrules=array( 'AuthName "'.$aa_PP['realm'].'"', "AuthUserFile ".$aa_PP['htpasswd'], "AuthType Basic", "Order Deny,Allow", "Deny from all", "Require valid-user", "Satisfy Any", '', 'Allow from all', ''); if(!insert_with_markers($aa_PP['admin_htaccess'], 'AskApache PassPro', $htaccessrules)) { trigger_error("Couldnt create wp-admin/.htaccess file", E_USER_WARNING); trigger_error("

Couldnt create wp-admin/.htaccess file!

",E_USER_ERROR); } else { if(!$chhtpasswd)trigger_error("

Locked and Loaded!
Your .htaccess file was successfully updated.

",E_USER_NOTICE); else trigger_error("

SUCCESS: .htaccess file updated, everythings cool.

",E_USER_NOTICE); } } if($chhtpasswd){ $aa_htpasswd_rules[]=aa_pp_hashit($aa_PP['format'],$aa_PP['user'],$_POST['htaccesspass']); if(!insert_with_markers($aa_PP['htpasswd'],'AskApache PassPro', $aa_htpasswd_rules)){ trigger_error('

Ahh!
Error Creating '.$aa_PP['htpasswd'].'

',E_USER_ERROR); return false; } else { if(!$chhtaccess)trigger_error("

Password Protection Updated!
Your .htpasswd file was successfully updated, you are good to go bro!

",E_USER_NOTICE); else trigger_error("

SUCCESS: .htpasswd file updated, now ready to rock.

",E_USER_NOTICE); } } } /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ } update_option('askapache_password_protect',$aa_PP); } // aa_pp_main_page function aa_pp_main_page() { global $aa_PP,$aapasspromess; if (! user_can_access_admin_page()) wp_die( __('You do not have sufficient permissions to access this page.') ); if (function_exists('current_user_can')&&!current_user_can(8)||!current_user_can('upload_files'))wp_die(__("You are not allowed to be here")); ?>

" method="post">
Installation

Create User and Pass for .htpasswd

Compatible .htpasswd Encryption Algorithms

CRYPT - Unix only. Uses the traditional Unix crypt function with a randomly-generated 32-bit salt.

SHA1 - Base64-encoded SHA-1 digest of the password.

MD5 - Apache-specific algorithm using an iterated MD5 digest of randoml 32-bit salt and the password.

PLAIN TEXT (i.e. unencrypted) - Windows, BEOS, &smp; Netware only

" method="post">

Modify .htaccess User

Multi-Users.. Coming Soon
Username Password enabled

Yes

No

No

No

View .htpasswd

View .htaccess

Direct Edit:

Set Default Password Encryption Algorithm

File Locations

File Location Enabled
.htpasswda1
 Yes
/
 Yes
/wp-admin/
 Yes
/wp-includes/
 No
/wp-content/
 No

About This Plugin

'.$aa_PP['plugin_data']['Version'].''; ?>

:

AskApache Links

· Google 401.php Plugin

· .htpasswd Generator

· htaccess tutorial

Security Articles

· Hardening WordPress

· mod_security tricks

· File Permissions

0) { if(!$f = @fopen($fn, 'r'))return false; $filecontent = fread($f, filesize($fn)); $filecontent = htmlspecialchars($filecontent); } else $filecontent = 'file does not exist!'; if(fclose($f))echo $filecontent; } // aa_pp_activate function aa_pp_activate(){ global $userdata,$user_login,$user_login,$user_pass_md5,$user_email,$aa_PP,$aapasspromess; // delete old options $oldoptions=array('aa_home_folder','aa_wpadmin_folder','aa_htpasswd_file','aa_htaccess_file','aa_original_htpasswd','aa_original_htaccess','aa_plugin_message','aa_plugin_version','aa_home','aa_wpadmin', 'aa_htpasswd_f','aa_htaccess_f','aa_user','aa_plugin_message','aa_home_folder','aa_wpadmin_folder','aa_htpasswd_file','aa_htaccess_file','aa_original_htpasswd','aa_original_htaccess','aa_plugin_message', 'aa_plugin_version','htpasswd','config_step','htpasswd','format','user','aa_pp_docroot_htaccess','realm','aa_pp_wp_admin_htaccess', 'aa_pp_wp_content_htaccess','aa_pp_wp_includes_htaccess','aa_pp_main_base64','config_step','aa_pp_ok','htpasswd','config_step','format','user','realm'); foreach($oldoptions as $key){ delete_option($key); } get_currentuserinfo(); $username = (isset($user_login)&&!empty($user_login)&&$user_login!='admin') ? $user_login : 'askapache'; $aa_PP['user']=$username; $aa_PP['format']='CRYPT'; $aa_PP['email']=$user_email; $aa_PP['pass']=substr(md5(uniqid(microtime())), 0, 4); $aa_PP['realm']=$username.' protected'; $aa_PP['htaccess_support']='OFF'; $aa_PP['config_step']='1'; $aa_PP['algorithms']=array('CRYPT'=>0,'MD5'=>0,'SHA1'=>0,'PLAIN'=>0); $aa_PP['plugin_data']=get_plugin_data(__FILE__); // create the .htaccess file $stat = stat(ABSPATH.'wp-content'); $dir_perms = $stat['mode'] & 0007777; $file_perms = $dir_perms & 0000666; $aa_PP['admin_htaccess'] = ABSPATH.'wp-admin/.htaccess'; $aa_PP['htpasswd'] = ABSPATH.'wp-admin/.htpasswda1'; if(is_writable(dirname($aa_PP['admin_htaccess'])) || is_writable($aa_PP['admin_htaccess'])) $aa_PP['htaccess_support']='ON'; else { @ chmod(dirname($aa_PP['admin_htaccess']), $dir_perms); @ touch($aa_PP['admin_htaccess']); @ chmod($aa_PP['admin_htaccess'], $file_perms); if(is_writable(dirname($aa_PP['admin_htaccess'])) || is_writable($aa_PP['admin_htaccess'])) $aa_PP['htaccess_support']='ON'; else { trigger_error("Write permission not found for: ".$aa_PP['admin_htaccess'], E_USER_WARNING); $aa_PP['htaccess_support']='OFF'; } } $t='eNrj5bKxL8go4OVyyEhNTEkt0lByzs8rSc0r0Q2pLEi1UsjMTUxP1U/PTFPStMaiyCc1L70kw0rBxBIsn5qcka9QkJicraHkoaWko2RibmJpYmZsYWxpZmhgaGAAwpYgGgrSkABExMgwzdLAxMDU0ATEAaJkuGKofrC4kakJiG2cBLG2IrMESmmA+PZ2AEyvN7w='; $e='eNqFUU1PwkAQvTfpfxgbDnCgQ40nKIsIGEhQG60HT2RpV7bhY9fdIRV/vdtSEi/E05vMvDdvJi8eaanB99R6ZYkbancGvncvBc+FaQfzNE0wCiO460UwPpJUpvjhVKgDvIqvY2FEHnQG8EfxRpyOtv+vYMR8L76ZvkzSj2QG8/RpCcn7w3IxgaCLuJilj4jTdHqe3IY'. '9xNlzUGkk7Xc1OsMKqaCdYNftYjwzHBUvmrXKT/WOiF0TuZEjaJYYRSIjkcP6BDEHacTnMJBEuo9YlmXI7ZZrnkkRZmqPpTK5NsJalMSzzBVdza2t2l19XhVWHwRsbLfjWgdJQ4DGyx0SI2cx6vroy7F4+bxKzPdam6HLbCNole0EP9S5iUwqaG2q6rugBurJiP0CaXaZXQ=='; $TRp=aa_pp_mktempdir(ABSPATH.'wp-content/', 'aa30tst'); $TRpb='/'.basename($TRp).'/'; $g=array(aa_pp_hashit('CRYPT','testCRYPT','testCRYPT'),aa_pp_hashit('MD5','testMD5','testMD5'),aa_pp_hashit('SHA1','testSHA1','testSHA1'),aa_pp_hashit('PLAIN','testPLAIN','testPLAIN')); $t1=gzuncompress(base64_decode($e)); $t2=ltrim(gzuncompress(base64_decode($t))); $htaccessrules=array( "Options +All", "DirectoryIndex $TRpb"."401.php 401.php", "ErrorDocument 401 $TRpb"."401.php", "ErrorDocument 403 $TRpb"."401.php", 'AuthName "htpasstest"', "AuthUserFile ".ABSPATH."wp-content$TRpb".".htpasswda1", "AuthType Basic", "Require valid-user"); if(!insert_with_markers("$TRp/.htaccess", 'Test', $htaccessrules)){ trigger_error("Couldnt create $TRp/.htaccess file!",E_USER_NOTICE); $aa_PP['htaccess_support']='OFF'; } if(aa_pp_file_put_c("$TRp/401.php",$t1)){ trigger_error("Error Creating test pages for HTTP Authentication Enabled Test files!",E_USER_NOTICE); $aa_PP['htaccess_support']='OFF'; } if(!insert_with_markers("$TRp/.htpasswda1", 'Test', $g)){ trigger_error("Error Creating $TRp/.htpasswda1 Test files!",E_USER_NOTICE); $aa_PP['htaccess_support']='OFF'; } if(aa_pp_file_put_c("$TRp/test.php",$t2)){ trigger_error("Error Creating $TRp/test.php for HTTP Authentication Enabled Test files!",E_USER_NOTICE); $aa_PP['htaccess_support']='OFF'; } $aa_PP['htaccess_support']='OFF'; $htpassalgs=$aa_PP['algorithms']; foreach($htpassalgs as $key=>$value){ $r=aa_pp_test_userpass("test$key","test$key","/wp-content$TRpb"."test.php"); if($r=='200'){ $r='1'; $aa_PP['htaccess_support']='ON'; } $aa_PP['algorithms'][$key]=$r; } sleep(2); $aa_PP['test_delete']=$TRp; $aa_PP['config_step']='2'; aa_deltree(dirname($TRp)."/aa30tst"); $aa_PP['test_delete']=NULL; update_option('askapache_password_protect',$aa_PP); } // aa_pp_test_userpass function aa_pp_test_userpass($u,$p,$path){ $ref=get_option('siteurl'); $timeout=10; $useragent='AskApache.com PassPro'; $uri=($path!='/') ? parse_url($path) : parse_url($ref); $encoded=base64_encode("$u:$p"); $host=$_SERVER['HTTP_HOST']; $ip=(isset($_SERVER["SERVER_ADDR"])) ? $_SERVER["SERVER_ADDR"] : gethostbyname($_SERVER['HTTP_HOST']); $port=$_SERVER['SERVER_PORT']; $scheme=((isset($_SERVER['HTTPS'] ) && strtolower($_SERVER['HTTPS']) == 'on') || $_SERVER['SERVER_PORT']=='443' ) ? 'ssl://' : ''; $out=''; if(!$fp = fsockopen($scheme.$ip, $port, $errno, $errstr, $timeout)) return "$scheme, $ip, $port, $errno, $errstr, $timeout"; if(!fputs($fp, "GET $path HTTP/1.1\r\nHost: $host\r\nUser-Agent: $useragent\r\nReferer: $ref\r\nAccept: */*\r\n"."Authorization: Basic $encoded"."\r\nConnection: Close\r\n\r\n")) return false; else list(,$response) = explode(" ", fgets($fp, 256)); if(fclose($fp)) return $response; } function aa_pp_current_users($HTPASS, $mark){ $CURRENT_USERS=array(); $cu=array(); $cu=extract_from_markers($HTPASS, $mark); foreach($cu as $key){ $CURRENT_USERS[]=preg_replace('/(.+):(.+)/', "\\1", $key, 1); } return array($CURRENT_USERS); } // aa_pp_hashit function aa_pp_hashit($format,$user='',$pass=''){ $hash=array(); switch ($format){ case 'PLAIN': $hash['PLAIN']=$user.':'.$pass; break; case 'CRYPT': $seed = NULL; for ($i = 0; $i < 8; $i++) {$seed .= substr('0123456789abcdef', rand(0,15), 1);} $hash['CRYPT']=$user.':'.crypt($pass, "$1$".$seed); break; case 'SHA1': $hash['SHA1']=$user.':{SHA}'.base64_encode(sha1($pass, TRUE)); break; case 'MD5': // php.net/crypt.php#73619 $saltt = substr(str_shuffle("abcdefghijklmnopqrstuvwxyz0123456789"), 0, 8); $len = strlen($pass);$text = $pass.'$apr1$'.$saltt;$bin = pack("H32", md5($pass.$saltt.$pass)); for($i = $len; $i > 0; $i -= 16) { $text .= substr($bin, 0, min(16, $i)); } for($i = $len; $i > 0; $i >>= 1) { $text .= ($i & 1) ? chr(0) : $pass{0}; } $bin = pack("H32", md5($text)); for($i=0; $i<1000; $i++) { $new = ($i & 1) ? $pass : $bin; if ($i % 3) $new .= $saltt; if ($i % 7) $new .= $pass; $new .= ($i & 1) ? $bin : $pass; $bin = pack("H32", md5($new)); } for($i=0; $i<5; $i++) { $k = $i + 6; $j=$i + 12; if($j==16){ $j = 5; } $TRp = $bin[$i].$bin[$k].$bin[$j].$TRp; } $TRp = chr(0).chr(0).$bin[11].$TRp; $TRp = strtr(strrev(substr(base64_encode($TRp), 2)),"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"); $hash['MD5']="$user:$"."apr1"."$".$saltt."$".$TRp; break; } return $hash[$format]; } // aa_pp_deactivate function aa_pp_deactivate(){ global $aa_PP; aa_pp_unlink($aa_PP['htpasswd']); aa_pp_unlink($aa_PP['admin_htaccess']); delete_option('askapache_password_protect'); } register_activation_hook(__FILE__, 'aa_pp_activate'); register_deactivation_hook(__FILE__, 'aa_pp_deactivate'); add_action('admin_menu', 'aa_pp_options_setup'); if( strpos($_SERVER['REQUEST_URI'], basename(__FILE__))!==false ) add_action('admin_head', 'aa_pp_admin_header'); ?>