Options configuration panel Version: 3.5 Author: AskApache Author URI: http://www.askapache.com */ /* == Installation == 1. Extract zip so- wp-content/plugins/askapache-password-protect/askapache-password-protect.php 2. Activate the Plugin. 3. Setup plugin options */ /* /--------------------------------------------------------------------\ | | | License: GPL | | | | AskApache Password Protect Plugin - Adds HTTP Basic Authentication | | Copyright (C) 2008, AskApache, www.askapache.com | | All rights reserved. | | | | This program is free software; you can redistribute it and/or | | modify it under the terms of the GNU General Public License | | as published by the Free Software Foundation; either version 2 | | of the License, or (at your option) any later version. | | | | This program is distributed in the hope that it will be useful, | | but WITHOUT ANY WARRANTY; without even the implied warranty of | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | | GNU General Public License for more details. | | | | You should have received a copy of the GNU General Public License | | along with this program; if not, write to the | | Free Software Foundation, Inc. | | 51 Franklin Street, Fifth Floor | | Boston, MA 02110-1301, USA | | | \--------------------------------------------------------------------/ */ ?> 10)$aa_PP['realm']=substr($aa_PP['realm'], 0, 10); $aa_PP['change_htaccess']='1'; } if(isset($_POST['htaccessuser']) && $_POST['htaccessuser']!=$aa_PP['user']){ $aa_PP['user']=$_POST['htaccessuser']; $aa_PP['change_htpasswd']='1'; } if(isset($_POST['htaccesspass'])||isset($_POST['modifyuser'])) { $aa_PP['change_htpasswd']='1'; $aa_PP['change_htaccess']='1'; } if(isset($_POST['htpasswdfile']) && $_POST['htpasswdfile']!=$aa_PP['htpasswd']) { if(is_writable(dirname($_POST['htpasswdfile'])) && touch($_POST['htpasswdfile'])){ $aa_PP['htpasswd']=$_POST['htpasswdfile']; $aa_PP['change_htpasswd']='1'; } else trigger_error($_POST['htpasswdfile'].' 
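location is not writable!',E_USER_ERROR);
    }
    if(isset($_POST['aapassformat1']) && $_POST['aapassformat1']!=$aa_PP['format']){
        $aa_PP['format']=$_POST['aapassformat1'];
        $aa_PP['change_htpasswd']='1';
    }
    if(isset($_POST['aapassformat']) && $_POST['aapassformat']!=$aa_PP['format']){
        $aa_PP['format']=$_POST['aapassformat'];
        $aa_PP['change_htpasswd']='1';
    }
    update_option('askapache_password_protect',$aa_PP);
}

// aa_pp_rules_for_admin
/**
 * Directives written to wp-admin/.htaccess: HTTP Basic authentication for the
 * whole directory, with the static asset types the options page describes as
 * exempt ("css, js, images") allowed through without credentials.
 *
 * @param string $realm    AuthName shown in the browser prompt (POST-supplied upstream).
 * @param string $htpasswd Absolute path of the .htpasswd file.
 * @return array One directive per element, in file order.
 */
function aa_pp_rules_for_admin($realm, $htpasswd){
    // A double quote or line break inside the realm would close the AuthName
    // argument and let the POST-supplied value append its own directives.
    $realm = str_replace(array('"', "\r", "\n"), '', $realm);
    return array(
        'AuthName "'.$realm.'"',
        // Quoted so an install path containing spaces still parses.
        'AuthUserFile "'.$htpasswd.'"',
        'AuthType Basic',
        'Order Deny,Allow',
        'Deny from all',
        'Require valid-user',
        'Satisfy Any',
        // NOTE(review): the listing this was rebuilt from had two empty strings
        // around "Allow from all" (tag-stripped container lines). Without a
        // FilesMatch container, "Satisfy Any" plus a bare "Allow from all"
        // waives the password for every file, so the exemption is scoped here
        // to the static types the page describes. Confirm the extension list
        // against the upstream release.
        '<FilesMatch "\.(css|js|gif|jpe?g|png|ico)$">',
        'Allow from all',
        '</FilesMatch>',
    );
}

// aa_pp_rules_deny_php
/**
 * Directives that answer any direct request for a .php file below /<subdir>/
 * with 403 Forbidden (the wp-content / wp-includes modules).
 *
 * @param string $subdir 'wp-content' or 'wp-includes'.
 * @return array One directive per element.
 */
function aa_pp_rules_deny_php($subdir){
    return array(
        // The IfModule guard keeps the site from returning 500s when
        // mod_rewrite is absent (the listing showed empty strings here, i.e.
        // stripped container tags).
        '<IfModule mod_rewrite.c>',
        'RewriteEngine On',
        'RewriteBase /',
        'RewriteCond %{THE_REQUEST} ^.*/'.$subdir.'/.*$ [NC]',
        'RewriteCond %{REQUEST_FILENAME} ^.+\.php$',
        'RewriteRule .* - [F]',
        '</IfModule>',
    );
}

// aa_pp_write_markers
/**
 * Replace $file with a fresh 'AskApache PassPro' marker section holding
 * $rules. Raises E_USER_ERROR with $errmsg when the write fails (the script
 * stops there unless an error handler intervenes).
 *
 * @param string $file   Absolute path of the file to rewrite.
 * @param array  $rules  Lines to place between the markers.
 * @param string $errmsg Message for the E_USER_ERROR on failure.
 * @return bool true on success, false after a swallowed error.
 */
function aa_pp_write_markers($file, $rules, $errmsg){
    @ aa_pp_unlink($file);
    if(!insert_with_markers($file, 'AskApache PassPro', $rules)){
        trigger_error($errmsg, E_USER_ERROR);
        return false;
    }
    return true;
}

// aa_pp_admin_header
/**
 * admin_head handler for the options page: enforces the capability check,
 * loads the option array into $aa_PP and, on POST, applies the submitted
 * configuration step (2 = create user/pass, 3/4 = toggle the three .htaccess
 * modules and optionally change the password).
 *
 * Side effects: rewrites or unlinks files under wp-admin, wp-content and
 * wp-includes, and saves the 'askapache_password_protect' option.
 */
function aa_pp_admin_header(){
    global $aa_PP;
    // The original test was "exists && !level8 || !upload_files", so the
    // right-hand call ran even when current_user_can() did not exist. Same
    // effective requirement (level 8 and upload_files), without the fatal.
    if(!function_exists('current_user_can') || !current_user_can(8) || !current_user_can('upload_files'))
        wp_die(__("You are not allowed to be here"));

    $aa_PP = get_option('askapache_password_protect');
    $aa_PP['htaccessusers'] = aa_pp_current_users($aa_PP['htpasswd'], 'AskApache PassPro');
    if($_SERVER['REQUEST_METHOD'] !== 'POST') return;

    check_admin_referer('askapache-password-protect-update_modify');
    // Read once; the original indexed $_POST['htaccesspass'] without isset().
    $newpass = isset($_POST['htaccesspass']) ? (string) $_POST['htaccesspass'] : '';

    if($aa_PP['config_step'] == '2'){
        aa_pp_get_post_values();
        // Never seed the .htpasswd with the hash of an empty password; the
        // original hashed the POST field even when it was absent.
        if($newpass === '')
            trigger_error('A password is required to create '.$aa_PP['htpasswd'], E_USER_ERROR);
        $aa_PP['admin_htaccess_rules'] = aa_pp_rules_for_admin($aa_PP['realm'], $aa_PP['htpasswd']);
        aa_pp_write_markers($aa_PP['admin_htaccess'], $aa_PP['admin_htaccess_rules'], "Couldnt create wp-admin/.htaccess file!");
        // The hash line is also persisted in wp_options (as the original did);
        // treat the option row with the same care as the file.
        $aa_PP['htpasswd_rules'] = array(aa_pp_hashit($aa_PP['format'], $aa_PP['user'], $newpass));
        aa_pp_write_markers($aa_PP['htpasswd'], $aa_PP['htpasswd_rules'], 'Error Creating '.$aa_PP['htpasswd']);
        $aa_PP['config_step'] = '3';
        update_option('askapache_password_protect', $aa_PP);
    }

    // Deliberately falls through from step 2 within the same request, as the
    // original did.
    if($aa_PP['config_step'] == '3' || $aa_PP['config_step'] == '4'){
        aa_pp_get_post_values();

        if(isset($_POST['togglewpincludes'])){
            $aa_PP['wpincludes_htaccess_rules'] = aa_pp_rules_deny_php('wp-includes');
            aa_pp_write_markers($aa_PP['wpincludes_htaccess'], $aa_PP['wpincludes_htaccess_rules'], "Couldnt create ".$aa_PP['wpincludes_htaccess']." file!");
        } else {
            @ aa_pp_unlink($aa_PP['wpincludes_htaccess']);
        }

        if(isset($_POST['togglewpcontent'])){
            $aa_PP['wpcontent_htaccess_rules'] = aa_pp_rules_deny_php('wp-content');
            aa_pp_write_markers($aa_PP['wpcontent_htaccess'], $aa_PP['wpcontent_htaccess_rules'], "Couldnt create ".$aa_PP['wpcontent_htaccess']." file!");
        } else {
            @ aa_pp_unlink($aa_PP['wpcontent_htaccess']);
        }

        if(isset($_POST['togglewpadmin'])){
            $aa_PP['admin_htaccess_rules'] = aa_pp_rules_for_admin($aa_PP['realm'], $aa_PP['htpasswd']);
            if(aa_pp_write_markers($aa_PP['admin_htaccess'], $aa_PP['admin_htaccess_rules'], "Couldnt create ".$aa_PP['admin_htaccess']." file!"))
                $aa_PP['change_htaccess'] = '0';
        } else {
            @ aa_pp_unlink($aa_PP['admin_htaccess']);
            $aa_PP['change_htaccess'] = '0';
        }

        // Only reachable when an error handler swallowed the E_USER_ERROR
        // above; kept so a realm/htpasswd-path change is still written then.
        if($aa_PP['change_htaccess'] == '1'){
            $aa_PP['admin_htaccess_rules'] = aa_pp_rules_for_admin($aa_PP['realm'], $aa_PP['htpasswd']);
            if(aa_pp_write_markers($aa_PP['admin_htaccess'], $aa_PP['admin_htaccess_rules'], "Couldnt create ".$aa_PP['admin_htaccess']." file!"))
                $aa_PP['change_htaccess'] = '0';
        }

        // Minimum length of 2 is the original threshold.
        if($aa_PP['change_htpasswd'] == '1' && strlen($newpass) > 1){
            $aa_PP['htpasswd_rules'] = array(aa_pp_hashit($aa_PP['format'], $aa_PP['user'], $newpass));
            if(aa_pp_write_markers($aa_PP['htpasswd'], $aa_PP['htpasswd_rules'], 'Error Creating '.$aa_PP['htpasswd']))
                $aa_PP['change_htpasswd'] = '0';
        }

        $aa_PP['config_step'] = '4';
        update_option('askapache_password_protect', $aa_PP);
    }
}

function aa_pp_show_encryptions($label,$type=0){ global $aa_PP; if($type==0){ ?>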

';print_r($aa_PP);echo '';?>
" method="post">
Installation

Create User and Pass for .htpasswd

AskApache PassPro Encryption Algorithm Descriptions

CRYPT - Unix only. Verified through the system crypt() function. This plugin writes the MD5-based crypt form ($1$ prefix with a randomly-generated 8-hex-character, 32-bit salt), not the traditional DES form, so the web server's crypt() must support it.

SHA1 - Base64-encoded SHA-1 digest of the password. The digest is unsalted, so identical passwords yield identical entries and precomputed-hash attacks apply; prefer MD5 or CRYPT where the server accepts them.

MD5 - Apache-specific ($apr1$) algorithm: 1000 iterations of MD5 over a randomly-generated 8-character salt and the password.

PLAIN TEXT (i.e. unencrypted) - Windows, BEOS, &amp; Netware only. The password is written as-is into the .htpasswd file, so anyone able to read that file has the password.





Configurable .htaccess Security Modules

Protecting Description Enable
/wp-admin/*.*
Requires a valid user/pass to access any non-static (css, js, images) file in this directory />
/wp-content/*.php
Denies any Direct request for files ending in .php with a 403 Forbidden />
/wp-includes/*.php
Denies any Direct request for files ending in .php with a 403 Forbidden />


Modify .htaccess User

Multi-Users.. Coming Soon
Username Password enabled

Yes



View


View wp-admin .htaccess



View wp-content .htaccess



View wp-includes/.htaccess



Set Default Password Encryption Algorithm

*/?>


About This Plugin

'.$aa_PP['plugin_data']['Version'].''; ?>

:

AskApache Links

· Google 401.php Plugin

· .htpasswd Generator

· htaccess tutorial

Security Articles

· Hardening WordPress

· mod_security tricks

· File Permissions



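0) { if(!$f = @fopen($fn, 'r'))return false; $filecontent = fread($f, filesize($fn)); $filecontent = htmlspecialchars($filecontent); } else $filecontent = 'file does not exist!'; if(fclose($f))echo $filecontent; }
// (tail of the file-viewer helper; its head is not part of this listing)

// aa_pp_test_userpass
/**
 * Probe $path on this same server with HTTP Basic credentials and report the
 * status code Apache answered with. Used on activation to learn which
 * .htpasswd hash formats the server accepts.
 *
 * The request is written by hand to SERVER_ADDR over a raw socket, so the
 * credentials travel in the clear between PHP and the local web server.
 *
 * @param string $u    Username.
 * @param string $p    Password.
 * @param string $path Request path ('/' means the site URL from options).
 * @return string|false The status code as a string ("200", "401", ...);
 *                      false when the request could not be sent or no status
 *                      line came back; a diagnostic string when the socket
 *                      could not be opened (kept from the original).
 */
function aa_pp_test_userpass($u,$p,$path){
    $ref = get_option('siteurl');
    $timeout = 10;
    $useragent = 'AskApache.com PassPro';
    $encoded = base64_encode("$u:$p");
    // HTTP_HOST comes from the activating request (client-supplied); it is
    // only echoed back to this server as the Host header.
    $host = $_SERVER['HTTP_HOST'];
    $ip = isset($_SERVER['SERVER_ADDR']) ? $_SERVER['SERVER_ADDR'] : gethostbyname($host);
    $port = $_SERVER['SERVER_PORT'];
    $is_ssl = (isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') || $port == '443';
    $scheme = $is_ssl ? 'ssl://' : '';

    $fp = fsockopen($scheme.$ip, $port, $errno, $errstr, $timeout);
    if(!$fp) return "$scheme, $ip, $port, $errno, $errstr, $timeout";

    $request = "GET $path HTTP/1.1\r\nHost: $host\r\nUser-Agent: $useragent\r\nReferer: $ref\r\nAccept: */*\r\n"
             . "Authorization: Basic $encoded"
             . "\r\nConnection: Close\r\n\r\n";
    if(!fputs($fp, $request)){
        fclose($fp);
        return false;
    }
    // Status line looks like "HTTP/1.1 200 OK". fgets() returns false on an
    // empty reply; the original fed that straight into explode()/list().
    $status_line = fgets($fp, 256);
    fclose($fp);
    if($status_line === false) return false;
    $parts = explode(' ', $status_line);
    return isset($parts[1]) ? $parts[1] : false;
}

// aa_pp_current_users
/**
 * List the usernames held in the marker section $mark of the htpasswd file
 * $HTPASS.
 *
 * @param string $HTPASS Path of the .htpasswd file.
 * @param string $mark   Marker name passed to extract_from_markers().
 * @return array A single-element array wrapping the list of usernames
 *               (the original's shape, kept for callers).
 */
function aa_pp_current_users($HTPASS, $mark){
    $users = array();
    $lines = (array) extract_from_markers($HTPASS, $mark);
    foreach($lines as $line){
        // htpasswd lines are "user:hash"; the user is everything before the
        // FIRST colon. The original /(.+):(.+)/ was greedy, so a PLAIN entry
        // whose password contained ':' reported "user:pa" as the name.
        $pos = strpos($line, ':');
        $users[] = ($pos === false) ? $line : substr($line, 0, $pos);
    }
    return array($users);
}

// aa_pp_salt_chars
/**
 * Return $len characters drawn from $alphabet. random_int() (CSPRNG, PHP 7+)
 * is used when present; older PHP falls back to mt_rand(). The original drew
 * salts from rand()/str_shuffle().
 *
 * @param string $alphabet Characters to choose from.
 * @param int    $len      Number of characters wanted.
 * @return string
 */
function aa_pp_salt_chars($alphabet, $len){
    $max = strlen($alphabet) - 1;
    $out = '';
    for($i = 0; $i < $len; $i++){
        $pick = function_exists('random_int') ? random_int(0, $max) : mt_rand(0, $max);
        $out .= $alphabet[$pick];
    }
    return $out;
}

// aa_pp_hashit
/**
 * Build one htpasswd line ("user:hash") for the requested format.
 *
 * Formats: 'PLAIN' (password verbatim), 'CRYPT' (MD5-based crypt, "$1$" +
 * 8 hex salt, verified by the system crypt()), 'SHA1' ("{SHA}" + base64 of the
 * unsalted SHA-1 digest) and 'MD5' (Apache's "$apr1$" iterated MD5, ported
 * from php.net/crypt.php#73619).
 *
 * Raises E_USER_ERROR for an unknown format, an empty user or password, a
 * username that could corrupt the file (':' or line breaks, which add fields
 * or entries; a leading '#', which Apache reads as a comment), or a PLAIN
 * password containing line breaks. The original silently returned '' for an
 * unknown format.
 *
 * @param string $format 'PLAIN' | 'CRYPT' | 'SHA1' | 'MD5'
 * @param string $user
 * @param string $pass
 * @return string The htpasswd line.
 */
function aa_pp_hashit($format,$user='',$pass=''){
    if(!function_exists('crypt') || !function_exists('sha1'))
        trigger_error("Error Creating .htpasswd hashes! 
Need crypt or sha1",E_USER_ERROR);

    if($user === '' || preg_match('/[:\r\n\0]/', $user) || $user[0] === '#')
        trigger_error('Invalid .htpasswd username', E_USER_ERROR);
    if($pass === '')
        trigger_error('Refusing to hash an empty password', E_USER_ERROR);
    if($format === 'PLAIN' && preg_match('/[\r\n\0]/', $pass))
        trigger_error('Invalid characters in plain-text password', E_USER_ERROR);

    switch($format){
        case 'PLAIN':
            return $user.':'.$pass;

        case 'CRYPT':
            // "$1$" selects MD5-crypt in the system crypt(); 8 hex chars of salt.
            $salt = aa_pp_salt_chars('0123456789abcdef', 8);
            return $user.':'.crypt($pass, '$1$'.$salt);

        case 'SHA1':
            // Unsalted; offered because Apache accepts it on every platform.
            return $user.':{SHA}'.base64_encode(sha1($pass, TRUE));

        case 'MD5':
            $salt = aa_pp_salt_chars('abcdefghijklmnopqrstuvwxyz0123456789', 8);
            $len = strlen($pass);
            $text = $pass.'$apr1$'.$salt;
            $bin = pack("H32", md5($pass.$salt.$pass));
            for($i = $len; $i > 0; $i -= 16){
                $text .= substr($bin, 0, min(16, $i));
            }
            // $pass[0] replaces the $pass{0} offset syntax removed in PHP 8.
            for($i = $len; $i > 0; $i >>= 1){
                $text .= ($i & 1) ? chr(0) : $pass[0];
            }
            $bin = pack("H32", md5($text));
            // The 1000-round stretch that gives apr1 its cost.
            for($i = 0; $i < 1000; $i++){
                $new = ($i & 1) ? $pass : $bin;
                if($i % 3) $new .= $salt;
                if($i % 7) $new .= $pass;
                $new .= ($i & 1) ? $bin : $pass;
                $bin = pack("H32", md5($new));
            }
            // Byte transposition + apr1's own base64 alphabet. $enc is
            // initialised here; the original concatenated onto an undefined
            // variable.
            $enc = '';
            for($i = 0; $i < 5; $i++){
                $k = $i + 6;
                $j = $i + 12;
                if($j == 16) $j = 5;
                $enc = $bin[$i].$bin[$k].$bin[$j].$enc;
            }
            $enc = chr(0).chr(0).$bin[11].$enc;
            $enc = strtr(
                strrev(substr(base64_encode($enc), 2)),
                "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",
                "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
            );
            return $user.':$apr1$'.$salt.'$'.$enc;

        default:
            trigger_error('Unknown .htpasswd hash format: '.$format, E_USER_ERROR);
            return '';
    }
}

// aa_pp_activate
/**
 * Activation hook: drops options left by older versions, seeds the
 * 'askapache_password_protect' option with defaults, then probes the server
 * through a throw-away protected directory under wp-content to learn whether
 * .htaccess authentication works and which htpasswd hash formats Apache
 * accepts. The scratch directory is removed at the end.
 */
function aa_pp_activate(){
    global $user_login, $user_email, $aa_PP;

    // NOTE(review): several of these legacy names ('user', 'format', 'realm',
    // 'htpasswd', 'config_step') are generic enough to belong to another
    // plugin; delete_option() removes them regardless of owner.
    $oldoptions = array(
        'aa_home_folder','aa_wpadmin_folder','aa_htpasswd_file','aa_htaccess_file',
        'aa_original_htpasswd','aa_original_htaccess','aa_plugin_message','aa_plugin_version',
        'aa_home','aa_wpadmin','aa_htpasswd_f','aa_htaccess_f','aa_user',
        'htpasswd','config_step','format','user','realm',
        'aa_pp_docroot_htaccess','aa_pp_wp_admin_htaccess','aa_pp_wp_content_htaccess',
        'aa_pp_wp_includes_htaccess','aa_pp_main_base64','aa_pp_ok',
    );
    foreach($oldoptions as $key){
        delete_option($key);
    }

    get_currentuserinfo();
    // Never default the htpasswd user to the literal 'admin' login.
    $username = (isset($user_login) && !empty($user_login) && $user_login != 'admin') ? $user_login : 'askapache';
    $aa_PP['user'] = $username;
    $aa_PP['format'] = 'CRYPT';
    $aa_PP['email'] = $user_email;
    // Suggested initial password. The original kept only 4 hex characters
    // (a 16-bit secret); nothing in this listing reads the value, so the
    // length is raised without changing how it is produced.
    $aa_PP['pass'] = substr(md5(uniqid(microtime(), true)), 0, 12);
    $aa_PP['realm'] = 'Protected By AskApache';
    $aa_PP['htaccess_support'] = '0';
    $aa_PP['config_step'] = '1';
    $aa_PP['algorithms'] = array('CRYPT'=>0,'MD5'=>0,'SHA1'=>0,'PLAIN'=>0);
    $aa_PP['plugin_data'] = get_plugin_data(__FILE__);
    $aa_PP['change_htpasswd'] = '0';
    $aa_PP['change_htaccess'] = '0';

    // File locations. The .htpasswd lives inside the web root (wp-admin), so
    // it depends on the server's usual "deny .ht*" rule to stay unreadable.
    $aa_PP['admin_htaccess'] = ABSPATH.'wp-admin/.htaccess';
    $aa_PP['wpincludes_htaccess'] = ABSPATH.'wp-includes/.htaccess';
    $aa_PP['wpcontent_htaccess'] = ABSPATH.'wp-content/.htaccess';
    $aa_PP['htpasswd'] = ABSPATH.'wp-admin/.htpasswda1';
    @ aa_pp_unlink($aa_PP['admin_htaccess']);
    @ aa_pp_unlink($aa_PP['htpasswd']);

    // gzip+base64 payloads for the probe's test.php ($t) and 401.php ($e).
    // They are opaque in this listing: decode and review them before trusting
    // a build, since they are written as executable PHP under wp-content.
    $t = 'eNrj5bKxL8go4OVyyEhNTEkt0lByzs8rSc0r0Q2pLEi1UsjMTUxP1U/PTFPStMaiyCc1L70kw0rBxBIsn5qcka9QkJicraHkoaWko2RibmJpYmZsYWxpZmhgaGAAwpYgGgrSkABExMgwzdLAxMDU0ATEAaJkuGKofrC4kakJiG2cBLG2IrMESmmA+PZ2AEyvN7w=';
    $e = 'eNqFUU1PwkAQvTfpfxgbDnCgQ40nKIsIGEhQG60HT2RpV7bhY9fdIRV/vdtSEi/E05vMvDdvJi8eaanB99R6ZYkbancGvncvBc+FaQfzNE0wCiO460UwPpJUpvjhVKgDvIqvY2FEHnQG8EfxRpyOtv+vYMR8L76ZvkzSj2QG8/RpCcn7w3IxgaCLuJilj4jTdHqe3IY'
       . '9xNlzUGkk7Xc1OsMKqaCdYNftYjwzHBUvmrXKT/WOiF0TuZEjaJYYRSIjkcP6BDEHacTnMJBEuo9YlmXI7ZZrnkkRZmqPpTK5NsJalMSzzBVdza2t2l19XhVWHwRsbLfjWgdJQ4DGyx0SI2cx6vroy7F4+bxKzPdam6HLbCNole0EP9S5iUwqaG2q6rugBurJiP0CaXaZXQ==';

    $testdir = aa_pp_mktempdir(ABSPATH.'wp-content/', 'aa30tst');
    $testurl = '/'.basename($testdir).'/';
    $probe_entries = array(
        aa_pp_hashit('CRYPT','testCRYPT','testCRYPT'),
        aa_pp_hashit('MD5','testMD5','testMD5'),
        aa_pp_hashit('SHA1','testSHA1','testSHA1'),
        aa_pp_hashit('PLAIN','testPLAIN','testPLAIN'),
    );
    $page401 = gzuncompress(base64_decode($e));
    $pagetest = ltrim(gzuncompress(base64_decode($t)));

    // NOTE(review): "Options +All" switches on Indexes/Includes/ExecCGI in a
    // web-reachable directory for the life of the probe (a few seconds).
    $htaccessrules = array(
        "Options +All",
        "DirectoryIndex ".$testurl."401.php 401.php",
        "ErrorDocument 401 ".$testurl."401.php",
        "ErrorDocument 403 ".$testurl."401.php",
        'AuthName "htpasstest"',
        "AuthUserFile ".ABSPATH."wp-content".$testurl.".htpasswda1",
        "AuthType Basic",
        "Require valid-user",
    );
    if(!insert_with_markers("$testdir/.htaccess", 'Test', $htaccessrules)){
        trigger_error("Couldnt create $testdir/.htaccess file!", E_USER_NOTICE);
        $aa_PP['htaccess_support'] = '0';
    }
    // NOTE(review): aa_pp_file_put_c() is not in this listing; the original
    // treated a truthy return as failure and that is preserved here — verify
    // its contract.
    if(aa_pp_file_put_c("$testdir/401.php", $page401)){
        trigger_error("Error Creating test pages for HTTP Authentication Enabled Test files!", E_USER_NOTICE);
        $aa_PP['htaccess_support'] = '0';
    }
    if(!insert_with_markers("$testdir/.htpasswda1", 'Test', $probe_entries)){
        trigger_error("Error Creating $testdir/.htpasswda1 Test files!", E_USER_NOTICE);
        $aa_PP['htaccess_support'] = '0';
    }
    if(aa_pp_file_put_c("$testdir/test.php", $pagetest)){
        trigger_error("Error Creating $testdir/test.php for HTTP Authentication Enabled Test files!", E_USER_NOTICE);
        $aa_PP['htaccess_support'] = '0';
    }

    // One authenticated request per format; a 200 means Apache verified that
    // hash type against the probe .htpasswd.
    foreach(array_keys($aa_PP['algorithms']) as $key){
        $r = aa_pp_test_userpass("test$key", "test$key", "/wp-content".$testurl."test.php");
        if($r == '200'){
            $aa_PP['algorithms'][$key] = '1';
            $aa_PP['htaccess_support'] = '1';
        } else {
            $aa_PP['algorithms'][$key] = '0';
        }
    }

    $aa_PP['test_delete'] = $testdir;
    $aa_PP['config_step'] = '2';
    update_option('askapache_password_protect', $aa_PP);
    sleep(2);
    aa_deltree(dirname($testdir)."/aa30tst");
}

// aa_pp_deactivate
/**
 * Deactivation hook: removes every file the plugin wrote (three .htaccess
 * files and the .htpasswd), the probe directory, and the option row.
 */
function aa_pp_deactivate(){
    global $aa_PP;
    $aa_PP = get_option('askapache_password_protect');
    if(!is_array($aa_PP)){
        // Nothing recorded: only the option row can be cleaned up.
        delete_option('askapache_password_protect');
        return;
    }
    foreach(array('wpincludes_htaccess','wpcontent_htaccess','admin_htaccess','htpasswd') as $k){
        @ aa_pp_unlink($aa_PP[$k]);
    }
    aa_deltree(dirname($aa_PP['test_delete'])."/aa30tst");
    delete_option('askapache_password_protect');
}

register_activation_hook(__FILE__, 'aa_pp_activate');
register_deactivation_hook(__FILE__, 'aa_pp_deactivate');
add_action('admin_menu', 'aa_pp_options_setup');
// The POST handler is only wired up on the plugin's own options page (the
// request URI carries this file's basename); the capability and nonce checks
// live inside aa_pp_admin_header().
if(strpos($_SERVER['REQUEST_URI'], basename(__FILE__)) !== false)
    add_action('admin_head', 'aa_pp_admin_header');
?>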