Options configuration panel
Version: 3.6.6
Author: AskApache
Author URI: http://www.askapache.com
== Installation ==
1. Extract zip in plugins directory
2. Activate the Plugin
3. Setup plugin options
*/
/*
/--------------------------------------------------------------------\
| |
| License: GPL |
| |
| AskApache Password Protect Plugin - Adds HTTP Basic Authentication |
| Copyright (C) 2008, AskApache, www.askapache.com |
| All rights reserved. |
| |
| This program is free software; you can redistribute it and/or |
| modify it under the terms of the GNU General Public License |
| as published by the Free Software Foundation; either version 2 |
| of the License, or (at your option) any later version. |
| |
| This program is distributed in the hope that it will be useful, |
| but WITHOUT ANY WARRANTY; without even the implied warranty of |
| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| GNU General Public License for more details. |
| |
| You should have received a copy of the GNU General Public License |
| along with this program; if not, write to the |
| Free Software Foundation, Inc. |
| 51 Franklin Street, Fifth Floor |
| Boston, MA 02110-1301, USA |
| |
\--------------------------------------------------------------------/
*/
?>
10)$aa_PP['realm']=substr($aa_PP['realm'], 0, 10);
$aa_PP['change_htaccess']='1';
}
if(isset($_POST['htaccessuser']) && $_POST['htaccessuser']!=$aa_PP['user']){
$aa_PP['user']=$_POST['htaccessuser'];
$aa_PP['change_htpasswd']='1';
}
if(isset($_POST['htaccesspass'])||isset($_POST['modifyuser'])) {
$aa_PP['change_htpasswd']='1';
$aa_PP['change_htaccess']='1';
}
if(isset($_POST['htpasswdfile']) && $_POST['htpasswdfile']!=$aa_PP['htpasswd']) {
if(is_writable(dirname($_POST['htpasswdfile'])) && touch($_POST['htpasswdfile'])){
$aa_PP['htpasswd']=$_POST['htpasswdfile'];
$aa_PP['change_htpasswd']='1';
} else trigger_error($_POST['htpasswdfile'].' location is not writable!',E_USER_ERROR);
}
if(isset($_POST['aapassformat1']) && $_POST['aapassformat1']!=$aa_PP['format']){
$aa_PP['format']=$_POST['aapassformat1'];
$aa_PP['change_htpasswd']='1';
}
if(isset($_POST['aapassformat']) && $_POST['aapassformat']!=$aa_PP['format']){
$aa_PP['format']=$_POST['aapassformat'];
$aa_PP['change_htpasswd']='1';
}
update_option('askapache_password_protect',$aa_PP);
}
// aa_pp_admin_header
/**
 * POST handler for the plugin's options page (registered on 'admin_head' at the end of this file).
 *
 * Loads the saved 'askapache_password_protect' option into the global $aa_PP. On a POST request it
 * verifies the admin nonce, then writes or removes the .htaccess / .htpasswd files that belong to
 * the current config_step ('2', or '3'/'4') and stores the option again.
 *
 * NOTE(review): realm, user, htpasswd path and hash format appear to be copied from $_POST into
 * $aa_PP by aa_pp_get_post_values() (only partly visible here). Below they are concatenated into
 * Apache directives and used as file paths without escaping in this function. A quote or line
 * break in the realm, or an arbitrary htpasswd path, would end up in the generated files or in
 * the unlink calls. Confirm that the helper validates them; if it does not, restrict the realm to
 * a safe character set and the path to an expected directory before use.
 */
function aa_pp_admin_header(){
global $aa_PP;
// Precedence: `A && !B || !C` groups as `(A && !B) || !C`, so current_user_can('upload_files') is
// evaluated even when function_exists() returned false.
// NOTE(review): 8 looks like a legacy numeric user level; a named capability would be clearer - confirm.
if (function_exists('current_user_can')&&!current_user_can(8)||!current_user_can('upload_files')) die(__("You are not allowed to be here"));
$aa_PP=get_option('askapache_password_protect');
// User names currently stored between the 'AskApache PassPro' markers of the htpasswd file.
$aa_PP['htaccessusers']=aa_pp_current_users($aa_PP['htpasswd'],'AskApache PassPro');
if($_SERVER['REQUEST_METHOD']==='POST')
{
// CSRF check: the nonce must have been issued for this exact action name before any file is touched.
check_admin_referer('askapache-password-protect-update_modify');
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
// Step 2: first-time setup. Both generated files are removed and rewritten from scratch.
if($aa_PP['config_step']=='2'){
aa_pp_get_post_values();
@ aa_pp_unlink($aa_PP['htpasswd']);
@ aa_pp_unlink($aa_PP['admin_htaccess']);
// NOTE(review): the empty strings in this list look like container directives lost when this page
// was extracted. Read literally, 'Allow from All' together with 'Satisfy Any' at directory level
// would let every request through without credentials - confirm against the upstream file.
$aa_PP['admin_htaccess_rules']=array(
'AuthName "'.$aa_PP['realm'].'"',
'AuthUserFile '.$aa_PP['htpasswd'],
'AuthType Basic',
'Require valid-user',
'',
'Allow from All',
'',
'',
'Allow from All',
'',
'Satisfy Any');
if(!insert_with_markers($aa_PP['admin_htaccess'], 'AskApache PassPro', $aa_PP['admin_htaccess_rules'])) trigger_error("Couldnt create wp-admin/.htaccess file!",E_USER_ERROR);
// $_POST['htaccesspass'] is read here without an isset() check; a POST without that field hashes an unset value.
$aa_PP['htpasswd_rules']=array(aa_pp_hashit($aa_PP['format'],$aa_PP['user'],$_POST['htaccesspass']));
if(!insert_with_markers($aa_PP['htpasswd'],'AskApache PassPro',$aa_PP['htpasswd_rules'])) trigger_error('Error Creating '.$aa_PP['htpasswd'].'',E_USER_ERROR);
$aa_PP['config_step']='3';
update_option('askapache_password_protect',$aa_PP);
}
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
// Steps 3 and 4: apply the per-directory toggles submitted with the form.
// Because step 2 above sets config_step to '3', a step-2 POST also falls through into this block.
if($aa_PP['config_step']=='3' || $aa_PP['config_step']=='4'){
aa_pp_get_post_values();
// Site-root .htaccess: add the Basic-auth section, or replace it with an empty one.
if(isset($_POST['togglewplogin'])) {
$aa_PP['wp_login_htaccess_rules']=array(
'',
'AuthName "'.$aa_PP['realm'].'"',
'AuthUserFile '.$aa_PP['htpasswd'],
'AuthType Basic',
'Require valid-user',
'');
$aa_PP['wp_login_htaccess_enabled']='true';
if(!insert_with_markers($aa_PP['wp_login_htaccess'], 'AskApache PassPro', $aa_PP['wp_login_htaccess_rules'])) trigger_error("Couldnt create ".$aa_PP['wp_login_htaccess']." file!",E_USER_ERROR);
} else {
insert_with_markers($aa_PP['wp_login_htaccess'], 'AskApache PassPro', array(''));
$aa_PP['wp_login_htaccess_enabled']= 'false';
}
// wp-includes: rewrite rules that answer 403 ([F]) for requests naming a .php file under
// wp-includes/, except below js/tinymce/. root_path is placed into the regex unescaped.
if(isset($_POST['togglewpincludes'])) {
@ aa_pp_unlink($aa_PP['wpincludes_htaccess']);
$aa_PP['wpincludes_htaccess_rules']=array(
'',
'RewriteEngine On',
'RewriteBase /',
'RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ '.$aa_PP['root_path'].'wp-includes/.*$ [NC]',
'RewriteCond %{REQUEST_URI} !^'.$aa_PP['root_path'].'wp-includes/js/tinymce/.*$ [NC]',
'RewriteCond %{REQUEST_FILENAME} ^.+\.php$',
'RewriteRule .* - [F,NS]',
'');
if(!insert_with_markers($aa_PP['wpincludes_htaccess'], 'AskApache PassPro', $aa_PP['wpincludes_htaccess_rules']))trigger_error("Couldnt create ".$aa_PP['wpincludes_htaccess']." file!",E_USER_ERROR);
} else @ aa_pp_unlink($aa_PP['wpincludes_htaccess']);
// wp-content: same 403 rule for .php requests, with no exception path.
if(isset($_POST['togglewpcontent'])) {
@ aa_pp_unlink($aa_PP['wpcontent_htaccess']);
$aa_PP['wpcontent_htaccess_rules']=array(
'',
'RewriteEngine On',
'RewriteBase /',
'RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ '.$aa_PP['root_path'].'wp-content/.*$ [NC]',
'RewriteCond %{REQUEST_FILENAME} ^.+\.php$',
'RewriteRule .* - [F,NS]',
'');
if(!insert_with_markers($aa_PP['wpcontent_htaccess'], 'AskApache PassPro', $aa_PP['wpcontent_htaccess_rules']))trigger_error("Couldnt create ".$aa_PP['wpcontent_htaccess']." file!",E_USER_ERROR);
} else @ aa_pp_unlink($aa_PP['wpcontent_htaccess']);
// wp-admin: rewrite the Basic-auth file, or delete it when the toggle is absent from the POST.
// An unchecked box therefore removes the protection; the same rule list as in step 2 is used.
if(isset($_POST['togglewpadmin'])) {
@ aa_pp_unlink($aa_PP['admin_htaccess']);
$aa_PP['admin_htaccess_rules']=array(
'AuthName "'.$aa_PP['realm'].'"',
'AuthUserFile '.$aa_PP['htpasswd'],
'AuthType Basic',
'Require valid-user',
'',
'Allow from All',
'',
'',
'Allow from All',
'',
'Satisfy Any');
if(!insert_with_markers($aa_PP['admin_htaccess'], 'AskApache PassPro', $aa_PP['admin_htaccess_rules'])) trigger_error("Couldnt create ".$aa_PP['admin_htaccess']." file!",E_USER_ERROR);
else $aa_PP['change_htaccess']='0';
} else {
@ aa_pp_unlink($aa_PP['admin_htaccess']);
$aa_PP['change_htaccess']='0';
}
// NOTE(review): both branches above reset change_htaccess to '0' unless the write failed, so this
// block seems reachable only after a failed write whose E_USER_ERROR did not stop the request.
// It would also recreate wp-admin/.htaccess when the toggle was off - confirm the intent.
if($aa_PP['change_htaccess']=='1'){
@ aa_pp_unlink($aa_PP['admin_htaccess']);
$aa_PP['admin_htaccess_rules']=array(
'AuthName "'.$aa_PP['realm'].'"',
'AuthUserFile '.$aa_PP['htpasswd'],
'AuthType Basic',
'Require valid-user',
'',
'Allow from All',
'',
'',
'Allow from All',
'',
'Satisfy Any');
if(!insert_with_markers($aa_PP['admin_htaccess'], 'AskApache PassPro', $aa_PP['admin_htaccess_rules'])) trigger_error("Couldnt create ".$aa_PP['admin_htaccess']." file!",E_USER_ERROR);
else $aa_PP['change_htaccess']='0';
}
// The htpasswd file is rewritten only when a change was flagged and the submitted password is
// longer than one character. $_POST['htaccesspass'] is read without isset(). The file is deleted
// before the new entry is written, so a failed write leaves no password file in place.
if($aa_PP['change_htpasswd']=='1' && strlen($_POST['htaccesspass'])>1){
@ aa_pp_unlink($aa_PP['htpasswd']);
$aa_PP['htpasswd_rules']=array(aa_pp_hashit($aa_PP['format'],$aa_PP['user'],$_POST['htaccesspass']));
if(!insert_with_markers($aa_PP['htpasswd'],'AskApache PassPro',$aa_PP['htpasswd_rules'])) trigger_error('Error Creating '.$aa_PP['htpasswd'],E_USER_ERROR);
else $aa_PP['change_htpasswd']='0';
}
$aa_PP['config_step']='4';
update_option('askapache_password_protect',$aa_PP);
}
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
}
}
// aa_pp_main_page
function aa_pp_main_page() {
global $aa_PP;
if (! user_can_access_admin_page()) die( __('You do not have sufficient permissions to access this page.') );
if (function_exists('current_user_can')&&!current_user_can(8)||!current_user_can('upload_files'))die(__("You are not allowed to be here"));
?>
0) {
if(!$f = @fopen($fn, 'r'))return false;
$filecontent = fread($f, filesize($fn));
$filecontent = htmlspecialchars($filecontent);
}
else $filecontent = 'file does not exist!';
if(fclose($f))echo $filecontent;
}
// aa_pp_test_userpass
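/**
 * Request $path from this server with HTTP Basic credentials and report the status code.
 *
 * Opens a raw socket to the server's own address (SERVER_ADDR, or the resolved HTTP_HOST),
 * sends one GET request with an Authorization header and reads the first response line.
 *
 * @param string $u    User name to send.
 * @param string $p    Password to send.
 * @param string $path Request path, starting with "/".
 * @return string|false Status code such as '200' or '401'; a diagnostic string when the
 *                      connection could not be opened; false when the request could not be
 *                      sent, the path is unusable, or no status line came back.
 */
function aa_pp_test_userpass($u,$p,$path){
    global $aa_PP;

    // The path is written into the request line as-is, so a line break would start a new header.
    if(strpbrk((string)$path, "\r\n")!==false) return false;

    $timeout=10;
    $useragent='Mozilla/5.0 (compatible; AskApache/'.$aa_PP['plugin_data']['Version'].'; +http://www.askapache.com/wordpress/htaccess-password-protect.html)';
    $encoded=base64_encode("$u:$p");
    $host=$_SERVER['HTTP_HOST'];
    $ip=(isset($_SERVER["SERVER_ADDR"])) ? $_SERVER["SERVER_ADDR"] : gethostbyname($_SERVER['HTTP_HOST']);
    $port=$_SERVER['SERVER_PORT'];
    // NOTE(review): with 'ssl://' the socket is opened to an IP address; whether the certificate
    // name check passes then depends on the PHP version and stream defaults - confirm on HTTPS sites.
    $scheme=((isset($_SERVER['HTTPS'] ) && strtolower($_SERVER['HTTPS']) == 'on') || $_SERVER['SERVER_PORT']=='443' ) ? 'ssl://' : '';

    if(!$fp = fsockopen($scheme.$ip, $port, $errno, $errstr, $timeout)) return "$scheme, $ip, $port, $errno, $errstr, $timeout";

    $request="GET $path HTTP/1.1\r\nHost: $host\r\nUser-Agent: $useragent\r\nReferer: http://www.askapache.com".
        "\r\nAccept: */*\r\n"."Authorization: Basic $encoded"."\r\nConnection: Close\r\n\r\n";

    if(!fputs($fp, $request)){
        // Close the socket on the failure path as well, so it is not left open.
        fclose($fp);
        return false;
    }

    $status_line=fgets($fp, 256);
    fclose($fp);
    if($status_line===false) return false;

    // "HTTP/1.1 401 Authorization Required" -> '401'; a malformed line yields false instead of a notice.
    $parts=explode(" ", $status_line);
    return isset($parts[1]) ? $parts[1] : false;
}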
/**
 * Collect the user names found between the $mark markers of an htpasswd file.
 *
 * Each marked line is expected to look like "name:hash"; the part before the colon is kept.
 * A line that does not match the pattern is passed through unchanged.
 *
 * @param string $HTPASS Path of the htpasswd file.
 * @param string $mark   Marker name handed to extract_from_markers().
 * @return array A one-element array whose only item is the list of names.
 */
function aa_pp_current_users($HTPASS, $mark){
    $names = array();
    foreach (extract_from_markers($HTPASS, $mark) as $entry) {
        // Replace the whole "name:hash" match with capture group 1, at most once per line.
        $names[] = preg_replace('/(.+):(.+)/', "\\1", $entry, 1);
    }
    // Callers receive the list wrapped in an outer array.
    return array($names);
}
// aa_pp_hashit
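/**
 * Build one "user:hash" line for an Apache htpasswd file.
 *
 * Formats: 'PLAIN' stores the password as typed, 'CRYPT' uses crypt() with a "$1$" salt,
 * 'SHA1' writes the unsalted "{SHA}" form and 'MD5' the Apache "$apr1$" form.
 * PLAIN and SHA1 give the stored value little protection if the file is read; prefer the
 * salted formats where the server accepts them.
 *
 * @param string $format One of 'PLAIN', 'CRYPT', 'SHA1', 'MD5'; any other value yields ''.
 * @param string $user   User name; must not contain ':' or a line break.
 * @param string $pass   Password.
 * @return string The htpasswd line, or '' when nothing could be built.
 */
function aa_pp_hashit($format,$user='',$pass=''){
    if(!function_exists('crypt') || !function_exists('sha1'))trigger_error("Error Creating .htpasswd hashes! Need crypt or sha1",E_USER_ERROR);

    // A ':' or line break in the name would change how the htpasswd file is split into entries.
    if(strpbrk((string)$user, ":\r\n")!==false){
        trigger_error('Error Creating .htpasswd hashes! User name contains ":" or a line break',E_USER_ERROR);
        return '';
    }

    // Salts come from the CSPRNG where the running PHP provides one; older versions fall back.
    $csprng=function_exists('random_int');
    $hash='';
    switch ($format){
        case 'PLAIN':
            // Only this format writes the password itself, so only here can it break the line.
            if(strpbrk((string)$pass, "\r\n")!==false){
                trigger_error('Error Creating .htpasswd hashes! Password contains a line break',E_USER_ERROR);
                break;
            }
            $hash=$user.':'.$pass;
            break;
        case 'CRYPT':
            $hexdigits='0123456789abcdef';
            $seed='';
            for ($i = 0; $i < 8; $i++) {
                $seed .= $hexdigits[$csprng ? random_int(0,15) : mt_rand(0,15)];
            }
            $hash=$user.':'.crypt($pass, '$1$'.$seed);
            break;
        case 'SHA1':
            $hash=$user.':{SHA}'.base64_encode(sha1($pass, TRUE));
            break;
        case 'MD5': // php.net/crypt.php#73619
            $alphabet='abcdefghijklmnopqrstuvwxyz0123456789';
            if($csprng){
                $saltt='';
                for ($i = 0; $i < 8; $i++) { $saltt .= $alphabet[random_int(0,35)]; }
            } else {
                $saltt = substr(str_shuffle($alphabet), 0, 8);
            }
            $len = strlen($pass);
            $text = $pass.'$apr1$'.$saltt;
            $bin = pack("H32", md5($pass.$saltt.$pass));
            for($i = $len; $i > 0; $i -= 16) { $text .= substr($bin, 0, min(16, $i)); }
            // $pass[0] replaces the curly-brace offset form, which current PHP no longer parses.
            for($i = $len; $i > 0; $i >>= 1) { $text .= ($i & 1) ? chr(0) : $pass[0]; }
            $bin = pack("H32", md5($text));
            for($i=0; $i<1000; $i++) {
                $new = ($i & 1) ? $pass : $bin;
                if ($i % 3) $new .= $saltt;
                if ($i % 7) $new .= $pass;
                $new .= ($i & 1) ? $bin : $pass;
                $bin = pack("H32", md5($new));
            }
            // Start from an empty string so the first prepend does not read an undefined variable.
            $TRp = '';
            for($i=0; $i<5; $i++) {
                $k = $i + 6;
                $j = $i + 12;
                if($j==16){ $j = 5; }
                $TRp = $bin[$i].$bin[$k].$bin[$j].$TRp;
            }
            $TRp = chr(0).chr(0).$bin[11].$TRp;
            $TRp = strtr(strrev(substr(base64_encode($TRp), 2)),"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz");
            $hash="$user:$"."apr1"."$".$saltt."$".$TRp;
            break;
    }
    return $hash;
}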
/**
 * Probe which htpasswd hash formats this server accepts.
 *
 * Creates a scratch directory via aa_pp_mktempdir() under wp-content, writes a test password
 * file, two PHP files decoded from the embedded blobs and a .htaccess that enables Basic auth,
 * then requests test.php once with matching and once with wrong credentials for every key of
 * $aa_PP['algorithms']. Results go into $aa_PP['algorithms'] and $aa_PP['htaccess_support'],
 * config_step is set to '2' and the option is saved.
 *
 * @return bool false when $aa_PP['htaccess_support'] ends up '0', true otherwise.
 */
function aa_pp_test_algorithms(){
global $aa_PP;
// $e and $t are base64-encoded, zlib-compressed payloads that are written out below as 401.php
// and test.php. NOTE(review): their contents cannot be read from this listing; decode and review
// them before trusting the plugin, since they become executable PHP in a web-reachable directory.
$e='eNqFUU1PwkAQvTfpfxgbDnCgQ40nKIsIGEhQG60HT2RpV7bhY9fdIRV/vdtSEi/E05vMvDdvJi8'.
'eaanB99R6ZYkbancGvncvBc+FaQfzNE0wCiO460UwPpJUpvjhVKgDvIqvY2FEHnQG8EfxRpyOtv+vYMR'.
'8L76ZvkzSj2QG8/RpCcn7w3IxgaCLuJilj4jTdHqe3IY9xNlzUGkk7Xc1OsMKqaCdYNftYjwzHBUvmrX'.
'KT/WOiF0TuZEjaJYYRSIjkcP6BDEHacTnMJBEuo9YlmXI7ZZrnkkRZmqPpTK5NsJalMSzzBVdza2t2l1'.
'9XhVWHwRsbLfjWgdJQ4DGyx0SI2cx6vroy7F4+bxKzPdam6HLbCNole0EP9S5iUwqaG2q6rugBurJiP0CaXaZXQ==';
$t='eNrj5bKxL8go4OVyyEhNTEkt0lByzs8rSc0r0Q2pLEi1UsjMTUxP1U/PTFPStMaiyCc1L70kw0rBxBIsn5qcka9'.
'QkJicraHkoaWko2RibmJpYmZsYWxpZmhgaGAAwpYgGgrSkABExMgwzdLAxMDU0ATEAaJkuGKofrC4kakJiG2cBLG2IrMESmmA+PZ2AEyvN7w=';
$TRp=aa_pp_mktempdir(ABSPATH.'wp-content/', 'askapache');
// $TRpb is root_path plus the scratch directory name, without 'wp-content/'; $td further down
// does include 'wp-content/'. NOTE(review): confirm which of the two URL prefixes is intended.
$TRpb=$aa_PP['root_path'].basename($TRp).'/';
// One test account per format; user name and password are both "test<FORMAT>".
$g=array(aa_pp_hashit('CRYPT','testCRYPT','testCRYPT'),aa_pp_hashit('MD5','testMD5','testMD5'),aa_pp_hashit('SHA1','testSHA1','testSHA1'),aa_pp_hashit('PLAIN','testPLAIN','testPLAIN'));
if(!insert_with_markers("$TRp/.htpasswda1", 'Test', $g)) die("Error Creating $TRp/.htpasswda1 Test files!");
$t1=gzuncompress(base64_decode($e));
if(!aa_pp_file_put_c("$TRp/401.php",$t1)) die("Error Creating test pages for HTTP Authentication Enabled Test files!");
$t2=ltrim(gzuncompress(base64_decode($t)));
if(!aa_pp_file_put_c("$TRp/test.php",$t2)) die("Error Creating $TRp/test.php for HTTP Authentication Enabled Test files!");
// NOTE(review): inside double quotes PHP reads "$TRpb401" as a single variable name, not as $TRpb
// followed by "401", so these three directives do not contain the $TRpb prefix as written.
$htaccessrules=array("DirectoryIndex $TRpb401.php 401.php",
"ErrorDocument 401 $TRpb401.php","ErrorDocument 403 $TRpb401.php",'AuthName "askapache test"',
"AuthUserFile $TRp/.htpasswda1","AuthType Basic","Require valid-user");
if(!insert_with_markers("$TRp/.htaccess", 'Test', $htaccessrules)) die("Couldnt create $TRp/.htaccess file!");
else sleep(2);
$td=$aa_PP['root_path'].'wp-content/'.basename($TRp).'/test.php';
foreach($aa_PP['algorithms'] as $key=>$value){
// $rg: response for the matching test account; $rb: response for an account that does not exist.
$rg=aa_pp_test_userpass("test$key","test$key",$td);
usleep(100);
$rb=aa_pp_test_userpass("fail$key","fail$key",$td);
if($rb=='401'){
$aa_PP['algorithms'][$key]='1';
$aa_PP['htaccess_support']='1';
} else $aa_PP['algorithms'][$key]='0';
// NOTE(review): this second if/else overwrites the per-algorithm flag set just above, so the
// stored flag depends only on $rg=='200'; htaccess_support is raised by either check.
if($rg=='200'){
$aa_PP['algorithms'][$key]='1';
$aa_PP['htaccess_support']='1';
} else $aa_PP['algorithms'][$key]='0';
// A 500 from either request marks .htaccess support as unavailable.
if($rg=='500' || $rb=='500')$aa_PP['htaccess_support']='0';
}
sleep(4);
// NOTE(review): cleanup targets dirname($TRp)."/askapache" rather than $TRp itself. Whether that
// is the scratch directory depends on what aa_pp_mktempdir() returns - confirm, because the test
// password file (including a plaintext entry) and the PHP files stay on disk otherwise.
aa_deltree(dirname($TRp)."/askapache");
$aa_PP['config_step']='2';
update_option('askapache_password_protect',$aa_PP);
if($aa_PP['htaccess_support']=='0')return false;
return true;
}
// aa_pp_activate
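/**
 * Activation hook: reset the plugin to its initial state.
 *
 * Deletes options left by earlier releases, fills the global $aa_PP with defaults and the
 * paths of the files the plugin manages, removes an existing wp-admin .htaccess / .htpasswda1,
 * derives root_path from the site URL option and saves everything with config_step '1'.
 */
function aa_pp_activate(){
    global $aa_PP;

    // Option names used by earlier releases; each is listed once.
    $oldoptions=array('aa_home_folder','aa_wpadmin_folder','aa_htpasswd_file','aa_htaccess_file',
        'aa_original_htpasswd','aa_original_htaccess','aa_plugin_message','aa_plugin_version',
        'aa_home','aa_wpadmin','aa_htpasswd_f','aa_htaccess_f','aa_user',
        'aa_pp_docroot_htaccess','aa_pp_wp_admin_htaccess','aa_pp_wp_content_htaccess',
        'aa_pp_wp_includes_htaccess','aa_pp_main_base64','aa_pp_ok');
    foreach($oldoptions as $key){ delete_option($key); }

    $aa_PP['user']='user';
    $aa_PP['format']='CRYPT';
    // Default password: four hex characters taken from a timestamp hash are easy to guess, so a
    // longer value from the CSPRNG is used where the running PHP provides one.
    if(function_exists('random_bytes')){
        $aa_PP['pass']=bin2hex(random_bytes(8));
    } else {
        $aa_PP['pass']=substr(md5(uniqid(microtime())), 0, 4);
    }
    $aa_PP['realm']='Protected By AskApache';
    $aa_PP['htaccess_support']='0';
    $aa_PP['config_step']='1';
    $aa_PP['algorithms']=array('CRYPT'=>0,'MD5'=>0,'SHA1'=>0,'PLAIN'=>0);
    $aa_PP['plugin_data']=get_plugin_data(__FILE__);
    $aa_PP['change_htpasswd']='0';
    $aa_PP['change_htaccess']='0';
    $aa_PP['wp_login_htaccess_enabled']='false';

    // Files managed by the plugin. The password file sits inside wp-admin, i.e. below the web root.
    // NOTE(review): confirm the server refuses to serve dot-files such as .htpasswda1.
    $aa_PP['wp_login_htaccess'] = ABSPATH.'.htaccess';
    $aa_PP['admin_htaccess'] = ABSPATH.'wp-admin/.htaccess';
    $aa_PP['wpincludes_htaccess'] = ABSPATH.'wp-includes/.htaccess';
    $aa_PP['wpcontent_htaccess'] = ABSPATH.'wp-content/.htaccess';
    $aa_PP['htpasswd'] = ABSPATH.'wp-admin/.htpasswda1';
    @ aa_pp_unlink($aa_PP['admin_htaccess']);
    @ aa_pp_unlink($aa_PP['htpasswd']);

    // NOTE(review): WordPress stores the site address under the option name 'siteurl'; with
    // 'site_url' the lookup presumably finds nothing and root_path falls back to '/'. Confirm
    // before changing, since root_path feeds the generated rewrite rules.
    $t=get_option('site_url');
    $u=parse_url($t);
    if(!isset($u['path']))$u['path']='/';
    $u['path']='/'.$u['path'].'/';
    // Collapse runs of two to four slashes produced by the padding above.
    $aa_PP['root_path']=preg_replace('/(\/{2,4})/i','/',$u['path']);

    $aa_PP['config_step']='1';
    update_option('askapache_password_protect',$aa_PP);
}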
// aa_pp_deactivate
/**
 * Deactivation hook: undo what the plugin wrote.
 *
 * Reloads the saved option, removes the generated .htaccess files and the password file,
 * replaces the plugin's section in the site-root .htaccess with an empty one and deletes
 * the option itself.
 */
function aa_pp_deactivate(){
    global $aa_PP;
    $aa_PP = get_option('askapache_password_protect');

    // Paths are taken from the stored option, in the same order as before.
    $generated = array('wpincludes_htaccess', 'wpcontent_htaccess', 'admin_htaccess', 'htpasswd');
    foreach ($generated as $slot) {
        aa_pp_unlink($aa_PP[$slot]);
    }

    insert_with_markers($aa_PP['wp_login_htaccess'], 'AskApache PassPro', array(''));
    delete_option('askapache_password_protect');
}
// Lifecycle hooks: defaults are built on activation, generated files are removed on deactivation.
register_activation_hook(__FILE__, 'aa_pp_activate');
register_deactivation_hook(__FILE__, 'aa_pp_deactivate');

// The POST handler is attached only when the request URI contains this plugin file's name.
if (false !== strpos($_SERVER['REQUEST_URI'], basename(__FILE__))) {
    add_action('admin_head', 'aa_pp_admin_header');
}
add_action('admin_menu', 'aa_pp_options_setup1');
?>