'; $aa_PLUGIN=aa_pp_get_plugin_data(); $aa_PP = get_option( 'askapache_password_protect' ); $aa_PP['scheme'] = ( isset($_SERVER['HTTPS']) && ( 'on' == strtolower($_SERVER['HTTPS']) || '1' == $_SERVER['HTTPS'] ) || ( isset($_SERVER['SERVER_PORT']) && ( '443' == $_SERVER['SERVER_PORT'] ) )) ? 'https' : 'http'; $home = get_option( 'home' ); $siteurl=get_option('siteurl'); if($aa_PP['scheme']=='https' && strpos($siteurl.$home,'https://')!==FALSE)$aa_PP['scheme']='http'; $aa_SIDS = get_option( 'askapache_password_protect_sids' ); if (!current_user_can("edit_files"))wp_die("edit_files cap required"); $errors = aa_pp_get_post_values( $aa_PP ); aa_pp_errors( $errors ); if ( (int)$aa_PP['setup_complete'] != 1 || in_array($aa_PP['step'],array('welcome','setup','sid')) ) { if(!isset($_GET['activate-sid']))aa_pp_show_warning(); } ?>

.htaccess Tutorial | AskApache Debug Viewer Plugin | HTTP Header Tool

' . $_POST['notice'] . '

Still waiting for that 4.7 version update

2013-03-07 - I've completely re-written this plugin, its' 100x better. Still not finished with it. Wait for the 4.7 release!!!!!!!!!!!

ErrorDocument Improvement

Note: To prevent 404 Errors or Login Looping due to a host misconfiguration, you can use my best plugin AskApache Google 404, trust me it's good. Otherwise you can search my blog for information about how to fix:

ErrorDocument 401 /error.html
ErrorDocument 403 /error.html

Bug Fixes

10/17/2008 - Fixed known bugs.. Improved Testing with debug output automatically for failed tests.

Backups and Revisioning

8/19/2008 - Ok so version 4.6 has some nice automatic revisioning/backup features... the next release will let us compare the new .htaccess file with the old .htaccess files just like wikis. (based once again on wordpress core)..

So now that the SID module system is pretty stable and there is now decent backups going on, the next thing I'll be adding is multi-user and group management. And much more access control by IP address and other ids.

The point of doing all that is so the plugin will be stable enough code-wise so we can focus in on developing custom SIDs for protecting wordpress blogs.. Mod_Security rules are on the way....

The SID Module Redesigned

8/14/2008 - I'm finally mostly happy with the system now used by this plugin to update/modify/and use the different modules. The old code just wasn't future-proofed enough. This new version is based very much off of the WordPress Plugins code, so it is future proofed.

This "Improvements" page is the start of whats to come, Basically each of the security modules (and there are a LOT of great mod_security ones coming) will have their own very Basic settings. So you can tweak the settings. If someone finds an improvement they can send it for review. New ideas and modules can be submitted here also.

Initial Test for Compatibility and Capability

If the following locations are not correct. Please correct them before hitting Initiate Tests.

Root .htaccess Location
Admin .htaccess Location

DEBUG INFO

Get WAYYY more debugging information by using my ultra-powerful AskApache Debug Viewer Plugin.

$v) { if(($vb||(!$vb&&$k=='WP_ADMIN'&&$vb=true)) && (strlen($v)>10||strpos($v,'/')!==FALSE))$c[$k]=$v; } echo '

';
            ksort($c);
            echo htmlspecialchars(print_r(array('Plugin Options'=>$aa_PP,'Active SIDS'=>aa_pp_active_sids(),'Constants'=>$c),1));
            echo '

'; aa_pp_pls(WP_CONTENT_DIR, 1); aa_pp_pls(dirname(__FILE__), 1); aa_pp_pls(ABSPATH, 1); ?>

.htaccess File Revisions

';
		echo htmlspecialchars( $content );
		echo '

';
		echo htmlspecialchars( $content );
		echo '

';
		echo htmlspecialchars( $content );
		echo '

';
	echo htmlspecialchars( $content );
	echo '

Manage Security Modules

Modules are inserted into your server .htaccess configuration files. Once a module is installed, you may activate it or deactivate it here.

$arr ) aa_pp_print_sids_table( $arr, $n );?>

";
		foreach( $rules as $line )@$_POST['notice'] .= htmlentities( $line );
		@$_POST['notice'] .= '

Why Test?

First we need to run a series of tests on your server to determine what capabilities your site has and also to locate any potential installation problems.

The tests will be run on temporary files I'll create in your folder. They will create .htaccess and .htpasswd files in that location and then use fsockopen networking functions to query those files. This tells us exactly how your server handles .htaccess configurations, HTTP authentication schemes, Apache Module capability, etc..

Several tests send specially crafted HTTP requests which are designed to elicit very specific HTTP Protocol Responses to accurately determine your servers capabilities.

Other important checks will run: file permissions, function availability, much more testing. You can re-run them whenever you want. If you'd like to see the action, define AA_PP_DEBUG to 1 in this file. Good Luck!

Test Results

Get WAYYY more debugging information by using my ultra-powerful AskApache Debug Viewer Plugin.

Required Checks

The tests performed by this page are currently required to determine your servers capabilities to make sure we don't crash your server. The utmost care was taken to make these tests work for everyone running Apache, which is crazy hard because we are testing server configuration settings programmatically from a php binary without access to server configuration settings.

So we achieve this by modifying your server's .htaccess configuration file and then making special HTTP requests to your server which result in specific HTTP responses which tell us if the configuration changes failed or succeeded. The most widely allowed (by web hosts) and compatible 4+5 php function that provides access to sockets is fsockopen, so it is required.

You can also test headers from an external location using my HTTP Raw Header Tool, which also has hexdumps ;)

'; if((bool)$atest) { $tester = new AskApacheNet; $atest = ( $tester->sockit( "{$siteurl}" ) == 200 ) ? 1 : 0; $msg = ( $atest ) ? $aok : $fail; $tester->print_tcp_trace(); } ?>

File Permission Tests

If any of these (other than one of the .htpasswda3 writable checks) fail this plugin will not work. Both your /.htaccess and /wp-admin/.htaccess files must be writable for this plugin, those are the only 2 files this plugin absolutely must be able to modify. However note that changing these files (or the parent dir) permissions to 777 is not advised and may cause your site to be unreachable.

       · ".join("
       · ",explode(':',$open_basedir.':')); echo $m_s . $msg . " open_basedir on/off {$open_basedir}" . $m_e; $htaccess_test1 = $atest = ( @is_writable( $ap['admin_htaccess'] ) || @touch( $ap['admin_htaccess'] ) ) ? 1 : 0; $msg = ( $atest ) ? $aok : $fail; echo $m_s . $msg . " {$ap['admin_htaccess'] } file writable" . $m_e; echo ( true ) ? aa_pp_writable_error($ap['admin_htaccess']) : ''; $htaccess_test2 = $atest = ( @is_writable( $ap['root_htaccess'] ) || @touch( $ap['root_htaccess'] ) ) ? 1 : 0; $msg = ( $atest ) ? $aok : $fail; echo $m_s . $msg . " {$ap['root_htaccess']} file writable" . $m_e; echo ( true ) ? aa_pp_writable_error($ap['root_htaccess']) : ''; $atest = ( @is_writable( dirname( dirname( $ap['root_htaccess'] ) ) . '/.htpasswda3' ) || @touch( dirname( dirname( $ap['root_htaccess'] ) ) . '/.htpasswda3' ) ) ? 1 : 0; $msg = ( $atest ) ? $aok : $fail; echo $m_s . $msg . dirname( dirname( $ap['root_htaccess'] ) ) . '/.htpasswda3' . " file writable" . $m_e; echo ( true ) ? aa_pp_writable_error(dirname( dirname( $ap['root_htaccess'] ) ) . '/.htpasswda3') : ''; if ( !$atest ) { $atest = ( @is_writable( $ap['authuserfile'] ) || @touch( $ap['authuserfile'] ) ) ? 1 : 0; $msg = ( $atest ) ? $aok : $fail; echo $m_s . $msg . $ap['authuserfile'] . " file writable" . $m_e; echo ( true ) ? aa_pp_writable_error($ap['authuserfile']) : ''; } else $ap['authuserfile'] = dirname( dirname( $ap['root_htaccess'] ) ) . '/.htpasswda3'; if(@is_file($ap['authuserfile']) && @filesize($ap['authuserfile']) == 0) aa_pp_unlink($ap['authuserfile']); $atest = ( aa_pp_mkdir( $ap['test_dir'] ) ) ? 1 : 0; $msg = ( $atest ) ? $aok : $fail; echo $m_s . $msg . " Creating test folder" . $m_e; if( (bool)$atest ===false ) wp_die("Couldnt create test folder {$ap['test_dir']}!"); echo ( true ) ? aa_pp_writable_error($ap['test_dir']) : ''; $atest = ( @is_writable( $ap['test_dir'] ) || @chmod( $ap['test_dir'], 777 ) ) ? 1 : 0; $msg = ( $atest ) ? $aok : $fail; echo $m_s . $msg . " Test folder writable" . $m_e; echo ( true ) ? aa_pp_writable_error( $ap['test_dir']) : ''; $atest = ( aa_pp_insert_mark( $ap['test_dir'] . '/.htpasswd-basic', 'AskApache PassPro', array() ) ) ? 1 : 0; $msg = ( $atest ) ? $aok : $fail; echo $m_s . $msg . " Basic Auth htpasswd file writable" . $m_e; echo ( true ) ? aa_pp_writable_error($ap['test_dir'] . '/.htpasswd-basic') : ''; $msg = ( $atest ) ? $aok : $fail; $atest = ( aa_pp_insert_mark( $ap['test_dir'] . '/.htpasswd-digest', 'AskApache PassPro', array() ) ) ? 1 : 0; echo $m_s . $msg . " Digest Auth htpasswd file writable" . $m_e; echo ( true ) ? aa_pp_writable_error($ap['test_dir'] . '/.htpasswd-digest') : ''; aa_pp_htaccess_file_init( $ap['test_dir'] . '/.htaccess' ); $atest = ( aa_pp_insert_sids( $ap['test_dir'] . '/.htaccess', 'Test', $test_htaccess_rules ) ) ? 1 : 0; echo $m_s . $msg . " .htaccess test file writable" . $m_e; echo ( true ) ? aa_pp_writable_error($ap['test_dir'] . '/.htaccess') : ''; ?>

Compatibility Checks

Checks different software to make sure its compatible with this plugin.

PHP.ini Information

Some information about your php.ini settings. The following settings may need to be tweaked. Likely they are fine.

Encryption Function Tests

Your php installation should have all of these. The md5 is the only one absolutely required, otherwise I can't create the neccessary password files for you.

Revision Tests

This checks for the neccessary file permissions and functions needed to utilize the .htaccess file revision support.

Decompressed MD5: " . $data_decompress_md5 . "
Compressed MD5: " . $data_md5 . "

"; } ?>

.htaccess Capabilities

These tests determine with a high degree of accuracy whether or not your server is able to handle .htaccess files, and also checks for various Apache modules that extend the functionality of this plugin. The 2 modules you really want to have are mod_rewrite and mod_auth_digest. In future versions of this plugin, we will be utilizing the advanced security features of mod_security more and more, so if you don't have it, bug your web host about it non-stop ;)

'; foreach ( $test_htaccess_rules as $l ) echo htmlentities($l)."\n"; echo ''; } $tester = new AskApacheNet; $ap['htaccess_support'] = $atest = ( $tester->sockit( "{$test_url_base}err.php" ) == 200 ) ? 1 : 0; $msg = ( $atest ) ? $aok : $fail; echo $m_s . $msg . " .htaccess files allowed [200]" . $m_e; if ( (bool)AA_PP_DEBUG === true || !$atest )$tester->print_tcp_trace(); $tester = new AskApacheNet; $ap['mod_alias_support'] = $atest = ( $tester->sockit( "{$test_url_base}modaliastest" ) == 305 ) ? 1 : 0; $msg = ( $atest ) ? $aok : $warn; echo $m_s . $msg . " mod_alias detection [305]" . $m_e; if ( (bool)AA_PP_DEBUG === true || !$atest )$tester->print_tcp_trace(); $tester = new AskApacheNet; $ap['mod_rewrite_support'] = $atest = ( $tester->sockit( "{$test_url_base}err.php?modrewritetest=1" ) == 307 ) ? 1 : 0; $msg = ( $atest ) ? $aok : $fail; echo $m_s . $msg . " mod_rewrite detection [307]" . $m_e; if ( (bool)AA_PP_DEBUG === true || !$atest )$tester->print_tcp_trace(); $tester = new AskApacheNet; $ap['mod_security_support'] = $atest = ( $tester->sockit( "{$test_url_base}modsec_check.gif?modsecuritytest" ) == 403 ) ? 1 : 0; $msg = ( $atest ) ? $aok : $fail; echo $m_s . $msg . " mod_security detection [!403]" . $m_e; if ( (bool)AA_PP_DEBUG === true || !$atest )$tester->print_tcp_trace(); $tester = new AskApacheNet; $ap['mod_auth_digest_support'] = $atest = ( $tester->sockit( "{$test_url_base}digest_check.gif" ) == 401 ) ? 1 : 0; $msg = ( $atest ) ? $aok : $fail; echo $m_s . $msg . " mod_auth_digest detection [401]" . $m_e; if ( (bool)AA_PP_DEBUG === true || !$atest )$tester->print_tcp_trace(); ?>

HTTP Digest Authentication

Now we know the encryption and apache module capabilities of your site. This test literally logs in to your server using Digest Authenticationts, providing the ultimate answer as to if your server supports this scheme.

authtype = ''; $rb = ( $tester->sockit( $test_url_base . 'authdigestfile_test.gif' ) == 401 ) ? 1 : 0; $tester->sockit( str_replace( '://', '://testDIGEST:testDIGEST@', $test_url_base ) . 'authdigestfile_test.gif' ); $tester->authtype = 'Digest'; $rg = ( $tester->sockit( str_replace( '://', '://testDIGEST:testDIGEST@', $test_url_base ) . 'authdigestfile_test.gif' ) == 200 ) ? 1 : 0; $ap['digest_support'] = $atest = ( $rb && $rg ) ? 1 : 0; $msg = ( $atest ) ? $aok : $fail; echo $m_s . $msg . " Digest Authentication Attempt" . $m_e; if ( (bool)AA_PP_DEBUG === true || !$atest )$tester->print_tcp_trace(); if ( !$atest ) { $tester = new AskApacheNet; $tester->authtype = ''; $rb = ( $tester->sockit( $test_url_base . 'authuserfile_test.gif' ) == 401 ) ? 1 : 0; $tester->sockit( str_replace( '://', '://testDIGEST:testDIGEST@', $test_url_base ) . 'authuserfile_test.gif' ); $tester->authtype = 'Digest'; $rg = ( $tester->sockit( str_replace( '://', '://testDIGEST:testDIGEST@', $test_url_base ) . 'authuserfile_test.gif' ) == 200 ) ? 1 : 0; $ap['digest_support'] = $a1test = ( $rb && $rg ) ? 1 : 0; $msg = ( $a1test ) ? $aok : $fail; echo $m_s . $msg . "2nd Digest Authentication Attempt" . $m_e; if ( (bool)AA_PP_DEBUG === true || !$a1test )$tester->print_tcp_trace(); } if ( (bool)$ap['digest_support'] !== false ) $ap['authuserdigest'] = ( $atest ) ? 'AuthUserFile' : 'AuthUserFile'; } else echo $m_s . $msg . $fail . " Bummer... you don't have digest capabilities." . $m_e;?>

Basic Authentication Encryption Algorithms

Basic Authentication uses the .htpasswd file to store your encrypted password. These checks perform actual logins to your server using a different .htpasswd encryption each time.

sockit( $test_url_base . 'basic_auth_test.gif' ) == 401 ) ? 1 : 0; if ( $ap['crypt_support'] != 0 ) { $tester = new AskApacheNet; $rg = ( $tester->sockit( str_replace( '://', '://testCRYPT:testCRYPT@', $test_url_base ) . 'basic_auth_test.gif' ) == 200 ) ? 1 : 0; $ap['crypt_support'] = $atest = ( $rb && $rg ) ? 1 : 0; $msg = ( $atest ) ? $aok : $fail; echo $m_s . $msg . " Basic Authentication Attempt using Crypt Encryption" . $m_e; if ( (bool)AA_PP_DEBUG === true || !$atest )$tester->print_tcp_trace(); } if ( $ap['md5_support'] != 0 ) { $tester = new AskApacheNet; $rg = ( $tester->sockit( str_replace( '://', '://testMD5:testMD5@', $test_url_base ) . 'basic_auth_test.gif' ) == 200 ) ? 1 : 0; $ap['md5_support'] = $atest = ( $rb && $rg ) ? 1 : 0; $msg = ( $atest ) ? $aok : $fail; echo $m_s . $msg . " Basic Authentication Attempt using MD5 Encryption" . $m_e; if ( (bool)AA_PP_DEBUG === true || !$atest )$tester->print_tcp_trace(); } if ( $ap['sha1_support'] != 0 ) { $tester = new AskApacheNet; $rg = ( $tester->sockit( str_replace( '://', '://testSHA1:testSHA1@', $test_url_base ) . 'basic_auth_test.gif' ) == 200 ) ? 1 : 0; $ap['sha1_support'] = $atest = ( $rb && $rg ) ? 1 : 0; $msg = ( $atest ) ? $aok : $fail; echo $m_s . $msg . " Basic Authentication Attempt using SHA1 Encryption" . $m_e; if ( (bool)AA_PP_DEBUG === true || !$atest )$tester->print_tcp_trace(); } $ap['basic_support'] = $atest = ( $ap['sha1_support'] != 0 || $ap['md5_support'] != 0 || $ap['crypt_support'] != 0 ) ? 1 : 0; $msg = ( $atest ) ? $aok : $warn; echo $m_s . $msg . " Basic Authentication Access Scheme Supported" . $m_e; foreach( array( 'htaccess_support', 'mod_alias_support', 'mod_rewrite_support', 'mod_security_support', 'mod_auth_digest_support', 'digest_support', 'basic_support' ) as $k ) { if ( $aa_PP[$k] == 1 && $ap[$k] != 1 ) { aa_pp_notify( __FUNCTION__ . ":" . __LINE__ . ' ' . "You preset {$k} to on even though it failed the test." ); $ap[$k] = 1; } } $aa_PP = $ap; update_option( 'askapache_password_protect', $aa_PP ); echo '

'; wp_nonce_field( 'askapache-passpro-form' ); echo ''; echo '

'; echo '

'; echo '

---

DEBUGGING INFO

'; echo '

Get WAYYY more debugging information by using my ultra-powerful AskApache Debug Viewer Plugin.

'; aa_pp_show_htaccess_files(); $c=array(); $vb=false; foreach ((array)(aa_pp_checkfunction('get_defined_constants')?@get_defined_constants():array())as $k=>$v) { if(($vb||(!$vb&&$k=='WP_ADMIN'&&$vb=true)) && (strlen($v)>10||strpos($v,'/')!==FALSE))$c[$k]=$v; } echo '

';
	ksort($c);
	echo htmlspecialchars(print_r(array('Plugin Options'=>$aa_PP,'Plugin Data'=>$aa_PLUGIN,'Active SIDS'=>aa_pp_active_sids(),'Constants'=>$c),1));
	echo '

'; aa_pp_pls(WP_CONTENT_DIR, 1); aa_pp_pls(dirname(__FILE__), 1); aa_pp_pls(ABSPATH, 1); echo '

';
	
	$dir=dirname($file);
	if(($ss=@stat($dir))!==false) {
		$fs = aa_ppnew_stat( $dir );
		printf( "%10s %04s %06s %'	8s %s %' 15s %s\n", $fs['human'], $fs['octal'], $fs['decimal'], $fs['owner_name'], $fs['group_name'], $fs['size'] . ' bytes', $dir.'/' );
	}
	
	if(($ss=@stat($file))!==false) {
		$fs = aa_ppnew_stat( $file );
		printf( "%10s %04s %06s %'	8s %s %' 15s %s", $fs['human'], $fs['octal'], $fs['decimal'], $fs['owner_name'], $fs['group_name'], $fs['size'] . ' bytes', $file.(is_dir($file) ? '/':'') );
	}
	
	echo '