Changeset 738058
- Timestamp:
- 07/09/2013 02:38:46 AM (11 years ago)
- Location:
- lockdown-wp-admin/trunk
- Files:
-
- 5 edited
lockdown-wp-admin/trunk/README.md
r700782 r738058 88 88 89 89 2.0.1 90 90 91 91 Tiny bug fix. 92 2.0.2 93 * Query string detection bug fix by [James Bonham](http://wordpress.org/support/profile/jamesbonham) 94 * Issues with WordPress in a sub-directory -
lockdown-wp-admin/trunk/admin.php
r694254 r738058 34 34 <br /> 35 35 <em>This will change it from <?php echo wp_guess_url(); ?>/wp-login.php to whatever you put in this box. If you leave it <strong>black</strong>, it will be disabled.<br /> 36 Say if you put "login" into the box, your new login URL will be <?php echo wp_guess_url(); ?>/login/.</em></label>36 Say if you put "login" into the box, your new login URL will be <?php echo _url(); ?>/login/.</em></label> 37 37 <?php 38 38 global $auth_obj; 39 $url = wp_guess_url() . '/'. $this->login_base;39 $url = _url() . '/'. $this->login_base; 40 40 ?> 41 41 <p>Your current login URL is <code><a href="<?php echo $url; ?>"><?php echo $url; ?></a></code>.</p> -
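Review bot: `$url`, built on the changed line from `_url() . '/' . $this->login_base`, is echoed on the next line into both an `href` attribute and element text without escaping; even though `login_base` is an admin-set option, the WordPress context escapers are the expected form here, `<a href="<?php echo esc_url($url); ?>"><?php echo esc_html($url); ?></a>`. The replacement for `wp_guess_url()` reads only as `_url()` in this rendering, so which helper (presumably `site_url()` or `home_url()`) the new side actually calls cannot be confirmed from here. Unrelated to the change, the unchanged label text says `black` where `blank` is evidently meant. The surrounding form markup starts and ends outside the hunk.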
lockdown-wp-admin/trunk/lockdown-wp-admin.php
r700782 r738058 5 5 Donate link: http://seanfisher.co/donate/ 6 6 Description: Securing the WordPress Administration interface by concealing the administration dashboard and changing the login page URL. 7 Version: 2.0. 17 Version: 2.0. 8 8 Author: Sean Fisher 9 9 Author URI: http://seanfisher.co/ … … 18 18 * 19 19 * @author Sean Fisher <me@seanfisher.co> 20 * @version 1.920 * @version 21 21 * @license GPL 22 22 **/ … … 29 29 * @access private 30 30 **/ 31 p rivate $ld_admin_version = 2.0;31 p; 32 32 33 33 /** … … 45 45 * @access private 46 46 **/ 47 pr ivate$current_user = FALSE;47 pr $current_user = FALSE; 48 48 49 49 /** … … 52 52 * @access private 53 53 **/ 54 pr ivate$login_base = FALSE;54 pr $login_base = FALSE; 55 55 56 56 public function __construct() … … 78 78 { 79 79 // Since PHP saves the HTTP Password in a bunch of places, we have to be able to test for all of them 80 $username = NULL; 81 $password = NULL; 80 $username = $password = NULL; 82 81 83 82 // mod_php … … 153 152 if ( isset( $_GET['delete'] ) ) 154 153 { 155 // 154 //Delete the user. 156 155 unset( $users ); 157 156 $users = $this->get_private_users(); … … 165 164 if( $this->current_user !== '' && $to_delete === $this->current_user ) 166 165 { 167 // 166 //They can't delete themselves! 168 167 define('LD_ERROR', 'delete-self'); 169 168 return; … … 198 197 return; 199 198 200 // 199 //Nonce 201 200 $nonce = $_POST['_wpnonce']; 202 201 if (! wp_verify_nonce($nonce, 'lockdown-wp-admin') ) 203 202 wp_die('Security error, please try again.'); 204 203 205 // 206 // 207 // 204 //--------------------------------------------------- 205 //They're updating. 
206 //--------------------------------------------------- 208 207 if ( isset( $_POST['http_auth'] ) ) 209 208 update_option('ld_http_auth', trim( strtolower( $_POST['http_auth'] ) ) ); … … 245 244 } 246 245 247 // 246 //Redirect 248 247 define('LD_WP_ADMIN', TRUE); 249 248 return; … … 259 258 private function inauth_headers() 260 259 { 261 // 260 //Disable if there is a text file there. 262 261 if ( file_exists(dirname(__FILE__).DIRECTORY_SEPARATOR.'disable_auth.txt')) 263 262 return; … … 292 291 $opt = get_option('ld_hide_wp_admin'); 293 292 294 // 293 //Nope, they didn't enable it. 295 294 if ( $opt !== 'yep' ) 296 295 return $this->setup_http_area(); … … 300 299 $no_check_files = apply_filters('no_check_files', $no_check_files); 301 300 302 $explode = explode('/', $_SERVER['SCRIPT_FILENAME'] ); 301 $script_filename = empty($_SERVER['SCRIPT_FILENAME']) 302 ? $_SERVER['PATH_TRANSLATED'] 303 : $_SERVER['SCRIPT_FILENAME']; 304 $explode = explode('/', $script_filename); 303 305 $file = end( $explode ); 304 306 305 307 if ( in_array( $file, $no_check_files ) ) 306 308 { 309 310 311 312 313 314 315 307 316 define('INTERNAL_AUTH_PASSED', TRUE); 308 317 return; … … 328 337 public function get_file() 329 338 { 330 // 339 //We're gonna hide it. 331 340 $no_check_files = array('async-upload.php'); 332 341 $no_check_files = apply_filters('no_check_files', $no_check_files); 333 342 334 $explode = explode('/', $_SERVER['SCRIPT_FILENAME'] ); 343 $script_filename = empty($_SERVER['SCRIPT_FILENAME']) 344 ? $_SERVER['PATH_TRANSLATED'] 345 : $_SERVER['SCRIPT_FILENAME']; 346 $explode = explode('/', $script_filename ); 335 347 return end( $explode ); 336 348 } … … 345 357 protected function setup_http_area() 346 358 { 347 // 359 //We save what type of auth we're doing here. 348 360 $opt = get_option('ld_http_auth'); 349 361 … … 351 363 switch( $opt ) 352 364 { 353 // 365 //HTTP auth is going to ask for their WordPress creds. 
354 366 case 'wp_creds' : 355 367 $creds = $this->get_http_auth_creds(); … … 357 369 $this->inauth_headers(); // Invalid credentials 358 370 359 // 371 //Are they already logged in as this? 360 372 $current_uid = get_current_user_id(); 361 373 362 // 374 //We fixed this for use with non WP-MS sites 363 375 $requested_user = get_user_by('login', $creds['username']); 364 376 365 // 377 //Not a valid user. 366 378 if (! $requested_user ) 367 379 $this->inauth_headers(); 368 380 369 // 381 //The correct User ID. 370 382 $requested_uid = (int) $requested_user->ID; 371 383 372 // 384 //Already logged in? 373 385 if ( $current_uid === $requested_uid ) 374 386 { … … 377 389 } 378 390 379 // 391 //Attempt to sign them in if they aren't already 380 392 if (! is_user_logged_in() ) : 381 // 393 //Try it via wp_signon 382 394 $creds = array(); 383 395 $creds['user_login'] = $creds['username']; … … 386 398 $user = wp_signon( $creds, false ); 387 399 388 // In error :(400 // 389 401 if ( is_wp_error($user) ) 390 402 $this->inauth_headers(); 391 403 endif; 392 404 393 // 405 //They passed! 394 406 define('INTERNAL_AUTH_PASSED', TRUE); 395 407 break; … … 404 416 return; 405 417 406 // 418 //Let's NOT lock everybody out 407 419 if ( count( $users ) < 1 ) 408 420 return; … … 415 427 $this->inauth_headers(); 416 428 417 // 429 //Did they enter a valid user? 418 430 if ( $this->user_array_check( $users, $creds['username'], $creds['password'] ) ) 419 431 { … … 483 495 * @param integer 484 496 **/ 485 pr ivatefunction set_current_user( $array, $user )497 pr function set_current_user( $array, $user ) 486 498 { 487 499 foreach( $array as $key => $val ) … … 510 522 public function admin_callback() 511 523 { 512 // 524 //Update the options 513 525 $this->update_options(); 514 526 515 // 527 //The UI 516 528 require_once( dirname( __FILE__ ) . '/admin.php' ); 517 529 } … … 541 553 $login_base = get_option('ld_login_base'); 542 554 543 // 555 //It's not enabled. 
544 556 if ( $login_base == NULL || ! $login_base || $login_base == '' ) 545 557 return; … … 548 560 unset( $login_base ); 549 561 550 // 562 //Setup the filters for the new login form 551 563 add_filter('wp_redirect', array( &$this, 'filter_wp_login')); 552 564 add_filter('network_site_url', array( &$this, 'filter_wp_login')); 553 565 add_filter('site_url', array( &$this, 'filter_wp_login')); 554 566 555 // 556 // 557 // 558 // 559 // 560 561 // 567 //We need to get the URL 568 //This means we need to take the current URL, 569 //strip it of an WordPress path (if the blog is located @ /blog/) 570 //And then remove the query string 571 //We also need to remove the index.php from the URL if it exists 572 573 //The blog's URL 562 574 $blog_url = trailingslashit( get_bloginfo('url') ); 563 575 564 // 576 //The Current URL 565 577 $schema = is_ssl() ? 'https://' : 'http://'; 566 578 $current_url = $schema . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; … … 569 581 $request_url = str_replace('index.php/', '', $request_url); 570 582 571 list( $base, $query ) = explode( '?', $request_url, 2 ); 572 573 // Remove trailing slash 583 $url_parts = explode( '?', $request_url, 2 ); 584 $base = $url_parts[0]; 585 586 // Remove trailing slash 574 587 $base = rtrim($base,"/"); 575 588 $exp = explode( '/', $base, 2 ); 576 $super_base = reset( $exp );577 578 // 589 $super_base = ( $exp ); 590 591 //Are they visiting wp-login.php? 579 592 if ( $super_base == 'wp-login.php') 580 593 $this->throw_404(); 581 594 582 // 595 //Is this the "login" url? 583 596 if ( $base !== $this->login_base ) 584 597 return FALSE; … … 592 605 do_action('ld_login_page'); 593 606 594 include ABSPATH . "/wp-login.php";607 include ABSPATH . 
; 595 608 exit; 596 609 } … … 609 622 * Launch and display the 404 page depending upon the template 610 623 * 611 * @param 612 * @return 624 * @paramvoid 625 * @returnvoid 613 626 **/ 614 627 public function throw_404() … … 626 639 wp_dequeue_script( 'admin-bar' ); 627 640 wp_dequeue_style( 'admin-bar' ); 628 641 629 642 // Template 630 $four_tpl = get_404_template();643 $four_tpl = ); 631 644 632 645 // Handle the admin bar … … 637 650 { 638 651 // We're gonna try and get TwentyTen's one 639 $twenty_ten_tpl = apply_filters('LD_404_FALLBACK', WP_CONTENT_DIR . '/themes/twentyt welve/404.php');652 $twenty_ten_tpl = apply_filters('LD_404_FALLBACK', WP_CONTENT_DIR . '/themes/twentyt/404.php'); 640 653 641 654 if (file_exists($twenty_ten_tpl)) -
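Review bot: The new `$script_filename` fallback, added in both the hide-wp-admin check and `get_file()`, still splits on `'/'` only, so a `PATH_TRANSLATED` value containing backslashes (presumably the IIS case the fallback targets) leaves the whole path in `$file` and the `$no_check_files` whitelist comparison silently never matches; `$file = basename($script_filename);` handles both separators, and the now-duplicated block belongs only in `get_file()` with the other call site using it. Since that comparison gates `define('INTERNAL_AUTH_PASSED', TRUE)`, the `in_array($file, $no_check_files)` call should also pass `true` as its third argument so the match is strict. Several new-side lines in this rendering have lost text (`p;` for the version property, `$super_base = ( $exp );`, `include ABSPATH . ;`, `$four_tpl = );`, and the seven empty added lines 309–315), so those cannot be reviewed from here. The class and the methods around these hunks start and end outside the visible hunks.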
lockdown-wp-admin/trunk/no-wpmu.php
r406374 r738058 32 32 } 33 33 34 // 34 //Default options 35 35 update_option('ld_http_auth', 'none'); 36 36 update_option('ld_hide_wp_admin', 'no'); … … 44 44 function network_activate_error() 45 45 { 46 // 46 //De-activate the plugin 47 47 $active_plugins = (array) get_option('active_plugins'); 48 48 $active_plugins_network = (array) get_site_option('active_sitewide_plugins'); … … 104 104 } 105 105 106 // 106 //The object. 107 107 $setup_no_wpmu = new Disable_WPMS_Plugin_LD(); 108 108 -
lockdown-wp-admin/trunk/readme.txt
r700782 r738058 6 6 Requires at least: 3.3 7 7 Tested up to: 3.5.1 8 Stable tag: 2.0. 18 Stable tag: 2.0. 9 9 10 10 Lockdown WP Admin conceals the administration and login screen from intruders. It can hide WordPress Admin (/wp-admin/) and and login (/wp-login.php) as well as add HTTP authentication to the login system. We can also change the login URL from wp-login.php to whatever you'd like: /login, /log-in-here, etc. … … 93 93 94 94 = 2.0.1 = 95 * Tiny bug fix 95 * Bug fix by [Michal Krause](https://github.com/michal-krause) 96 97 = 2.0.2 = 98 * Query string detection bug fix by [James Bonham](http://wordpress.org/support/profile/jamesbonham) 99 * Issues with WordPress in a sub-directory