/wp-content/plugins/bulletproof-security/admin/options.php
PHP | 2318 lines | 2024 code | 150 blank | 144 comment | 274 complexity | a2bd079aa25cc7afa3ded71f8a352628 MD5 | raw file
Possible License(s): AGPL-1.0, GPL-2.0, LGPL-2.1, GPL-3.0, LGPL-2.0, AGPL-3.0
Large files files are truncated, but you can click here to view the full file
- <?php
- // Direct calls to this file are Forbidden when core files are not present
- if ( !function_exists('add_action') ){
- header('Status: 403 Forbidden');
- header('HTTP/1.1 403 Forbidden');
- exit();
- }
-
- if ( !current_user_can('manage_options') ){
- header('Status: 403 Forbidden');
- header('HTTP/1.1 403 Forbidden');
- exit();
- }
- ?>
-
- <div id="message" class="updated" style="border:1px solid #999999; margin-left:70px; margin-top:9px;">
- <?php
- // HUD - Heads Up Display - Warnings and Error messages
- echo bps_check_php_version_error();
- echo bps_check_permalinks_error();
- echo bps_check_iis_supports_permalinks();
- echo bps_hud_check_bpsbackup();
- echo bps_check_safemode();
- echo @bps_w3tc_htaccess_check($plugin_var);
- echo @bps_wpsc_htaccess_check($plugin_var);
-
- // Form - copy and rename htaccess file to root folder
- // BulletProof Security and Default Mode
- $bpsecureroot = 'unchecked';
- $bpdefaultroot = 'unchecked';
- if (isset($_POST['submit12']) && current_user_can('manage_options')) {
- check_admin_referer( 'bulletproof_security_root_copy' );
-
- $old = ABSPATH . '/wp-content/plugins/bulletproof-security/admin/htaccess/default.htaccess';
- $new = ABSPATH . '/.htaccess';
- $old1 = ABSPATH . '/wp-content/plugins/bulletproof-security/admin/htaccess/secure.htaccess';
- $new1 = ABSPATH . '/.htaccess';
-
- $selected_radio = $_POST['selection12'];
- if ($selected_radio == 'bpsecureroot') {
- $bpsecureroot = 'checked';
- @copy($old1, $new1);
- chmod($new1, 0644);
- if (!copy($old1, $new1)) {
- _e('<font color="red"><strong>Failed to Activate BulletProof Security Root Folder Protection! Your Website is NOT protected with BulletProof Security!</strong></font><br>');
- } else {
- _e('<font color="green"><strong>BulletProof Security Root Folder Protection Activated. Your website Root folder is now protected with BulletProof Security.</strong></font><br><font color="red"><strong>IMPORTANT!</strong></font><strong> BulletProof Mode for the wp-admin folder MUST also be activated when you have BulletProof Mode activated for the Root folder.</strong><br>');
- }
- }
- elseif ($selected_radio == 'bpdefaultroot') {
- $bpdefaultroot = 'checked';
- copy($old, $new);
- chmod($new, 0644);
- if (!copy($old, $new)) {
- _e('<font color="red"><strong>Failed to Activate Default .htaccess Mode!</strong></font><br>');
- } else {
- _e('<font color="red"><strong>Warning: Default .htaccess Mode Is Activated In Your Website Root Folder. Your Website Is Not Protected With BulletProof Security.</strong></font>');
- }
- }
- }
-
- // Form - copy and rename htaccess file to wp-admin folder
- // BulletProof Security wp-admin
- $bpsecurewpadmin = 'unchecked';
- $Removebpsecurewpadmin = 'unchecked';
- if (isset($_POST['submit13']) && current_user_can('manage_options')) {
- check_admin_referer( 'bulletproof_security_wpadmin_copy' );
-
- $oldadmin1 = ABSPATH . 'wp-content/plugins/bulletproof-security/admin/htaccess/wpadmin-secure.htaccess';
- $newadmin1 = ABSPATH . 'wp-admin/.htaccess';
- $deleteWpadminHtaccess = ABSPATH . 'wp-admin/.htaccess';
-
- $selected_radio = $_POST['selection13'];
- if ($selected_radio == 'bpsecurewpadmin') {
- $bpsecurewpadmin = 'checked';
- copy($oldadmin1, $newadmin1);
- chmod($newadmin1, 0644);
- if (!copy($oldadmin1, $newadmin1)) {
- _e('<font color="red"><strong>Failed to Activate BulletProof Security wp-admin Folder Protection! Your wp-admin folder is NOT protected with BulletProof Security!</strong></font><br>');
- } else {
- _e('<font color="green"><strong>BulletProof Security wp-admin Folder Protection Activated. Your wp-admin folder is now protected with BulletProof Security.</strong></font>');
- }
- }
- elseif ($selected_radio == 'Removebpsecurewpadmin') {
- $Removebpsecurewpadmin = 'checked';
- $fh = fopen($deleteWpadminHtaccess, 'a');
- fwrite($fh, 'delete');
- fclose($fh);
- unlink($deleteWpadminHtaccess);
- if (file_exists($deleteWpadminHtaccess)) {
- _e('<font color="red"><strong>Failed to Delete the wp-admin .htaccess file! The file does not exist. It may have been deleted or renamed already.</strong></font><br>');
- } else {
- _e('<font color="green"><strong>The wp-admin .htaccess file has been Deleted. </strong></font><font color="red"><strong>Your wp-admin folder is no longer .htaccess protected.</strong></font> If you are testing then be sure to reactivate BulletProof Mode for your wp-admin folder when you are done testing. If you are removing BPS from your website then be sure to also Activate Default Mode for your Root folder. The Root and wp-admin BulletProof Modes must be activated together or removed togeher.</strong></font><br>');
- }
- }
- }
-
- // Form rename Deny All htaccess file to .htaccess for the BPS Master htaccess folder
- $bps_rename_htaccess_files = 'unchecked';
- if (isset($_POST['submit8']) && current_user_can('manage_options')) {
- check_admin_referer( 'bulletproof_security_denyall_master' );
-
- $bps_rename_htaccess = ABSPATH . '/wp-content/plugins/bulletproof-security/admin/htaccess/deny-all.htaccess';
- $bps_rename_htaccess_renamed = ABSPATH . '/wp-content/plugins/bulletproof-security/admin/htaccess/.htaccess';
-
- $selected_radio = $_POST['selection8'];
- if ($selected_radio == 'bps_rename_htaccess_files') {
- $bps_rename_htaccess_files = 'checked';
- copy($bps_rename_htaccess, $bps_rename_htaccess_renamed);
- if (!copy($bps_rename_htaccess, $bps_rename_htaccess_renamed)) {
- _e('<font color="red"><strong>Failed to Activate BulletProof Security Deny All Folder Protection! Your BPS Master htaccess folder is NOT Protected with Deny All htaccess folder protection!</strong></font><br>');
- } else {
- _e('BulletProof Security Deny All Folder Protection <font color="green"><strong>Activated.</strong></font> Your BPS Master htaccess folder is Now Protected with Deny All htaccess folder protection.');
- }
- }
- }
-
- // Form copy and rename the Deny All htaccess file to the BPS backup folder
- // /wp-content/bps-backup
- $bps_rename_htaccess_files_backup = 'unchecked';
- if (isset($_POST['submit14']) && current_user_can('manage_options')) {
- check_admin_referer( 'bulletproof_security_denyall_bpsbackup' );
-
- $bps_rename_htaccess_backup = ABSPATH . '/wp-content/plugins/bulletproof-security/admin/htaccess/deny-all.htaccess';
- $bps_rename_htaccess_backup_online = ABSPATH . '/wp-content/bps-backup/.htaccess';
-
- $selected_radio = $_POST['selection14'];
- if ($selected_radio == 'bps_rename_htaccess_files_backup') {
- $bps_rename_htaccess_files_backup = 'checked';
- copy($bps_rename_htaccess_backup, $bps_rename_htaccess_backup_online);
- if (!copy($bps_rename_htaccess_backup, $bps_rename_htaccess_backup_online)) {
- _e('<font color="red"><strong>Failed to Activate BulletProof Security Deny All Folder Protection! Your BPS /wp-content/bps-backup folder is NOT Protected with Deny All htaccess folder protection!</strong></font><br>');
- } else {
- _e('BulletProof Security Deny All Folder Protection <font color="green"><strong>Activated.</strong></font> Your BPS /wp-content/bps-backup folder is Now Protected with Deny All htaccess folder protection.');
- }
- }
- }
-
- // Form - Backup and rename existing and / or currently active htaccess files from
- // the root and wpadmin folders to /wp-content/bps-backup
- $backup_htaccess = 'unchecked';
- if (isset($_POST['submit9']) && current_user_can('manage_options')) {
- check_admin_referer( 'bulletproof_security_backup_active_htaccess_files' );
-
- $old_backroot = ABSPATH . '/.htaccess';
- $new_backroot = ABSPATH . '/wp-content/bps-backup/root.htaccess';
- $old_backwpadmin = ABSPATH . '/wp-admin/.htaccess';
- $new_backwpadmin = ABSPATH . '/wp-content/bps-backup/wpadmin.htaccess';
-
- $selected_radio = $_POST['selection9'];
- if ($selected_radio == 'backup_htaccess') {
- $backup_htaccess = 'checked';
- if ( !file_exists($old_backroot)) {
- _e('<font color="red"><strong>You do not currently have an .htaccess file in your Root folder to backup.</strong></font><br>');
- } else {
- if (file_exists($old_backroot)) {
- copy($old_backroot, $new_backroot);
- if (!copy($old_backroot, $new_backroot)) {
- _e('<font color="red"><strong>Failed to Backup Your Root .htaccess File! File copy function failed. Check the folder permissions for the /wp-content/bps-backup folder. Folder permissions should be set to 755.</strong></font><br><br>');
- } else {
- _e('<font color="green"><strong>Your currently active Root .htaccess file has been backed up successfully!</strong></font><br>Use the Restore feature to restore your .htaccess files if you run into a problem at any time. If you make additional changes or install a plugin that writes to the htaccess files then back them up again. This will overwrite the currently backed up htaccess files. Please read the <font color="red"><strong>CAUTION:</strong></font> Read Me ToolTip on the Backup & Restore Page for more detailed information.<br><br>');
-
- if ( !file_exists($old_backwpadmin)) {
- _e('<font color="red"><strong>You do not currently have an .htaccess file in your wp-admin folder to backup.</strong></font><br>');
- } else {
- if (file_exists($old_backwpadmin)) {
- copy($old_backwpadmin, $new_backwpadmin);
- if (!copy($old_backwpadmin, $new_backwpadmin)) {
- _e('<font color="red"><strong>Failed to Backup Your wp-admin .htaccess File! File copy function failed. Check the folder permissions for the /wp-content/bps-backup folder. Folder permissions should be set to 755.</strong></font><br>');
- } else {
- _e('<font color="green"><strong>Your currently active wp-admin .htaccess file has been backed up successfully!</strong></font><br>');
- }
- }}}}}}}
-
- // Form - Restore backed up htaccess files
- $restore_htaccess = 'unchecked';
- if (isset($_POST['submit10']) && current_user_can('manage_options')) {
- check_admin_referer( 'bulletproof_security_restore_active_htaccess_files' );
-
- $old_restoreroot = ABSPATH . '/wp-content/bps-backup/root.htaccess';
- $new_restoreroot = ABSPATH . '/.htaccess';
- $old_restorewpadmin = ABSPATH . '/wp-content/bps-backup/wpadmin.htaccess';
- $new_restorewpadmin = ABSPATH . '/wp-admin/.htaccess';
-
- $selected_radio = $_POST['selection10'];
- if ($selected_radio == 'restore_htaccess') {
- $restore_htaccess = 'checked';
- if (file_exists($old_restoreroot)) {
- copy($old_restoreroot, $new_restoreroot);
- if (!copy($old_restoreroot, $new_restoreroot)) {
- _e('<font color="red"><strong>Failed to Restore Your Root .htaccess File! This is most likely because you DO NOT currently have a Backed up Root .htaccess file.</strong></font><br>');
- } else {
- _e('<font color="green"><strong>Your Root .htaccess file has been Restored successfully!</strong></font><br>');
- if (file_exists($old_restorewpadmin)) {
- copy($old_restorewpadmin, $new_restorewpadmin);
- if (!copy($old_restorewpadmin, $new_restorewpadmin)) {
- _e('<font color="red"><strong>Failed to Restore Your wp-admin .htaccess File! This is most likely because you DO NOT currently have a Backed up wp-admin .htaccess file.</strong></font><br>');
- } else {
- _e('<font color="green"><strong>Your wp-admin .htaccess file has been Restored successfully!</strong></font><br>');
- }
- }}}}}
-
- // Form - Backup the BPS Master Files to /wp-content/bps-backup/master-backups
- $backup_master_htaccess_files = 'unchecked';
- if (isset($_POST['submit11']) && current_user_can('manage_options')) {
- check_admin_referer( 'bulletproof_security_backup_master_htaccess_files' );
-
- $default_master = ABSPATH . '/wp-content/plugins/bulletproof-security/admin/htaccess/default.htaccess';
- $default_master_backup = ABSPATH . '/wp-content/bps-backup/master-backups/backup_default.htaccess';
- $secure_master = ABSPATH . '/wp-content/plugins/bulletproof-security/admin/htaccess/secure.htaccess';
- $secure_master_backup = ABSPATH . '/wp-content/bps-backup/master-backups/backup_secure.htaccess';
- $wpadmin_master = ABSPATH . '/wp-content/plugins/bulletproof-security/admin/htaccess/wpadmin-secure.htaccess';
- $wpadmin_master_backup = ABSPATH . '/wp-content/bps-backup/master-backups/backup_wpadmin-secure.htaccess';
- $maintenance_master = ABSPATH . '/wp-content/plugins/bulletproof-security/admin/htaccess/maintenance.htaccess';
- $maintenance_master_backup = ABSPATH . '/wp-content/bps-backup/master-backups/backup_maintenance.htaccess';
- $bp_maintenance_master = ABSPATH . '/wp-content/plugins/bulletproof-security/admin/htaccess/bp-maintenance.php';
- $bp_maintenance_master_backup = ABSPATH . '/wp-content/bps-backup/master-backups/backup_bp-maintenance.php';
- $bps_maintenance_values = ABSPATH . '/wp-content/plugins/bulletproof-security/admin/htaccess/bps-maintenance-values.php';
- $bps_maintenance_values_backup = ABSPATH . '/wp-content/bps-backup/master-backups/backup_bps-maintenance-values.php';
-
- $selected_radio = $_POST['selection11'];
- if ($selected_radio == 'backup_master_htaccess_files') {
- $backup_master_htaccess_files = 'checked';
- if (file_exists($default_master)) {
- copy($default_master, $default_master_backup);
- if (!copy($default_master, $default_master_backup)) {
- _e('<font color="red"><strong>Failed to Backup Your default.htaccess File!</strong></font><br>');
- } else {
- _e('<font color="green"><strong>The default.htaccess file has been backed up successfully!</strong></font><br>');
- }
- if (file_exists($secure_master)) {
- copy($secure_master, $secure_master_backup);
- if (!copy($secure_master, $secure_master_backup)) {
- _e('<font color="red"><strong>Failed to Backup Your secure.htaccess File!</strong></font><br>');
- } else {
- _e('<font color="green"><strong>The secure.htaccess file has been backed up successfully!</strong></font><br>');
- }
- if (file_exists($wpadmin_master)) {
- copy($wpadmin_master, $wpadmin_master_backup);
- if (!copy($wpadmin_master, $wpadmin_master_backup)) {
- _e('<font color="red"><strong>Failed to Backup Your wpadmin-secure.htaccess File!</strong></font><br>');
- } else {
- _e('<font color="green"><strong>The wpadmin-secure.htaccess file has been backed up successfully!</strong></font><br>');
- }
- if (file_exists($maintenance_master)) {
- copy($maintenance_master, $maintenance_master_backup);
- if (!copy($maintenance_master, $maintenance_master_backup)) {
- _e('<font color="red"><strong>Failed to Backup Your maintenance.htaccess File!</strong></font><br>');
- } else {
- _e('<font color="green"><strong>The maintenance.htaccess file has been backed up successfully!</strong></font><br>');
- }
- if (file_exists($bp_maintenance_master)) {
- copy($bp_maintenance_master, $bp_maintenance_master_backup);
- if (!copy($bp_maintenance_master, $bp_maintenance_master_backup)) {
- _e('<font color="red"><strong>Failed to Backup Your bp-maintenance.php File!</strong></font><br>');
- } else {
- _e('<font color="green"><strong>The bp-maintenance.php file has been backed up successfully!</strong></font><br>');
- }
- if (file_exists($bps_maintenance_values)) {
- copy($bps_maintenance_values, $bps_maintenance_values_backup);
- if (!copy($bps_maintenance_values, $bps_maintenance_values_backup)) {
- _e('<font color="red"><strong>Failed to Backup Your bps-maintenance-values.php File!</strong></font><br>');
- } else {
- _e('<font color="green"><strong>The bps-maintenance-values.php file has been backed up successfully!</strong></font><br>');
- }
- }}}}}}}}
-
- // Form - Activate Maintenance Mode copy and rename maintenance htaccess, bp-maintenance.php and bps-maintenance-values.php to root
- $bpmaintenance = 'unchecked';
- if (isset($_POST['submit15']) && current_user_can('manage_options')) {
- check_admin_referer( 'bulletproof_security_maintenance_copy' );
-
- $oldmaint = ABSPATH . '/wp-content/plugins/bulletproof-security/admin/htaccess/maintenance.htaccess';
- $newmaint = ABSPATH . '/.htaccess';
- $oldmaint1 = ABSPATH . '/wp-content/plugins/bulletproof-security/admin/htaccess/bp-maintenance.php';
- $newmaint1 = ABSPATH . '/bp-maintenance.php';
- $oldmaint_values = ABSPATH . '/wp-content/plugins/bulletproof-security/admin/htaccess/bps-maintenance-values.php';
- $newmaint_values = ABSPATH . '/bps-maintenance-values.php';
-
- $selected_radio = $_POST['selection15'];
- if ($selected_radio == 'bpmaintenance') {
- $bpmaintenance = 'checked';
- copy($oldmaint, $newmaint);
- copy($oldmaint1, $newmaint1);
- copy($oldmaint_values, $newmaint_values);
- if (!copy($oldmaint, $newmaint)) {
- _e('<p><font color="red"><strong>Failed to Activate Maintenance Mode! Your Website is NOT in Maintenance Mode!<br>If your Root .htaccess file is locked you must unlock it first before activating Maintenance Mode.</strong></font></p>');
- } else {
- _e('<font color="red"><strong>Warning: </strong></font>Maintenance Mode Is Activated. Your website is now displaying the Website Under Maintenance page to everyone except you. To switch out of Maintenance mode activate BulletProof Security Mode. You can log in and out of your Dashboard / WordPress website in Maintenance Mode as long as your current IP address does not change. If your current IP address changes you will have to FTP to your website and delete the .htaccess file in your website root folder (or download the .htaccess file and add your new IP address and upload it back to your root website folder) to be able to log back into your WordPress Dashboard. Your ISP provides your current Public IP address. If you reboot your computer or disconnect from the Internet there is a good chance that you will get a new Public IP address from your ISP.');
- }
- }
- }
-
- // Create maintenance htaccess file
- if (isset($_POST['bps-auto-write-maint']) && current_user_can('manage_options')) {
- check_admin_referer( 'bulletproof_security_auto_write_maint' );
-
- $bps_string_replace_maint = array(".");
- $bps_get_IP_maint = str_replace($bps_string_replace_maint, "\.", $_SERVER['REMOTE_ADDR']) . "$";
- $bps_get_wp_root_maint = bps_wp_get_root_folder();
- $bps_auto_write_maint_file = ABSPATH . '/wp-content/plugins/bulletproof-security/admin/htaccess/maintenance.htaccess';
- $bps_maint_content = "# BULLETPROOF .46.6 MAINTENANCE .HTACCESS \n
- RewriteEngine On
- RewriteBase $bps_get_wp_root_maint\n
- RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
- RewriteRule ^(.*)$ - [F,L]\n
- # ALLOW THUMBNAILER SCRIPTS TO DISPLAY IMAGES
- RewriteCond %{REQUEST_FILENAME} thumb.php [NC,OR]
- RewriteCond %{REQUEST_FILENAME} thumbs.php [NC,OR]
- RewriteCond %{REQUEST_FILENAME} timthumb.php [NC,OR]
- RewriteCond %{REQUEST_FILENAME} phpthumb.php [NC]
- RewriteRule . - [F,L]\n
- # BPSQSE BPS QUERY STRING EXPLOITS
- RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
- RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
- RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|".'"'."|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
- RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
- RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
- RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
- RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
- RewriteCond %{THE_REQUEST} (\\r|\\n|%0A|%0D) [NC,OR]
- RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
- RewriteCond %{HTTP_REFERER} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
- RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
- RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
- RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
- RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
- RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
- RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
- RewriteCond %{QUERY_STRING} \.\./\.\. [OR]
- RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
- RewriteCond %{QUERY_STRING} http\: [NC,OR]
- RewriteCond %{QUERY_STRING} https\: [NC,OR]
- RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
- RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
- RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
- RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
- RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
- RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
- RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
- RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
- RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
- RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
- RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
- RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
- RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
- RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
- RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
- RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
- RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
- RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
- RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
- RewriteCond %{QUERY_STRING} (;|<|>|'|".'"'."|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
- RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
- RewriteRule ^(.*)$ - [F,L]\n
- RewriteCond %{REMOTE_ADDR} !^$bps_get_IP_maint
- RewriteCond %{REQUEST_URI} !^$bps_get_wp_root_maint"."bp-maintenance\.php$
- RewriteCond %{REQUEST_URI} !^$bps_get_wp_root_maint"."wp-content/plugins/bulletproof-security/abstract-blue-bg\.png$
- RewriteRule ^(.*)$ $bps_get_wp_root_maint"."bp-maintenance.php [L]
- RewriteCond %{REQUEST_FILENAME} !-f
- RewriteCond %{REQUEST_FILENAME} !-d
- RewriteRule . $bps_get_wp_root_maint"."index.php [L]";
- if (is_writable($bps_auto_write_maint_file)) {
- if (!$handle = fopen($bps_auto_write_maint_file, 'w+b')) {
- _e('<font color="red"><strong>Cannot open file' . "$bps_auto_write_maint_file" . '</strong></font>');
- exit;
- }
- if (fwrite($handle, $bps_maint_content) === FALSE) {
- _e('<font color="red"><strong>Cannot write to file' . "$bps_auto_write_maint_file" . '</strong></font>');
- exit;
- }
- _e('<font color="green"><strong>Success! Your Maintenance Mode htaccess file was created successfully! Select the Maintenance Mode radio button and click Activate to put your website in Maintenance Mode.</strong></font>');
- fclose($handle);
- } else {
- _e('<font color="red"><strong>The file ' . "$bps_auto_write_maint_file" . ' is not writable or does not exist.</strong></font><br><strong>Check that the file is named maintenance.htaccess and that the file exists in the /bulletproof-security/admin/htaccess master folder. If this is not the problem click <a href="http://www.ait-pro.com/aitpro-blog/2566/bulletproof-security-plugin-support/bulletproof-security-error-messages" target="_blank">here</a> for more help info.</strong><br>');
- }
- }
-
- // default.htaccess and secure.htaccess fwrite content for all WP site types
- $bps_get_wp_root_default = bps_wp_get_root_folder();
- $bps_auto_write_default_file = ABSPATH . '/wp-content/plugins/bulletproof-security/admin/htaccess/default.htaccess';
-
- $bpsSuccessMessageDef = '<font color="green"><strong>Success! Your Default Mode Master htaccess file was created successfully!</strong></font><br><font color="red"><strong>CAUTION: Default Mode should only be activated for testing or troubleshooting purposes. Default Mode does not protect your website with any security protection.</strong></font><br><font color="black"><strong>To activate Default Mode select the Default Mode radio button and click Activate to put your website in Default Mode.</strong></font>';
-
- $bpsFailMessageDef = '<font color="red"><strong>The file ' . "$bps_auto_write_default_file" . ' is not writable or does not exist.</strong></font><br><strong>Check that the file is named default.htaccess and that the file exists in the /bulletproof-security/admin/htaccess master folder. If this is not the problem click <a href="http://www.ait-pro.com/aitpro-blog/2566/bulletproof-security-plugin-support/bulletproof-security-error-messages" target="_blank">here</a> for more help info.</strong><br>';
-
- $bpsTopMU = "\nRewriteEngine On
- RewriteBase $bps_get_wp_root_default
- RewriteRule ^index\.php$ - [L]\n\n";
-
- $bps_default_content_top = "# BULLETPROOF .46.D >>>>>>> DEFAULT .HTACCESS \n
- # If you edit the line of code above you will see error messages on the BPS status page
- # WARNING!!! THE default.htaccess FILE DOES NOT PROTECT YOUR WEBSITE AGAINST HACKERS
- # This is a standard generic htaccess file that does NOT provide any website security
- # The DEFAULT .HTACCESS file should be used for testing and troubleshooting purposes only\n
- # BEGIN WordPress";
-
- $bps_default_content_bottom = "\n<IfModule mod_rewrite.c>
- RewriteEngine On
- RewriteBase $bps_get_wp_root_default
- RewriteRule ^index\.php$ - [L]
- RewriteCond %{REQUEST_FILENAME} !-f
- RewriteCond %{REQUEST_FILENAME} !-d
- RewriteRule . $bps_get_wp_root_default"."index.php [L]
- </IfModule>\n
- # END WordPress";
-
- $bpsMUEndWP = "# END WordPress";
-
- $bpsMUSDirTop = "# uploaded files
- RewriteRule ^([_0-9a-zA-Z-]+/)?files/(.+) wp-includes/ms-files.php?file=$2 [L]\n
- # add a trailing slash to /wp-admin
- RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]\n\n";
-
- $bpsMUSDomTop = "# uploaded files
- RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]\n\n";
-
- $bpsMUSDirBottom = "RewriteCond %{REQUEST_FILENAME} -f [OR]
- RewriteCond %{REQUEST_FILENAME} -d
- RewriteRule ^ - [L]
- RewriteRule ^[_0-9a-zA-Z-]+/(wp-(content|admin|includes).*) $1 [L]
- RewriteRule ^[_0-9a-zA-Z-]+/(.*\.php)$ $1 [L]
- RewriteRule . index.php [L]\n\n";
-
- $bpsMUSDomBottom = "RewriteCond %{REQUEST_FILENAME} -f [OR]
- RewriteCond %{REQUEST_FILENAME} -d
- RewriteRule ^ - [L]
- RewriteRule . index.php [L]\n\n";
-
- // Create Default htaccess file - Single Site
- if (isset($_POST['bps-auto-write-default']) && current_user_can('manage_options')) {
- check_admin_referer( 'bulletproof_security_auto_write_default' );
-
- if (is_writable($bps_auto_write_default_file)) {
- if (!$handle = fopen($bps_auto_write_default_file, 'w+b')) {
- _e('<font color="red"><strong>Cannot open file' . "$bps_auto_write_default_file" . '</strong></font>');
- exit;
- }
- if (fwrite($handle, $bps_default_content_top.$bps_default_content_bottom) === FALSE) {
- _e('<font color="red"><strong>Cannot write to file' . "$bps_auto_write_default_file" . '</strong></font>');
- exit;
- }
- _e($bpsSuccessMessageDef);
- fclose($handle);
- } else {
- _e($bpsFailMessageDef);
- }
- }
-
- // Create Default htaccess file - MU Subdirectory
- if (isset($_POST['bps-auto-write-default-MUSDir']) && current_user_can('manage_options')) {
- check_admin_referer( 'bulletproof_security_auto_write_default_MUSDir' );
-
- if (is_writable($bps_auto_write_default_file)) {
- if (!$handle = fopen($bps_auto_write_default_file, 'w+b')) {
- _e('<font color="red"><strong>Cannot open file' . "$bps_auto_write_default_file" . '</strong></font>');
- exit;
- }
- if (fwrite($handle, $bps_default_content_top.$bpsTopMU.$bpsMUSDirTop.$bpsMUSDirBottom.$bpsMUEndWP) === FALSE) {
- _e('<font color="red"><strong>Cannot write to file' . "$bps_auto_write_default_file" . '</strong></font>');
- exit;
- }
- _e($bpsSuccessMessageDef);
- fclose($handle);
- } else {
- _e($bpsFailMessageDef);
- }
- }
-
- // Create Default htaccess file - MU Subdomain
- if (isset($_POST['bps-auto-write-default-MUSDom']) && current_user_can('manage_options')) {
- check_admin_referer( 'bulletproof_security_auto_write_default_MUSDom' );
-
- if (is_writable($bps_auto_write_default_file)) {
- if (!$handle = fopen($bps_auto_write_default_file, 'w+b')) {
- _e('<font color="red"><strong>Cannot open file' . "$bps_auto_write_default_file" . '</strong></font>');
- exit;
- }
- if (fwrite($handle, $bps_default_content_top.$bpsTopMU.$bpsMUSDomTop.$bpsMUSDomBottom.$bpsMUEndWP) === FALSE) {
- _e('<font color="red"><strong>Cannot write to file' . "$bps_auto_write_default_file" . '</strong></font>');
- exit;
- }
- _e($bpsSuccessMessageDef);
- fclose($handle);
- } else {
- _e($bpsFailMessageDef);
- }
- }
-
- // secure.htaccess fwrite content for all WP site types
- $bps_get_wp_root_secure = bps_wp_get_root_folder();
- $bps_auto_write_secure_file = ABSPATH . '/wp-content/plugins/bulletproof-security/admin/htaccess/secure.htaccess';
-
- $bpsSuccessMessageSec = '<font color="green"><strong>Success! Your BulletProof Security Root Master htaccess file was created successfully!</strong></font><br><font color="black"><strong>You can now Activate BulletProof Mode for your Root folder. Select the BulletProof Mode radio button and click Activate to put your website in BulletProof Mode.</strong></font>';
-
- $bpsFailMessageSec = '<font color="red"><strong>The file ' . "$bps_auto_write_secure_file" . ' is not writable or does not exist.</strong></font><br><strong>Check that the file is named secure.htaccess and that the file exists in the /bulletproof-security/admin/htaccess master folder. If this is not the problem click <a href="http://www.ait-pro.com/aitpro-blog/2566/bulletproof-security-plugin-support/bulletproof-security-error-messages" target="_blank">here</a> for more help info.</strong><br>';
-
- $bps_secure_content_top = "# BULLETPROOF .46.6 >>>>>>> SECURE .HTACCESS \n
- # If you edit the BULLETPROOF .46.6 >>>>>>> SECURE .HTACCESS text above
- # you will see error messages on the BPS status page
- # BPS is reading the version number in the htaccess file to validate checks
- # If you would like to change what is displayed above you
- # will need to edit the BPS /includes/functions.php file to match your changes
- # If you update your WordPress Permalinks the code between BEGIN WordPress and
- # END WordPress is replaced by WP htaccess code.
- # This removes all of the BPS security code and replaces it with just the default WP htaccess code
- # To restore this file use BPS Restore or activate BulletProof Mode for your Root folder again.\n
- # BEGIN WordPress
- # IMPORTANT!!! DO NOT DELETE!!! - BEGIN Wordpress above or END WordPress - text in this file
- # They are reference points for WP, BPS and other plugins to write to this htaccess file.
- # IMPORTANT!!! DO NOT DELETE!!! - BPSQSE BPS QUERY STRING EXPLOITS - text
- # BPS needs to find the - BPSQSE - text string in this file to validate that your security filters exist\n
- # TURN OFF YOUR SERVER SIGNATURE
- ServerSignature Off\n
- # ADD PHP HANDLER - Add your hosts php Handler below if you are using a php handler
- # Example GoDaddy PHP 5.2.x php handler is shown commented out directly below
- #AddHandler x-httpd-php5 .php\n
- # CUSTOM PHP.INI FILES - handlers and mod_suphp htaccess code for Web Hosts
- # If you are using either a BPS Pro custom php.ini file or one that you created yourself
- # If your host is GoDaddy and you have a custom php.ini file
- # uncomment the 1 line of code directly below
- #AddHandler x-httpd-php5 .php
- # If your host is BlueHost, HostMonster FastDomain and you have a custom php.ini file
- # uncomment the 1 line of code directly below
- #AddHandler application/x-httpd-php5s .php
- # If your host is HostGator and you have a custom php.ini file
- # uncomment the 3 lines of code below and replace xxxxx with your account/username
- #<IfModule mod_suphp.c>
- #suPHP_ConfigPath /home/xxxxx/public_html/php.ini
- #</IfModule>\n
- # DO NOT SHOW DIRECTORY LISTING
- # If you are getting 500 Errors when activating BPS then comment out Options -Indexes
- # by adding a # sign in front of it. If there is a typo anywhere in this file you will also see 500 errors.
- Options -Indexes\n
- # DIRECTORY INDEX FORCE INDEX.PHP
- # Use index.php as default directory index file
- # index.html will be ignored will not load.
- DirectoryIndex index.php index.html /index.php\n
- # BPS PRO ERROR LOGGING AND TRACKING - Available in BPS Pro only
- # BPS Pro has premade 403 Forbidden, 400 Bad Request and 404 Not Found files that are used
- # to track and log 403, 400 and 404 errors that occur on your website. When a hacker attempts to
- # hack your website the hackers IP address, Host name, Request Method, Referering link, the file name or
- # requested resource, the user agent of the hacker and the query string used in the hack attempt are logged.
- # BPS Pro Log files are added to the P-Security All Purpose File Manager to view them.
- # All BPS Pro log files are htaccess protected so that only you can view them.
- # The 400.php, 403.php and 404.php files are located in /wp-content/plugins/bulletproof-security/
- # The 400 and 403 Error logging files are already set up and will automatically start logging errors
- # after you install BPS Pro and have activated BulletProof Mode for your Root folder.
- # If you would like to log 404 errors you will need to copy the logging code in the BPS Pro 404.php file
- # to your Theme's 404.php template file. Simple instructions are included in the BPS Pro 404.php file.
- # You can open the BPS Pro 404.php file using the WP Plugins Editor or by using the BPS Pro File Manager.
- # NOTE: By default WordPress automatically looks in your Theme's folder for a 404.php template file.\n
- #ErrorDocument 400 $bps_get_wp_root_secure"."wp-content/plugins/bulletproof-security/400.php
- #ErrorDocument 403 $bps_get_wp_root_secure"."wp-content/plugins/bulletproof-security/403.php
- ErrorDocument 404 $bps_get_wp_root_secure"."404.php\n
- # DENY ACCESS TO PROTECTED SERVER FILES - .htaccess, .htpasswd and all file names starting with dot
- RedirectMatch 403 /\..*$\n
- RewriteEngine On
- RewriteBase $bps_get_wp_root_secure
- RewriteRule ^wp-admin/includes/ - [F,L]
- RewriteRule !^wp-includes/ - [S=3]
- RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
- RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
- RewriteRule ^wp-includes/theme-compat/ - [F,L]\n
- RewriteEngine On
- RewriteBase $bps_get_wp_root_secure
- RewriteRule ^index\.php$ - [L]\n\n";
-
- $bps_secure_content_mid_top = "# REQUEST METHODS FILTERED
- # This filter is for blocking junk bots and spam bots from making a HEAD request, but may also block some
- # HEAD request from bots that you want to allow in certains cases. This is not a security filter and is just
- # a nuisance filter. This filter will not block any important bots like the google bot. If you want to allow
- # all bots to make a HEAD request then remove HEAD from the Request Method filter.
- # The TRACE, DELETE, TRACK and DEBUG request methods should never be allowed against your website.
- RewriteEngine On
- RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
- RewriteRule ^(.*)$ - [F,L]\n
- # PLUGINS AND VARIOUS EXPLOIT FILTER SKIP RULES
- # IMPORTANT!!! If you add or remove a skip rule you must change S= to the new skip number
- # Example: If RewriteRule S=5 is deleted than change S=6 to S=5, S=7 to S=6, etc.
- # Adminer MySQL management tool data populate
- RewriteCond %{REQUEST_URI} ^$bps_get_wp_root_secure"."wp-content/plugins/adminer/ [NC]
- RewriteRule . - [S=11]
- # Comment Spam Pack MU Plugin - CAPTCHA images not displaying
- RewriteCond %{REQUEST_URI} ^$bps_get_wp_root_secure"."wp-content/mu-plugins/custom-anti-spam/ [NC]
- RewriteRule . - [S=10]
- # Peters Custom Anti-Spam display CAPTCHA Image
- RewriteCond %{REQUEST_URI} ^$bps_get_wp_root_secure"."wp-content/plugins/peters-custom-anti-spam-image/ [NC]
- RewriteRule . - [S=9]
- # Status Updater plugin fb connect
- RewriteCond %{REQUEST_URI} ^$bps_get_wp_root_secure"."wp-content/plugins/fb-status-updater/ [NC]
- RewriteRule . - [S=8]
- # Stream Video Player - Adding FLV Videos Blocked
- RewriteCond %{REQUEST_URI} ^$bps_get_wp_root_secure"."wp-content/plugins/stream-video-player/ [NC]
- RewriteRule . - [S=7]
- # XCloner 404 or 403 error when updating settings
- RewriteCond %{REQUEST_URI} ^$bps_get_wp_root_secure"."wp-content/plugins/xcloner-backup-and-restore/ [NC]
- RewriteRule . - [S=6]
- # BuddyPress Logout Redirect
- RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
- RewriteRule . - [S=5]
- # redirect_to=
- RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]
- RewriteRule . - [S=4]
- # Login Plugins Password Reset And Redirect 1
- RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC]
- RewriteRule . - [S=3]
- # Login Plugins Password Reset And Redirect 2
- RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
- RewriteRule . - [S=2]\n
- # ALLOW THUMBNAILER SCRIPTS TO DISPLAY IMAGES
- # By default BPS is forbidding allowing these thumbnailer scripts filename requests
- # This will Log lots of hacking attempts on your website in your BPS Pro Error Log
- # If you are using one of these thumbnailer scripts on your website and you want to allow
- # your thumbnailer script images to display then change [F,L] to [S=1]
- # Make sure that you have a security patched version or recent versions of these scripts
- # before changing [F,L] to [S=1] and allowing these files to be requested on your website
- # If you delete or remove the RewriteRule below you will need to change the above skip rules
- # Example: RewriteRule S=2 above will need to be changed to S=1, change S=3 to S=2, etc.
- RewriteCond %{REQUEST_FILENAME} thumb.php [NC,OR]
- RewriteCond %{REQUEST_FILENAME} thumbs.php [NC,OR]
- RewriteCond %{REQUEST_FILENAME} timthumb.php [NC,OR]
- RewriteCond %{REQUEST_FILENAME} phpthumb.php [NC]
- RewriteRule . - [F,L]\n
- # BPSQSE BPS QUERY STRING EXPLOITS
- # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
- # Good sites such as W3C use it for their W3C-LinkChecker.
- # Add or remove user agents temporarily or permanently from the first User Agent filter below.
- # If you want a list of bad bots / User Agents to block then scroll to the end of this file.
- RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
- RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
- RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|".'"'."|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
- RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
- RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
- RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
- RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
- RewriteCond %{THE_REQUEST} (\\r|\\n|%0A|%0D) [NC,OR]
- RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
- RewriteCond %{HTTP_REFERER} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
- RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
- RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
- RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
- RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
- RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
- RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
- RewriteCond %{QUERY_STRING} \.\./\.\. [OR]
- RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
- RewriteCond %{QUERY_STRING} http\: [NC,OR]
- RewriteCond %{QUERY_STRING} https\: [NC,OR]
- RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
- RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
- RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
- RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
- RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
- RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
- RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
- RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
- RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
- RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
- RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
- RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
- RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
- RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
- RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
- RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
- RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
- RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
- RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
- RewriteCond %{QUERY_STRING} (;|<|>|'|".'"'."|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
- RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
- RewriteRule ^(.*)$ - [F,L]\n";
-
- $bps_secure_content_mid_bottom = "RewriteCond %{REQUEST_FILENAME} !-f
- RewriteCond %{REQUEST_FILENAME} !-d
- RewriteRule . $bps_get_wp_root_secure"."index.php [L]\n\n";
-
- $bps_secure_content_bottom = "# DENY BROWSER ACCESS TO THESE FILES
- # wp-config.php, bb-config.php, php.ini, php5.ini, readme.html
- # Replace Allow from 88.77.66.55 with your current IP address and remove the
- # pound sign # from in front of the Allow from line of code below to access these
- # files directly from your browser.\n
- <FilesMatch ".'"'."^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)".'"'.">
- Order allow,deny
- Deny from all
- #Allow from 88.77.66.55
- </FilesMatch>\n
- # IMPORTANT!!! DO NOT DELETE!!! the END WordPress text below
- # END WordPress\n
- # BLOCK HOTLINKING TO IMAGES
- # To Test that your Hotlinking protection is working visit http://altlab.com/htaccess_tutorial.html
- #RewriteEngine On
- #RewriteCond %{HTTP_REFERER} !^https?://(www\.)?add-your-domain-here\.com [NC]
- #RewriteCond %{HTTP_REFERER} !^$
- #RewriteRule .*\.(jpeg|jpg|gif|bmp|png)$ - [F]\n
- # BLOCK MORE BAD BOTS RIPPERS AND OFFLINE BROWSERS
- # If you would like to block more bad bots you can get a blacklist from
- # http://perishablepress.com/press/2007/06/28/ultimate-htaccess-blacklist/
- # You should monitor your site very closely for at least a week if you add a bad bots list
- # to see if any website traffic problems or other problems occur.
- # Copy and paste your bad bots user agent code list directly below.";
-
- // Create Secure htaccess master Root file - Single Site
- if (isset($_POST['bps-auto-write-secure-root']) && current_user_can('manage_options')) {
- check_admin_referer( 'bulletproof_security_auto_write_secure_root' );
-
- if (is_writable($bps_auto_write_secure_file)) {
- if (!$handle = fopen($bps_auto_write_secure_file, 'w+b')) {
- _e('<font color="red"><strong>Cannot open file' . "$bps_auto_write_secure_file" . '</strong></font>');
- exit;
- }
- if (fwrite($handle, $bps_secure_content_top.$bps_secure_content_mid_top.$bps_secure_content_mid_bottom.$bps_secure_content_bottom) === FALSE) {
- _e('<font color="red"><strong>Cannot write to file' . "$bps_auto_write_secure_file" . '</strong></font>');
- exit;
- }
- _e($bpsSuccessMessageSec);
- fclose($handle);
- } else {
- _e($bpsFailMessageSec);
- }
- }
-
- // Create Secure htaccess master Root file - MU Subdirectory
- if (isset($_POST['bps-auto-write-secure-root-MUSDir']) && current_user_can('manage_options')) {
- check_admin_referer( 'bulletproof_security_auto_write_secure_root_MUSDir' );
-
- if (is_writable($bps_auto_write_secure_file)) {
- if (!$handle = fopen($bps_auto_write_secure_file, 'w+b')) {
- _e('<font color="red"><strong>Cannot open file' . "$bps_auto_write_secure_file" . '</strong></font>');
- exit;
- }
- if (fwrite($handle, $bps_secure_content_top.$bpsMUSDirTop.$bps_secure_content_mid_top.$bpsMUSDirBottom.$bps_secure_content_bottom) === FALSE) {
- _e('<font color="red"><strong>Cannot write to file' . "$bps_auto_write_secure_file" . '</strong></font>');
- exit;
- }
- _e($bpsSuccessMessageSec);
- fclose($handle);
- } else {
- _e($bpsFailMessageSec);
- }
- }
-
- // Create Secure htaccess master Root file - MU Subdomain
- if (isset($_POST['bps-auto-write-secure-root-MUSDom']) && current_user_can('manage_options')) {
- check_admin_referer( 'bulletproof_security_auto_write_secure_MUSDom' );
-
- if (is_writable($bps_auto_write_secure_file)) {
- if (!$handle = fopen($bps_auto_write_secure_file, 'w+b')) {
- _e('<font color="red"><strong>Cannot open file' . "$bps_auto_write_secure_file" . '</strong></font>');
- exit;
- }
- if (fwrite($handle, $bps_secure_content_top.$bpsMUSDomTop.$bps_secure_content_mid_top.$bpsMUSDomBottom.$bps_secure_content_bottom) === FALSE) {
- _e('<font color="red"><strong>Cannot write to file' . "$bps_auto_write_secure_file" . '</strong></font>');
- exit;
- }
- _e($bpsSuccessMessageSec);
- fclose($handle);
- } else {
- _e($bpsFailMessageSec);
- }
- }
-
- // Create the Maintenance Mode Settings Values Form File - values from DB
- if (isset($_POST['bps-maintenance-create-values_submit']) && current_user_can('manage_options')) {
- check_admin_referer( 'bulletproof_security_create_values_form' );
-
- $options = get_option('bulletproof_security_options_maint');
- $bps_retry_after_write = $options['bps-retry-after'];
- $bps_site_title_write = $options['bps-site-title'];
- $bps_message1_write = $options['bps-message-1'];
- $bps_message2_write = $options['bps-message-2'];
- $bps_body_background_image_write = $options['bps-background-image'];
- $bps_auto_write_maint_file_form = ABSPATH . 'wp-content/plugins/bulletproof-security/admin/htaccess/bps-maintenance-values.php';
- $bps_maint_content_form = "<?php".'
- $bps_retry_after'." = '$bps_retry_after_write';\n"
- .'$bps_site_title'." = '$bps_site_title_write';\n"
- .'$bps_message1'." = '$bps_message1_write';\n"
- .'$bps_message2'." = '$bps_message2_write';\n"
- .'$bps_body_background_image'." = '$bps_body_background_image_write';
- ?>";
- if (is_writable($bps_auto_write_maint_file_form)) {
- if (!$handle = fopen($bps_auto_write_maint_file_form, 'w+b')) {
- _e('<font color="red"><strong>Cannot open file' . "$bps_auto_write_maint_file_form" . '</strong></font>');
- exit;
- }
- if (fwrite($handle, $bps_maint_content_form) === FALSE) {
- _e('<font color="red"><strong>Cannot write to file' . "$bps_auto_write_maint_file_form" . '</strong></font>');
- exit;
- }
- _e('<font color="green"><strong>Success! Your Maintenance Mode Form has been created successfully! Click the Preview button to preview your Website Under Maintenance page.</strong></font>');
- fclose($handle);
- } else {
- _e('<font color="red"><strong>The file ' . "$bps_auto_write_maint_file_form" . ' is not writable or does not exist.</strong></font><br><strong>Check that the bps-maintenance-values.php file exists in the /bulletproof-security/admin/htaccess master folder. If this is not the problem click <a href="http://www.ait-pro.com/aitpro-blog/2566/bulletproof-security-plugin-support/bulletproof-security-error-messages" target="_blank">here</a> for more help info.</strong><br>');
- }
- }
-
- // Simple Secure Old School PHP file upload
- if (isset($_POST['submit-bps-upload']) && current_user_can('manage_options')) {
- check_admin_referer( 'bulletproof_security_upload' );
-
- $tmp_file = $_FILES['bps_file_upload']['tmp_name'];
- $folder_path = ABSPATH . '/wp-content/plugins/bulletproof-security/admin/htaccess/';
- $bps_uploaded_file = str_replace('//','/',$folder_path) . $_FILES['bps_file_upload']['name'];
- if (!empty($_FILES)) {
- move_uploaded_file($tmp_file,$bps_uploaded_file);
- _e('<font color="black"><strong>File Upload Path and File Name: </strong></font><br>');
- echo "$bps_uploaded_file";
- } else {
- _e('<font color="red"><strong>File upload error. File was not successfully uploaded.</strong></font><br>');
- }
- }
-
- // Enable File Downloading for Master Files - writes a new denyall htaccess file with the current IP address
- if (isset($_POST['bps-enable-download']) && current_user_can('manage_options')) {
- check_admin_referer( 'bulletproof_security_enable_download' );
-
- $bps_get_IP = $_SERVER['REMOTE_ADDR'];
- $denyall_htaccess_file = ABSPATH . '/wp-content/plugins/bulletproof-security/admin/htaccess/.htaccess';
- $bps_denyall_content = "order deny,allow\ndeny from all\nallow from $bps_get_IP";
-
- if (is_writable($denyall_htaccess_file)) {
- if (!$handle = fopen($denyall_htaccess_file, 'w+b')) {
- _e('<font color="red"><strong>Cannot open file' . "$denyall_htaccess_file" . '</strong></font>');
- exit;
- }
- if (fwrite($handle, $bps_denyall_content) === FALSE) {
- _e('<font color="red"><strong>Cannot write to file' . "$denyall_htaccess_file" . '</strong></font>');
- exit;
- }
- _e('<font color="green"><strong>Success! File open, preview and downloading for your BPS Master Files is enabled for your IP address only ===' . "$bps_get_IP." .'</strong></font>');
- fclose($handle);
- } else {
- _e('<font color="red"><strong>The file ' . "$denyall_htaccess_file" . ' is not writable or does not exist yet.</strong></font><br><strong>Check the BPS Status page to see if Deny All protection has been activated. Activate Deny All htaccess Folder Protection For The BPS Master htaccess Folder on the BPS Security Modes page. If this is not the problem click <a href="http://www.ait-pro.com/aitpro-blog/2566/bulletproof-security-plugin-support/bulletproof-security-error-messages" target="_blank">here</a> for more help info.</strong><br>');
- }
- }
-
- // Enable File Downloading for BPS Backup Folder - writes a new denyall htaccess file with the current IP address
- if (isset($_POST['bps-enable-download-backup']) && current_user_can('manage_options')) {
- check_admin_referer( 'bulletproof_security_enable_download-backup' );
-
- $bps_get_IP2 = $_SERVER['REMOTE_ADDR'];
- $denyall_htaccess_file_backup = ABSPATH . '/wp-content/b…
Large files files are truncated, but you can click here to view the full file