';
echo '.')
';
echo '
';
?>
';
}
}
} elseif ( esc_html($_SERVER['QUERY_STRING']) == 'page=bulletproof-security/admin/system-info/system-info.php' ) {
$bps_status_display = get_option('bulletproof_security_options_status_display');
if ( $bps_status_display['bps_status_display'] != 'Off' ) {
echo '';
echo 'Processing...
';
echo ''.__('The BPS Status Display is set to Off by default on the System Info page', 'bulletproof-security').'
';
echo '';
}
} else {
$options = get_option('bulletproof_security_options_autolock');
$HFiles_options = get_option('bulletproof_security_options_htaccess_files');
$filename = ABSPATH . '.htaccess';
if ( file_exists($filename) ) {
$permsHtaccess = @substr(sprintf('%o', fileperms($filename)), -4);
$sapi_type = @php_sapi_name();
$check_string = @file_get_contents($filename);
$section = @file_get_contents($filename, NULL, NULL, 3, 38);
$bps_get_domain_root = bpsGetDomainRoot();
$bps_get_wp_root_secure = bps_wp_get_root_folder();
$bps_plugin_dir = str_replace( ABSPATH, '', WP_PLUGIN_DIR );
$bps_root_upgrade = '';
$hostaddress = esc_html( @gethostbyaddr( $_SERVER['SERVER_ADDR'] ) );
$patterna = '/RedirectMatch\s403\s\/\\\.\.\*\$/';
//$pattern0 = '/ErrorDocument\s404\s(.*)\/404\.php\s*ErrorDocument\s410\s(.*)410\.php/s';
$pattern0 = '/#{1,}(\s|){1,}ErrorDocument\s405(.*)\/bulletproof-security\/405\.php/';
$pattern1 = '/#\sFORBID\sEMPTY\sREFFERER\sSPAMBOTS(.*)RewriteCond\s%{HTTP_USER_AGENT}\s\^\$\sRewriteRule\s\.\*\s\-\s\[F\]/s';
// Only match 2 or more identical duplicate referer lines: 1 will not match and 2, 3, 4... will match
$pattern2 = '/AnotherWebsite\.com\)\.\*\s*(RewriteCond\s%\{HTTP_REFERER\}\s\^\.\*'.$bps_get_domain_root.'\.\*\s*){2,}\s*RewriteRule\s\.\s\-\s\[S=1\]/s';
$pattern4 = '/\.\*\(allow_url_include\|allow_url_fopen\|safe_mode\|disable_functions\|auto_prepend_file\) \[NC,OR\]/s';
$pattern6 = '/(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d)/s';
$pattern7 = '/RewriteCond %{QUERY_STRING} \^\.\*(.*)[3](.*)[5](.*)[5](.*)[7](.*)\)/';
$pattern8 = '/\[NC\]\s*RewriteCond\s%{HTTP_REFERER}\s\^\.\*(.*)\.\*\s*(.*)\s*(.*)\s*(.*)\s*(.*)\s*(.*)\s*RewriteRule\s\.\s\-\s\[S=1\]/';
$pattern9 = '/RewriteCond\s%{QUERY_STRING}\s\(sp_executesql\)\s\[NC\]\s*(.*)\s*(.*)END\sBPSQSE(.*)\s*RewriteCond\s%{REQUEST_FILENAME}\s!-f\s*RewriteCond\s%{REQUEST_FILENAME}\s!-d\s*RewriteRule\s\.(.*)\/index\.php\s\[L\]\s*(.*)LOOP\sEND/';
$pattern10 = '/#\sBEGIN\sBPSQSE\sBPS\sQUERY\sSTRING\sEXPLOITS\s*#\sThe\slibwww-perl\sUser\sAgent\sis\sforbidden/';
$pattern10a = '/RewriteCond\s%\{THE_REQUEST\}\s(.*)\?(.*)\sHTTP\/\s\[NC,OR\]\s*RewriteCond\s%\{THE_REQUEST\}\s(.*)\*(.*)\sHTTP\/\s\[NC,OR\]/';
$pattern10b = '/RewriteCond\s%\{THE_REQUEST\}\s.*\?\+\(%20\{1,\}.*\s*RewriteCond\s%\{THE_REQUEST\}\s.*\+\(.*\*\|%2a.*\s\[NC,OR\]/';
$pattern10c = '/RewriteCond\s%\{THE_REQUEST\}\s\(\\\\?.*%2a\)\+\(%20\+\|\\\\s\+.*HTTP\(:\/.*\[NC,OR\]/';
$pattern11 = '/RewriteCond\s%\{QUERY_STRING\}\s\[a-zA-Z0-9_\]\=http:\/\/\s\[OR\]/';
$pattern12 = '/RewriteCond\s%\{QUERY_STRING\}\s\[a-zA-Z0-9_\]\=\(\\\.\\\.\/\/\?\)\+\s\[OR\]/';
$pattern13 = '/RewriteCond\s%\{QUERY_STRING\}\s\(\\\.\\\.\/\|\\\.\\\.\)\s\[OR\]/';
$pattern14 = '/RewriteCond\s%{QUERY_STRING}\s\(\\\.\/\|\\\.\.\/\|\\\.\.\.\/\)\+\(motd\|etc\|bin\)\s\[NC,OR\]/';
$pattern_amod = '/#\sDENY\sBROWSER\sACCESS\sTO\sTHESE\sFILES(.*\s*){6,8}'.__('BPS ', 'bulletproof-security').$bps_version.'
';
} elseif ( $HFiles_options['bps_htaccess_files'] != 'disabled' ) {
if ( ! get_option('bulletproof_security_options_wizard_free') ) {
$text = ''.__('BPS Setup Wizard Notification', 'bulletproof-security').'
'.esc_attr__('Click Here', 'bulletproof-security').''.__(' to go to the BPS Setup Wizard page and click the Setup Wizard button to setup the BPS plugin.', 'bulletproof-security').'
';
echo $text;
} else {
$text = ''.esc_attr__('Click Here', 'bulletproof-security').''.__(' to go to the BPS Setup Wizard page and click the Setup Wizard button to setup the BPS plugin.', 'bulletproof-security').'
'.__('BPS Alert! An htaccess file was NOT found in your WordPress root folder', 'bulletproof-security').'
'.__('If you have deleted the root htaccess file for troubleshooting purposes you can disregard this Alert.', 'bulletproof-security').'
'.__('Go to the ', 'bulletproof-security').''.esc_attr__('Security Modes page', 'bulletproof-security').''.__(' and click the Root Folder BulletProof Mode Activate button.', 'bulletproof-security').'
';
echo $text;
}
}
} else {
if ( file_exists($filename) ) {
switch ( $bps_version ) {
case $bps_last_version: // for testing
if ( strpos( $check_string, "BULLETPROOF $bps_last_version" ) && strpos( $check_string, "BPSQSE" ) ) {
print($section);
}
break;
case ! strpos( $check_string, "BULLETPROOF" ) && ! strpos( $check_string, "DEFAULT" ):
// Setup Wizard Notice
if ( ! get_option('bulletproof_security_options_wizard_free') ) {
$text = ''.__('If you have deleted the root htaccess file for troubleshooting purposes you can disregard this Alert.', 'bulletproof-security').'
'.__('Go to the ', 'bulletproof-security').''.esc_attr__('Security Modes page', 'bulletproof-security').''.__(' and click the Root Folder BulletProof Mode Activate button.', 'bulletproof-security').'
'.__('BPS Setup Wizard Notification', 'bulletproof-security').'
'.esc_attr__('Click Here', 'bulletproof-security').''.__(' to go to the BPS Setup Wizard page and click the Setup Wizard button to setup the BPS plugin.', 'bulletproof-security').'
';
echo $text;
} else {
global $current_user;
$user_id = $current_user->ID;
if ( ! get_user_meta($user_id, 'bps_ignore_root_version_check_notice') ) {
if ( esc_html($_SERVER['QUERY_STRING']) == '' && basename(esc_html($_SERVER['REQUEST_URI'])) != 'wp-admin' ) {
$bps_base = basename(esc_html($_SERVER['REQUEST_URI'])) . '?';
} elseif ( esc_html($_SERVER['QUERY_STRING']) == '' && basename(esc_html($_SERVER['REQUEST_URI'])) == 'wp-admin' ) {
$bps_base = basename( str_replace( 'wp-admin', 'index.php?', esc_html($_SERVER['REQUEST_URI'])));
} else {
$bps_base = str_replace( admin_url(), '', esc_html($_SERVER['REQUEST_URI']) ) . '&';
}
$text = ''.esc_attr__('Click Here', 'bulletproof-security').''.__(' to go to the BPS Setup Wizard page and click the Setup Wizard button to setup the BPS plugin.', 'bulletproof-security').'
'.__('BPS Alert! Your site may not be protected by BulletProof Security', 'bulletproof-security').'
'.__('The BPS version: BULLETPROOF x.x SECURE .HTACCESS line of code was not found at the top of your Root htaccess file.', 'bulletproof-security').'
'.__('The BPS version line of code MUST be at the very top of your Root htaccess file.', 'bulletproof-security').'
'.esc_attr__('Click Here', 'bulletproof-security').''.__(' to go to the BPS Setup Wizard page and click the Setup Wizard button to setup the BPS plugin again.', 'bulletproof-security').'
'.__('Important Note: If you manually added other htaccess code above the BPS version line of code in your root htaccess file, you can copy that code to BPS Root Custom Code so that your code is saved in the correct place in the BPS root htaccess file. ', 'bulletproof-security').'
'.esc_attr__('Click Here', 'bulletproof-security').''.__(' to go to the BPS Custom Code page, add your Root custom htaccess code in an appropriate Root Custom Code text box and click the Save Root Custom Code button before running the Setup Wizard again.', 'bulletproof-security').'
'.__('To Dismiss this Notice click the Dismiss Notice button below. To Reset Dismiss Notices click the Reset|Recheck Dismiss Notices button on the Custom Code page.', 'bulletproof-security').'
';
echo $text;
}
}
break;
case ! strpos( $check_string, "BULLETPROOF $bps_version" ) && strpos( $check_string, "BPSQSE" ):
// Update/Add/Save any New DB options/features on upgrade
bpsPro_new_feature_autoupdate();
// mod_authz_core forward/backward compatibility: create new htaccess files if needed
bpsPro_apache_mod_directive_check();
$Apache_Mod_options = get_option('bulletproof_security_options_apache_modules');
$BPSCustomCodeOptions = get_option('bulletproof_security_options_customcode');
// Recreate the User Agent filters in the 403.php file on BPS upgrade
bpsPro_autoupdate_useragent_filters();
if ( @substr($sapi_type, 0, 6) != 'apache' || @$permsHtaccess != '0666' || @$permsHtaccess != '0777') { // Windows IIS, XAMPP, etc
@chmod($filename, 0644);
}
$stringReplace = @file_get_contents($filename);
if ( preg_match($BPSVpattern, $stringReplace) ) {
$stringReplace = preg_replace($BPSVpattern, $BPSVreplace, $stringReplace);
} elseif ( preg_match($BPSVpattern2, $stringReplace) ) {
$stringReplace = preg_replace($BPSVpattern2, $BPSVreplace, $stringReplace);
} elseif ( preg_match($BPSVpattern3, $stringReplace) ) {
$stringReplace = preg_replace($BPSVpattern3, $BPSVreplace, $stringReplace);
}
$stringReplace = str_replace("RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]", "RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]", $stringReplace);
if ( preg_match($patterna, $stringReplace, $matches) ) {
$stringReplace = preg_replace('/#\sDENY\sACCESS\sTO\sPROTECTED\sSERVER\sFILES(.*)RedirectMatch\s403\s\/\\\.\.\*\$/s', "# DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS\n# Files and folders starting with a dot: .htaccess, .htpasswd, .errordocs, .logs\nRedirectMatch 403 \.(htaccess|htpasswd|errordocs|logs)$", $stringReplace);
}
// .53.1: Create new block of Error Logging and Tracking code & help text if Custom Code is blank & New ErrorDocument 405 code does not exist.
if ( $BPSCustomCodeOptions['bps_customcode_error_logging'] == '' && ! preg_match( $pattern0, $stringReplace, $matches ) ) {
$stringReplace = preg_replace('/#\sBPS\sERROR\sLOGGING\sAND\sTRACKING.*(ErrorDocument\s404(.*)\/404\.php|ErrorDocument\s410(.*)\/bulletproof-security\/410\.php)/s', "# BPS ERROR LOGGING AND TRACKING\n# Use BPS Custom Code to modify/edit/change this code and to save it permanently.\n# BPS has premade 400 Bad Request, 403 Forbidden, 404 Not Found, 405 Method Not Allowed and\n# 410 Gone template logging files that are used to track and log 400, 403, 404, 405 and 410 errors\n# that occur on your website. When a hacker attempts to hack your website the hackers IP address,\n# Host name, Request Method, Referering link, the file name or requested resource, the user agent\n# of the hacker and the query string used in the hack attempt are logged.\n# All BPS log files are htaccess protected so that only you can view them.\n# The 400.php, 403.php, 404.php, 405.php and 410.php files are located in /$bps_plugin_dir/bulletproof-security/\n# The 400, 403, 405 and 410 Error logging files are already set up and will automatically start logging errors\n# after you install BPS and have activated BulletProof Mode for your Root folder.\n# If you would like to log 404 errors you will need to copy the logging code in the BPS 404.php file\n# to your Theme's 404.php template file. Simple instructions are included in the BPS 404.php file.\n# You can open the BPS 404.php file using the WP Plugins Editor or manually editing the file.\n# NOTE: By default WordPress automatically looks in your Theme's folder for a 404.php Theme template file.\n\nErrorDocument 400 $bps_get_wp_root_secure"."$bps_plugin_dir/bulletproof-security/400.php\nErrorDocument 401 default\nErrorDocument 403 $bps_get_wp_root_secure"."$bps_plugin_dir/bulletproof-security/403.php\nErrorDocument 404 $bps_get_wp_root_secure"."404.php\nErrorDocument 405 $bps_get_wp_root_secure"."$bps_plugin_dir/bulletproof-security/405.php\nErrorDocument 410 $bps_get_wp_root_secure"."$bps_plugin_dir/bulletproof-security/410.php", $stringReplace);
}
// .53: Create new block of Request Methods Filtered code & help text.
// .53.1: Old RMF Code exists: Conditional host check added to create either R=405 for Go Daddy or dumbed down code for all other hosts.
// 3.9: removing this RMF cleanup code. Only dumbed down RMF code is created now.
/*
if ( preg_match( $pattern18, $stringReplace, $matches ) && preg_match( '/secureserver\.net/', $hostaddress, $matches ) ) {
$stringReplace = preg_replace( $pattern18, "# REQUEST METHODS FILTERED\n# If you want to allow HEAD Requests use BPS Custom Code and copy\n# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code\n# text box: CUSTOM CODE REQUEST METHODS FILTERED.\n# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.\nRewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]\nRewriteRule ^(.*)$ - [F]\nRewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]\nRewriteRule ^(.*)$ - [R=405,L]", $stringReplace);
} elseif ( preg_match( $pattern18, $stringReplace, $matches ) && ! preg_match( '/secureserver\.net/', $hostaddress, $matches ) ) {
$stringReplace = preg_replace( $pattern18, "# REQUEST METHODS FILTERED\n# If you want to allow HEAD Requests use BPS Custom Code and copy\n# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code\n# text box: CUSTOM CODE REQUEST METHODS FILTERED.\n# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.\nRewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]\nRewriteRule ^(.*)$ - [F]\nRewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]\nRewriteRule ^(.*)$ " . $bps_get_wp_root_secure . $bps_plugin_dir . "/bulletproof-security/405.php [L]", $stringReplace);
}
// .53.1: New RMF R=405 Code exists: Replace the R=405 code if the host is Not Go Daddy & the R=405 code does not exist in Custom Code.
if ( preg_match( $pattern19, $stringReplace, $matches ) && ! preg_match( '/secureserver\.net/', $hostaddress ) && ! preg_match( '/R=405/', $BPSCustomCodeOptions['bps_customcode_request_methods'] ) ) {
$stringReplace = preg_replace( $pattern19, "RewriteRule ^(.*)$ " . $bps_get_wp_root_secure . $bps_plugin_dir . "/bulletproof-security/405.php [L]", $stringReplace);
}
// 2.0: Add R to the dumb downed Request Methods Filtered 405 htaccess code in the Root htaccess file.
// 2.3: Reverted: Remove R due to duplicate security log entries
if ( preg_match( $pattern20, $stringReplace, $matches ) ) {
$stringReplace = preg_replace( $pattern20, "RewriteRule ^(.*)$ " . $bps_get_wp_root_secure . $bps_plugin_dir . "/bulletproof-security/405.php [L]", $stringReplace);
}
*/
// 2.0: Add additional https scheme conditions to 3 htaccess security rules and combine 2 rules into 1 rule.
if ( preg_match( $pattern21, $stringReplace, $matches ) ) {
$stringReplace = preg_replace( $pattern21, "RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\\\\s+|%20+\\\\\s+|\\\\\s+%20+|\\\\\s+%20+\\\\\s+)(http|https)(:/|/) [NC,OR]", $stringReplace);
}
if ( preg_match( $pattern22, $stringReplace, $matches ) ) {
$stringReplace = preg_replace( $pattern22, "RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]", $stringReplace);
}
if ( preg_match( $pattern23, $stringReplace, $matches ) ) {
$stringReplace = preg_replace( $pattern23, "RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]", $stringReplace);
}
if ( preg_match( $pattern24, $stringReplace, $matches ) ) {
$stringReplace = preg_replace( $pattern24, "RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]", $stringReplace);
}
if ( preg_match($pattern1, $stringReplace, $matches) ) {
$stringReplace = preg_replace('/#\sFORBID\sEMPTY\sREFFERER\sSPAMBOTS(.*)RewriteCond\s%{HTTP_USER_AGENT}\s\^\$\sRewriteRule\s\.\*\s\-\s\[F\]/s', '', $stringReplace);
}
if ( preg_match($pattern2, $stringReplace, $matches) ) {
$stringReplace = preg_replace('/AnotherWebsite\.com\)\.\*\s*(RewriteCond\s%\{HTTP_REFERER\}\s\^\.\*'.$bps_get_domain_root.'\.\*\s*){2,}\s*RewriteRule\s\.\s\-\s\[S=1\]/s', "AnotherWebsite.com).*\nRewriteCond %{HTTP_REFERER} ^.*$bps_get_domain_root.*\nRewriteRule . - [S=1]", $stringReplace);
}
if ( ! preg_match($pattern10, $stringReplace, $matches) ) {
$stringReplace = preg_replace('/#\sBPSQSE\sBPS\sQUERY\sSTRING\sEXPLOITS\s*#\sThe\slibwww-perl\sUser\sAgent\sis\sforbidden/', "# BEGIN BPSQSE BPS QUERY STRING EXPLOITS\n# The libwww-perl User Agent is forbidden", $stringReplace);
}
if ( preg_match($pattern10a, $stringReplace, $matches) ) {
$stringReplace = preg_replace( $pattern10a, "RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\\\\s+|%20+\\\\\s+|\\\\\s+%20+|\\\\\s+%20+\\\\\s+)HTTP(:/|/) [NC,OR]", $stringReplace);
}
if ( preg_match($pattern10b, $stringReplace, $matches) ) {
$stringReplace = preg_replace( $pattern10b, "RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\\\\s+|%20+\\\\\s+|\\\\\s+%20+|\\\\\s+%20+\\\\\s+)HTTP(:/|/) [NC,OR]", $stringReplace);
}
if ( preg_match($pattern10c, $stringReplace, $matches) ) {
$stringReplace = preg_replace( $pattern10c, "RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\\\\s+|%20+\\\\\s+|\\\\\s+%20+|\\\\\s+%20+\\\\\s+)HTTP(:/|/) [NC,OR]", $stringReplace);
}
if ( preg_match($pattern11, $stringReplace, $matches) ) {
$stringReplace = preg_replace('/RewriteCond\s%\{QUERY_STRING\}\s\[a-zA-Z0-9_\]\=http:\/\/\s\[OR\]/s', "RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [NC,OR]", $stringReplace);
}
if ( preg_match($pattern12, $stringReplace, $matches) ) {
$stringReplace = preg_replace('/RewriteCond\s%\{QUERY_STRING\}\s\[a-zA-Z0-9_\]\=\(\\\.\\\.\/\/\?\)\+\s\[OR\]/s', "RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]", $stringReplace);
}
if ( preg_match($pattern13, $stringReplace, $matches) ) {
$stringReplace = preg_replace('/RewriteCond\s%\{QUERY_STRING\}\s\(\\\.\\\.\/\|\\\.\\\.\)\s\[OR\]/s', "RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]", $stringReplace);
}
if ( preg_match($pattern6, $stringReplace, $matches)) {
$stringReplace = str_replace("RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).* [NC,OR]", "RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]", $stringReplace);
$stringReplace = str_replace("RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x5b|\x5d|\x7f).* [NC,OR]", "RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]", $stringReplace);
}
if ( preg_match($pattern7, $stringReplace, $matches)) {
$stringReplace = preg_replace('/RewriteCond %{QUERY_STRING} \^\.\*(.*)[5](.*)[5](.*)\)/', 'RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f)', $stringReplace);
}
if ( preg_match($pattern14, $stringReplace, $matches) ) {
$stringReplace = preg_replace('/RewriteCond\s%{QUERY_STRING}\s\(\\\.\/\|\\\.\.\/\|\\\.\.\.\/\)\+\(motd\|etc\|bin\)\s\[NC,OR\]/s', "RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]", $stringReplace);
}
if ( ! preg_match($pattern4, $stringReplace, $matches) ) {
$stringReplace = str_replace("RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]", "RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]\nRewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]", $stringReplace);
}
if ( ! is_multisite() && ! preg_match($pattern9, $stringReplace, $matches) ) {
$stringReplace = preg_replace('/RewriteCond\s%{QUERY_STRING}\s\(sp_executesql\)\s\[NC\]\s*(.*)\s*RewriteCond\s%{REQUEST_FILENAME}\s!-f\s*RewriteCond\s%{REQUEST_FILENAME}\s!-d\s*RewriteRule\s\.(.*)\/index\.php\s\[L\]/', "RewriteCond %{QUERY_STRING} (sp_executesql) [NC]\nRewriteRule ^(.*)$ - [F,L]\n# END BPSQSE BPS QUERY STRING EXPLOITS\nRewriteCond %{REQUEST_FILENAME} !-f\nRewriteCond %{REQUEST_FILENAME} !-d\nRewriteRule . ".$bps_get_wp_root_secure."index.php [L]\n# WP REWRITE LOOP END", $stringReplace);
}
if ( preg_match( $pattern_amod, $stringReplace, $matches ) && $BPSCustomCodeOptions['bps_customcode_deny_files'] == '' && $Apache_Mod_options['bps_apache_mod_ifmodule'] == 'Yes' ) {
$stringReplace = preg_replace( $pattern_amod, "# DENY BROWSER ACCESS TO THESE FILES\n# Use BPS Custom Code to modify/edit/change this code and to save it permanently.\n# wp-config.php, bb-config.php, php.ini, php5.ini, readme.html\n# To be able to view these files from a Browser, replace 127.0.0.1 with your actual\n# current IP address. Comment out: #Require all denied and Uncomment: Require ip 127.0.0.1\n# Comment out: #Deny from all and Uncomment: Allow from 127.0.0.1\n# Note: The BPS System Info page displays which modules are loaded on your server.\n\n'.__('The BPS version: BULLETPROOF x.x SECURE .HTACCESS line of code was not found at the top of your Root htaccess file.', 'bulletproof-security').'
'.__('The BPS version line of code MUST be at the very top of your Root htaccess file.', 'bulletproof-security').'
'.esc_attr__('Click Here', 'bulletproof-security').''.__(' to go to the BPS Setup Wizard page and click the Setup Wizard button to setup the BPS plugin again.', 'bulletproof-security').'
'.__('Important Note: If you manually added other htaccess code above the BPS version line of code in your root htaccess file, you can copy that code to BPS Root Custom Code so that your code is saved in the correct place in the BPS root htaccess file. ', 'bulletproof-security').'
'.esc_attr__('Click Here', 'bulletproof-security').''.__(' to go to the BPS Custom Code page, add your Root custom htaccess code in an appropriate Root Custom Code text box and click the Save Root Custom Code button before running the Setup Wizard again.', 'bulletproof-security').'
'.__('To Dismiss this Notice click the Dismiss Notice button below. To Reset Dismiss Notices click the Reset|Recheck Dismiss Notices button on the Custom Code page.', 'bulletproof-security').'
'.__("The BPS Automatic htaccess File Update Completed Successfully!", 'bulletproof-security').'
';
print($updateText);
}
} // end up upgrade processing
break;
case strpos( $check_string, "BULLETPROOF $bps_version" ) && strpos( $check_string, "BPSQSE" ):
$bps_status_display = get_option('bulletproof_security_options_status_display');
if ( $bps_status_display['bps_status_display'] != 'Off' ) {
if ( preg_match( '/page=bulletproof-security/', esc_html($_SERVER['REQUEST_URI']), $matches ) ) {
$RBM = $aitpro_bullet . ''.__('RBM', 'bulletproof-security').': '.__('On', 'bulletproof-security').'';
$RBM_str = str_replace( "BULLETPROOF $bps_version SECURE .HTACCESS", "BPS $bps_version", $section );
echo ''.$RBM_str.''.$RBM.'
';
}
}
break;
default:
if ( $bps_root_upgrade != 'upgrade' ) {
$text = ''.__('BPS Alert! Your site does not appear to be protected by BulletProof Security', 'bulletproof-security').'
'.__('Go to the ', 'bulletproof-security').''.esc_attr__('Security Modes page', 'bulletproof-security').''.__(' and click the Root Folder BulletProof Mode Activate button.', 'bulletproof-security').'
';
echo $text;
}
}
}
}
}
}
}
// 3.7: Changed the BPS version check in the root htaccess file to a Dismiss Notice
add_action('admin_init', 'bps_root_version_check_nag_ignore');
function bps_root_version_check_nag_ignore() {
global $current_user;
$user_id = $current_user->ID;
if ( isset($_GET['bps_root_version_check_nag_ignore']) && '0' == $_GET['bps_root_version_check_nag_ignore'] ) {
add_user_meta($user_id, 'bps_ignore_root_version_check_notice', 'true', true);
}
}
// BPS Update/Upgrade Status Alert in WP Dashboard|Status Display in BPS pages only
function bps_wpadmin_htaccess_status_dashboard() {
if ( current_user_can('manage_options') ) {
global $bps_version, $bps_last_version, $aitpro_bullet;
if ( esc_html($_SERVER['REQUEST_METHOD']) != 'POST' && esc_html($_SERVER['QUERY_STRING']) != 'page=bulletproof-security/admin/system-info/system-info.php' ) {
$BPS_wpadmin_Options = get_option('bulletproof_security_options_htaccess_res');
$GDMW_options = get_option('bulletproof_security_options_GDMW');
if ( $BPS_wpadmin_Options['bps_wpadmin_restriction'] == 'disabled' || $GDMW_options['bps_gdmw_hosting'] == 'yes' ) {
return;
}
$HFiles_options = get_option('bulletproof_security_options_htaccess_files');
$filename = ABSPATH . 'wp-admin/.htaccess';
if ( file_exists($filename) ) {
$permsHtaccess = @substr(sprintf('%o', fileperms($filename)), -4);
$check_string = @file_get_contents($filename);
$section = @file_get_contents($filename, NULL, NULL, 3, 46);
$bps_wpadmin_upgrade = '';
$pattern10a = '/RewriteCond\s%\{THE_REQUEST\}\s(.*)\?(.*)\sHTTP\/\s\[NC,OR\]\s*RewriteCond\s%\{THE_REQUEST\}\s(.*)\*(.*)\sHTTP\/\s\[NC,OR\]/';
$pattern10b = '/RewriteCond\s%\{THE_REQUEST\}\s.*\?\+\(%20\{1,\}.*\s*RewriteCond\s%\{THE_REQUEST\}\s.*\+\(.*\*\|%2a.*\s\[NC,OR\]/';
$pattern10c = '/RewriteCond\s%\{THE_REQUEST\}\s\(\\\\?.*%2a\)\+\(%20\+\|\\\\s\+.*HTTP\(:\/.*\[NC,OR\]/';
$pattern1 = '/(\[|\]|\(|\)|<|>)/s';
$pattern_amod = '/#\sWPADMIN\sDENY\sBROWSER\sACCESS\sTO\sFILES(.*\s*){13,16}#\sEND\sBPS\sWPADMIN\sDENY\sACCESS\sTO\sFILES/';
$pattern21 = '/RewriteCond\s%\{THE_REQUEST\}\s\(\\\?.*%2a\)\+\(%20.*HTTP\(:\/.*\[NC,OR\]/';
$pattern22 = '/RewriteCond\s%\{QUERY_STRING\}\s\[a-zA-Z0-9_\]=http:\/\/\s\[NC,OR\]/';
$pattern23 = '/RewriteCond\s%\{QUERY_STRING\}\s\^\(\.\*\)cPath=http:\/\/\(\.\*\)\$\s\[NC,OR\]/';
$pattern24 = '/RewriteCond\s%\{QUERY_STRING\}\shttp\\\:\s\[NC,OR\](.*\s*){1}.*RewriteCond\s%\{QUERY_STRING\}\shttps\\\:\s\[NC,OR\]/';
$pattern25 = '/#\sREQUEST\sMETHODS\sFILTERED(.*\s*){1}RewriteEngine\sOn(.*\s*){1}RewriteCond(.*\s*){1}RewriteRule\s\^\(\.\*\)\$\s\-\s\[F\]/';
$BPSVpattern = '/BULLETPROOF\s\.[\d](.*)WP-ADMIN/';
$BPSVpattern2 = '/BULLETPROOF\s[\d]\.[\d]\sWP-ADMIN/';
$BPSVreplace = "BULLETPROOF $bps_version WP-ADMIN";
}
if ( ! file_exists($filename) && $HFiles_options['bps_htaccess_files'] != 'disabled' ) {
if ( get_option('bulletproof_security_options_wizard_free') ) {
$text = ''.__('Go to the ', 'bulletproof-security').''.esc_attr__('Security Modes page', 'bulletproof-security').''.__(' and click the Root Folder BulletProof Mode Activate button.', 'bulletproof-security').'
'.__('BPS Alert! An htaccess file was NOT found in your WordPress wp-admin folder', 'bulletproof-security').'
'.__('If you have deleted the wp-admin htaccess file for troubleshooting purposes you can disregard this Alert.', 'bulletproof-security').'
'.__('Go to the ', 'bulletproof-security').''.esc_attr__('Security Modes page', 'bulletproof-security').''.__(' and click the wp-admin Folder BulletProof Mode Activate button.', 'bulletproof-security').'
';
echo $text;
}
} else {
if ( file_exists($filename) ) {
switch ( $bps_version ) {
case $bps_last_version: // for Testing
if ( strpos( $check_string, "BULLETPROOF $bps_last_version" ) && strpos( $check_string, "BPSQSE-check" ) ) {
// echo or print for testing
}
break;
case ! strpos( $check_string, "BULLETPROOF" ):
// Setup Wizard Notice: not displayed. The Setup Wizard DB option is automatically saved in the root htaccess funcion on BPS plugin upgrades.
if ( ! get_option('bulletproof_security_options_wizard_free') ) {
// display nothing. Notice is already displayed in the root htaccess function.
} else {
$text = ''.__('If you have deleted the wp-admin htaccess file for troubleshooting purposes you can disregard this Alert.', 'bulletproof-security').'
'.__('Go to the ', 'bulletproof-security').''.esc_attr__('Security Modes page', 'bulletproof-security').''.__(' and click the wp-admin Folder BulletProof Mode Activate button.', 'bulletproof-security').'
'.__('BPS Alert! Your wp-admin folder may not be protected by BulletProof Security', 'bulletproof-security').'
'.__('The BPS version: BULLETPROOF .xx.x WP-ADMIN SECURE .HTACCESS line of code was not found at the top of your wp-admin htaccess file.', 'bulletproof-security').'
'.__('The BPS version line of code MUST be at the very top of your wp-admin htaccess file.', 'bulletproof-security').'
'.esc_attr__('Click Here', 'bulletproof-security').''.__(' to go to the BPS Setup Wizard page and click the Setup Wizard button to setup the BPS plugin again.', 'bulletproof-security').'
'.__('Important Note: If you manually added other htaccess code above the BPS version line of code in your wp-admin htaccess file, you can copy that code to BPS wp-admin Custom Code so that your code is saved in the correct place in the BPS wp-admin htaccess file. ', 'bulletproof-security').'
'.esc_attr__('Click Here', 'bulletproof-security').''.__(' to go to the BPS Custom Code page, add your wp-admin custom htaccess code in an appropriate wp-admin Custom Code text box and click the Save wp-admin Custom Code button before running the Setup Wizard again.', 'bulletproof-security').'
';
echo $text;
}
break;
case ! strpos( $check_string, "BULLETPROOF $bps_version" ) && strpos( $check_string, "BPSQSE-check" ):
// mod_authz_core forward/backward compatibility: create new htaccess files if needed
bpsPro_apache_mod_directive_check();
$CC_Options_wpadmin = get_option('bulletproof_security_options_customcode_WPA');
$Apache_Mod_options = get_option('bulletproof_security_options_apache_modules');
if ( @substr($sapi_type, 0, 6) != 'apache' || @$permsHtaccess != '0666' || @$permsHtaccess != '0777') { // Windows IIS, XAMPP, etc
@chmod($filename, 0644);
}
$stringReplace = @file_get_contents($filename);
if ( preg_match($BPSVpattern, $stringReplace) ) {
$stringReplace = preg_replace($BPSVpattern, $BPSVreplace, $stringReplace);
} elseif ( preg_match($BPSVpattern2, $stringReplace) ) {
$stringReplace = preg_replace($BPSVpattern2, $BPSVreplace, $stringReplace);
}
if ( preg_match( $pattern_amod, $stringReplace, $matches ) && $CC_Options_wpadmin['bps_customcode_deny_files_wpa'] == '' && $Apache_Mod_options['bps_apache_mod_ifmodule'] == 'Yes' ) {
$stringReplace = preg_replace( $pattern_amod, "# WPADMIN DENY BROWSER ACCESS TO FILES\n# Deny Browser access to /wp-admin/install.php\n# Use BPS Custom Code to modify/edit/change this code and to save it permanently.\n# To be able to view the install.php file from a Browser, replace 127.0.0.1 with your actual\n# current IP address. Comment out: #Require all denied and Uncomment: Require ip 127.0.0.1\n# Comment out: #Deny from all and Uncomment: Allow from 127.0.0.1\n# Note: The BPS System Info page displays which modules are loaded on your server.\n\n# BEGIN BPS WPADMIN DENY ACCESS TO FILES\n'.__('The BPS version: BULLETPROOF .xx.x WP-ADMIN SECURE .HTACCESS line of code was not found at the top of your wp-admin htaccess file.', 'bulletproof-security').'
'.__('The BPS version line of code MUST be at the very top of your wp-admin htaccess file.', 'bulletproof-security').'
'.esc_attr__('Click Here', 'bulletproof-security').''.__(' to go to the BPS Setup Wizard page and click the Setup Wizard button to setup the BPS plugin again.', 'bulletproof-security').'
'.__('Important Note: If you manually added other htaccess code above the BPS version line of code in your wp-admin htaccess file, you can copy that code to BPS wp-admin Custom Code so that your code is saved in the correct place in the BPS wp-admin htaccess file. ', 'bulletproof-security').'
'.esc_attr__('Click Here', 'bulletproof-security').''.__(' to go to the BPS Custom Code page, add your wp-admin custom htaccess code in an appropriate wp-admin Custom Code text box and click the Save wp-admin Custom Code button before running the Setup Wizard again.', 'bulletproof-security').'
'.$WBM_str.'
';
}
}
break;
default:
if ( $bps_wpadmin_upgrade != 'upgrade' ) {
$text = ''.__('BPS Alert! A valid BPS htaccess file was NOT found in your wp-admin folder', 'bulletproof-security').'
'.__('BulletProof Mode for the wp-admin folder should also be activated when you have BulletProof Mode activated for the Root folder.', 'bulletproof-security').'
';
echo $text;
}
}
}
}
}
}
}
// MScan Status display BPS pages only
// Displays the question mark hover icon if a scan has not been run or the Delete Scan Status Tool has been used.
// Displays last scan timestamp when scheduled scans are Off > MSCAN: August 3, 2017 8:45 am
// BPS Pro only (code removed): Displays next scheduled cron job when scheduled scan frequency is used > MSCAN: On : 60 Min : 9:30 am
function bpsProMScanStatus() {
if ( current_user_can('manage_options') ) {
global $aitpro_bullet;
if ( esc_html($_SERVER['REQUEST_METHOD']) != 'POST' && esc_html($_SERVER['QUERY_STRING']) != 'page=bulletproof-security/admin/system-info/system-info.php' ) {
$bps_status_display = get_option('bulletproof_security_options_status_display');
if ( $bps_status_display['bps_status_display'] == 'Off' ) {
return;
}
if ( $bps_status_display['bps_status_display'] != 'Off' && preg_match( '/page=bulletproof-security/', esc_html($_SERVER['REQUEST_URI']), $matches ) ) {
// New BPS installation - do not display status
if ( ! get_option('bulletproof_security_options_wizard_free') ) {
return;
}
$MScan_status = get_option('bulletproof_security_options_MScan_status');
?>
'.__('BulletProof Mode for the wp-admin folder should also be activated when you have BulletProof Mode activated for the Root folder.', 'bulletproof-security').'
.')
An MScan scan has not been run yet or the MScan Delete Scan Status Tool has been used to delete MScan Status values, which deletes the last MScan scan Timestamp for the last scan that was run.