From 80fb6cd4522bab2838ac2e333ddbce62b099c921 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20G=C3=BCnther?= Date: Wed, 21 Feb 2024 21:31:00 +0100 Subject: [PATCH] =?UTF-8?q?Security=20Settings:=20=20xmlrpc=20deaktivieren?= =?UTF-8?q?=20=20Autorenscan=20deaktivieren=20=20Scripting=20in=20/wp-cont?= =?UTF-8?q?ent/uploads/=20deaktivieren=20=20Zugriff=20auf=20potenziell=20s?= =?UTF-8?q?ensible=20Dateien=20blockieren=20=20Dateieditor=20im=20WP=20Das?= =?UTF-8?q?hboard=20deaktivieren=20=20Skriptverkettung=20deaktivieren=20?= =?UTF-8?q?=20Skriptausf=C3=BChrung=20im=20Include-Verzeichnis=20deaktivie?= =?UTF-8?q?ren=20=20Zugriff=20von=20ungewollten=20Bots=20verbieten=20=20Au?= =?UTF-8?q?flistung=20von=20Verzeichnissen=20deaktivieren=20=20Debug-Ausga?= =?UTF-8?q?ben=20deaktivieren=20=20Login-URL=20=C3=A4ndern?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- assets/wordpress-bdp.css | 208 +++++------------- bdp-kompass.php | 176 +-------------- core/VersionChecker.php | 0 core/fileloader.php | 14 -- core/filters.php | 0 includes/FileAccess.class.php | 56 +++++ includes/WpConfigEditor.class.php | 82 +++++++ includes/environment.php | 7 + includes/filters.php | 45 ++++ {core => includes}/frontend-functions.php | 10 +- includes/pre_requires.php | 5 + includes/setup.php | 36 +++ includes/update.class.php | 152 +++++++++++++ lang/bdp-kompass_de_DE.mo | Bin 0 -> 11120 bytes lang/bdp-kompass_de_DE.po | 111 ++++++++++ modules/security/classes/Security.class.php | 86 +++++++- modules/security/includes/settings_reader.php | 79 +++++++ modules/security/includes/settings_writer.php | 160 ++++++++++++++ modules/security/internal/botlist-tab.php | 22 ++ modules/security/internal/index.php | 19 +- modules/security/internal/site-health-tab.php | 118 ++++++++++ modules/security/security.php | 46 +++- 22 files changed, 1062 insertions(+), 370 deletions(-) delete mode 100644 core/VersionChecker.php delete mode 100644 core/fileloader.php delete mode 100644 core/filters.php create mode 100644 includes/FileAccess.class.php create mode 100644 includes/WpConfigEditor.class.php create mode 100644 includes/environment.php create mode 100644 includes/filters.php rename {core => includes}/frontend-functions.php (92%) create mode 100644 includes/pre_requires.php create mode 100644 includes/setup.php create mode 100644 includes/update.class.php create mode 100644 lang/bdp-kompass_de_DE.mo create mode 100644 lang/bdp-kompass_de_DE.po create mode 100644 modules/security/includes/settings_reader.php create mode 100644 modules/security/includes/settings_writer.php create mode 100644 modules/security/internal/botlist-tab.php create mode 100644 modules/security/internal/site-health-tab.php diff --git a/assets/wordpress-bdp.css b/assets/wordpress-bdp.css index cd7e056..4951607 100644 --- a/assets/wordpress-bdp.css +++ b/assets/wordpress-bdp.css @@ -21,6 +21,7 @@ body { color: #1d4899 !important; font-weight: bold !important; margin-left: 30px !important; + border-color: #f0f0f0; } @@ -54,7 +55,7 @@ body { #adminmenu div.wp-menu-image:before { - color: #f1f3f3; + color: rgba(29, 72, 153, 0.75); } #adminmenu a:hover, @@ -62,6 +63,8 @@ body { #adminmenu li.opensub > a.menu-top, #adminmenu li > a.menu-top:focus { color: #1d4899; + border-color: #f0f0f0; + font-weight: bold; background: linear-gradient(to right, #efefef, rgba(255, 203, 4, 0.45)); border-radius: 10px; @@ -74,12 +77,16 @@ body { font-weight: bold; background: linear-gradient(to right, #efefef, rgba(255, 203, 4, 0.45)); border-radius: 10px; - border-width: 0;} + border-width: 0; + border-color: #f0f0f0; + +} /* Active tabs use a bottom border color that matches the page background color. */ .about-wrap .nav-tab-active, .nav-tab-active, .nav-tab-active:hover { + border-style: none; background-color: #fff; border-bottom-color: #fff; } @@ -135,6 +142,7 @@ body { #adminmenu .wp-has-current-submenu.opensub .wp-submenu li.current a:hover, #adminmenu .wp-has-current-submenu.opensub .wp-submenu li.current a:focus { color: #e0e0e0; + border-style: none; } ul#adminmenu a.wp-has-current-submenu:after, @@ -163,10 +171,19 @@ ul#adminmenu > li.current > a.current:after { color: #f2fcff; } +.wp-menu-open .wp-submenu { + display: block; +} .wp-menu-open .wp-submenu li { padding-left: 30px !important; color: #1d4899 !important; font-weight: bold; + border-color: #f0f0f0; + +} + +.wp-submenu { + display: none; } /* Admin Menu: bubble */ @@ -180,8 +197,7 @@ ul#adminmenu > li.current > a.current:after { #adminmenu li a.wp-has-current-submenu .update-plugins, #adminmenu li:hover a .awaiting-mod, #adminmenu li.menu-top:hover > a .update-plugins { - color: #f2fcff; - background: #627c83; + #color: #f2fcff; } /* Admin Menu: collapse button */ @@ -191,6 +207,8 @@ ul#adminmenu > li.current > a.current:after { font-weight: bold; border-radius: 10px; border-width: 0; + border-color: #f0f0f0; + } #collapse-button:hover, @@ -201,7 +219,7 @@ ul#adminmenu > li.current > a.current:after { /* Admin Bar */ #wpadminbar { color: #f2fcff; - background: #738e96; + background: rgba(29, 72, 153, 0.7); } #wpadminbar .ab-item, @@ -223,14 +241,14 @@ ul#adminmenu > li.current > a.current:after { #wpadminbar.nojq .quicklinks .ab-top-menu > li > .ab-item:focus, #wpadminbar.nojs .ab-top-menu > li.menupop:hover > .ab-item, #wpadminbar .ab-top-menu > li.menupop.hover > .ab-item { - color: #9ebaa0; - background: #627c83; + color: #f2fcff; + background: rgba(29, 72, 153, 0.7); } #wpadminbar:not(.mobile) > #wp-toolbar li:hover span.ab-label, #wpadminbar:not(.mobile) > #wp-toolbar li.hover span.ab-label, #wpadminbar:not(.mobile) > #wp-toolbar a:focus span.ab-label { - color: #9ebaa0; + color: #ffffff; } #wpadminbar:not(.mobile) li:hover .ab-icon:before, @@ -242,7 +260,7 @@ ul#adminmenu > li.current > a.current:after { /* Admin Bar: submenu */ #wpadminbar .menupop .ab-sub-wrapper { - background: #627c83; + background: rgba(29, 72, 153, 0.78); } #wpadminbar .quicklinks .menupop ul.ab-sub-secondary, @@ -280,7 +298,7 @@ ul#adminmenu > li.current > a.current:after { #wpadminbar li.hover .ab-item:before, #wpadminbar li:hover #adminbarsearch:before, #wpadminbar li #adminbarsearch.adminbar-focused:before { - color: #9ebaa0; + color: #ffffff; } #wpadminbar .quicklinks li a:hover .blavatar, @@ -289,7 +307,7 @@ ul#adminmenu > li.current > a.current:after { #wpadminbar .menupop .menupop > .ab-item:hover:before, #wpadminbar.mobile .quicklinks .ab-icon:before, #wpadminbar.mobile .quicklinks .ab-item:before { - color: #9ebaa0; + color: #ffffff; } #wpadminbar.mobile .quicklinks .hover .ab-icon:before, @@ -302,156 +320,34 @@ ul#adminmenu > li.current > a.current:after { color: #f1f3f3; } -#wpadminbar > #wp-toolbar > #wp-admin-bar-top-secondary > #wp-admin-bar-search #adminbarsearch input.adminbar-input:focus { - color: #f2fcff; - background: #879ea5; +.button { + background: rgba(29, 72, 153, 0.62) !important; + color: #ffffff !important; + border-color: #071e4d; + box-shadow: 5px 5px 10px #d0d0d0; } -/* Admin Bar: recovery mode */ -#wpadminbar #wp-admin-bar-recovery-mode { - color: #f2fcff; - background-color: #aa9d88; + +.bdp_setting_box { + width: 100%; + background-color: #ffffff; + padding: 15px; + border-style: solid; + border-width: 1px; + border-top-width: 0 !important; + border-color: #1d94cf; } -#wpadminbar #wp-admin-bar-recovery-mode .ab-item, -#wpadminbar #wp-admin-bar-recovery-mode a.ab-item { - color: #f2fcff; +.bdp_setting_box:first-of-type { + border-top-width: 1px !important; } -#wpadminbar .ab-top-menu > #wp-admin-bar-recovery-mode.hover > .ab-item, -#wpadminbar.nojq .quicklinks .ab-top-menu > #wp-admin-bar-recovery-mode > .ab-item:focus, -#wpadminbar:not(.mobile) .ab-top-menu > #wp-admin-bar-recovery-mode:hover > .ab-item, -#wpadminbar:not(.mobile) .ab-top-menu > #wp-admin-bar-recovery-mode > .ab-item:focus { - color: #f2fcff; - background-color: #998d7a; +.bdp_setting_box label { + cursor: pointer; } -/* Admin Bar: my account */ -#wpadminbar .quicklinks li#wp-admin-bar-my-account.with-avatar > a img { - border-color: #879ea5; - background-color: #ff0000; - width: 250px; -} - -#wpadminbar #wp-admin-bar-user-info .display-name { - color: #f2fcff; -} - -#wpadminbar #wp-admin-bar-user-info a:hover .display-name { - color: #9ebaa0; -} - -#wpadminbar #wp-admin-bar-user-info .username { - color: #ccdbe0; -} - -/* Pointers */ -.wp-pointer .wp-pointer-content h3 { - background-color: #9ebaa0; - border-color: #8faf91; -} - -.wp-pointer .wp-pointer-content h3:before { - color: #9ebaa0; -} - -.wp-pointer.wp-pointer-top .wp-pointer-arrow, -.wp-pointer.wp-pointer-top .wp-pointer-arrow-inner, -.wp-pointer.wp-pointer-undefined .wp-pointer-arrow, -.wp-pointer.wp-pointer-undefined .wp-pointer-arrow-inner { - border-bottom-color: #9ebaa0; -} - -/* Media */ -.media-item .bar, -.media-progress-bar div { - background-color: #9ebaa0; -} - -.details.attachment { - box-shadow: inset 0 0 0 3px #fff, inset 0 0 0 7px #9ebaa0; -} - -.attachment.details .check { - background-color: #9ebaa0; - box-shadow: 0 0 0 1px #fff, 0 0 0 2px #9ebaa0; -} - -.media-selection .attachment.selection.details .thumbnail { - box-shadow: 0 0 0 1px #fff, 0 0 0 3px #9ebaa0; -} - -/* Themes */ -.theme-browser .theme.active .theme-name, -.theme-browser .theme.add-new-theme a:hover:after, -.theme-browser .theme.add-new-theme a:focus:after { - background: #9ebaa0; -} - -.theme-browser .theme.add-new-theme a:hover span:after, -.theme-browser .theme.add-new-theme a:focus span:after { - color: #9ebaa0; -} - -.theme-section.current, -.theme-filter.current { - border-bottom-color: #738e96; -} - -body.more-filters-opened .more-filters { - color: #f2fcff; - background-color: #738e96; -} - -body.more-filters-opened .more-filters:before { - color: #f2fcff; -} - -body.more-filters-opened .more-filters:hover, -body.more-filters-opened .more-filters:focus { - background-color: #9ebaa0; - color: #f2fcff; -} - -body.more-filters-opened .more-filters:hover:before, -body.more-filters-opened .more-filters:focus:before { - color: #f2fcff; -} - -/* Widgets */ -.widgets-chooser li.widgets-chooser-selected { - background-color: #9ebaa0; - color: #f2fcff; -} - -.widgets-chooser li.widgets-chooser-selected:before, -.widgets-chooser li.widgets-chooser-selected:focus:before { - color: #f2fcff; -} - -/* Responsive Component */ -div#wp-responsive-toggle a:before { - color: #f1f3f3; -} - -.wp-responsive-open div#wp-responsive-toggle a { - border-color: transparent; - background: #9ebaa0; -} - -.wp-responsive-open #wpadminbar #wp-admin-bar-menu-toggle a { - background: #627c83; -} - -.wp-responsive-open #wpadminbar #wp-admin-bar-menu-toggle .ab-icon:before { - color: #f1f3f3; -} - -/* TinyMCE */ -.mce-container.mce-menu .mce-menu-item:hover, -.mce-container.mce-menu .mce-menu-item.mce-selected, -.mce-container.mce-menu .mce-menu-item:focus, -.mce-container.mce-menu .mce-menu-item-normal.mce-active, -.mce-container.mce-menu .mce-menu-item-preview.mce-active { - background: #9ebaa0; -} +.bdp_setting_box label span { + cursor: pointer; + width: 10pt; + color: #a0a0a0; +} \ No newline at end of file diff --git a/bdp-kompass.php b/bdp-kompass.php index 8a91410..1089ef6 100644 --- a/bdp-kompass.php +++ b/bdp-kompass.php @@ -8,22 +8,14 @@ * Requires PHP: 8.2 * Author: Thomas Günther * Author URI: https://www.sachsen.pfadfinden.de - * Update URI: https://lv-sachsen-main.bdp.mein-verein.online/wordpress/ + * Update URI: http://lv-sachsen-main.bdp.mein-verein.online/wordpress/ * Text Domain: bdp-kompass */ use Bdp\Modules\Security\Security; use Bdp\Modules\Seo\Seo; - -define('BDP_LV_PLUGIN_DIR', ABSPATH . '/wp-content/plugins/bdp-kompass/'); -define('BDP_LV_PLUGIN_URL', plugin_dir_url(__FILE__)); -define('BDP_LV_PLUGIN_SLUG', 'bdp-kompass'); - -require_once BDP_LV_PLUGIN_DIR . 'core/fileloader.php'; - - -bdp_create_menu_structure(); +require_once dirname(__FILE__) . '/includes/setup.php'; function bdp_plugin_install() { Seo::setup(); @@ -32,18 +24,19 @@ function bdp_plugin_install() { update_option('kompass_installation', true); } -function bdp_plugin_init() -{ - remove_menu_page('admin.php?page=limit-login-attempts&tab=dashboard'); - if (get_option('kompass_installation') == true) { - delete_option('kompass_installation'); - wp_redirect('admin.php?page=bdp-kompass%2Fmodules%2Findex.php&loadmodule=firstusage'); - } + +function bdp_plugin_init() { + Security::ProhibitBots(); + Security::SetPageFilters(); + + remove_menu_page( 'admin.php?page=limit-login-attempts&tab=dashboard' ); + if ( get_option( 'kompass_installation' ) == true ) { + delete_option( 'kompass_installation' ); + wp_redirect( 'site-health.php?tab=bdp_enhanced_security'); + } } -register_activation_hook(__FILE__, 'bdp_plugin_install'); -add_action('init', 'bdp_plugin_init'); function register_custom_theme_directory() { $file = ABSPATH . '/wp-content/plugins/bdp-kompass/buena/' ; @@ -55,148 +48,3 @@ function register_custom_theme_directory() { } #add_action( 'after_setup_theme', 'register_custom_theme_directory' ); - -class BdpVersionChecker -{ - public $plugin_slug; - public $version; - public $cache_key; - public $cache_allowed; - public $updateUrl; - - public function __construct() - { - $plugin_data = get_plugin_data(__FILE__); - $this->plugin_slug = 'bdp-kompass'; - $this->updateUrl = $plugin_data['UpdateURI'] . '/info.json'; - $this->version = $plugin_data['Version']; - $this->cache_key = 'bdp_kompass_upd'; - $this->cache_allowed = true; - - add_filter('plugins_api', array($this, 'info'), 20, 3); - add_filter('site_transient_update_plugins', array($this, 'update')); - add_action('upgrader_process_complete', array($this, 'purge'), 10, 2); - } - - public function request() - { - $remote = get_transient($this->cache_key); - - if (false === $remote || !$this->cache_allowed) { - - $remote = wp_remote_get( - $this->updateUrl - , - array( - 'timeout' => 10, - 'headers' => array( - 'Accept' => 'application/json' - ) - ) - ); - - if ( - is_wp_error($remote) - || 200 !== wp_remote_retrieve_response_code($remote) - || empty(wp_remote_retrieve_body($remote)) - ) { - return false; - } - - set_transient($this->cache_key, $remote, 3600); - } - - $remote = json_decode(wp_remote_retrieve_body($remote)); - return $remote; - - } - - - function info($res = '', $action = '', $args = '') - { - if (!isset($args->slug) || $args->slug !== $this->plugin_slug) { - return $res; - } - - // get updates - $remote = $this->request(); - if (!$remote) { - return $res; - } - - $res = new stdClass(); - - $res->name = $remote->name; - $res->slug = $remote->slug; - $res->version = $remote->version; - $res->tested = $remote->tested; - $res->requires = $remote->requires; - $res->author = $remote->author; - $res->author_profile = $remote->author_profile; - $res->download_link = $remote->download_url; - $res->trunk = $remote->download_url; - $res->requires_php = $remote->requires_php; - $res->last_updated = $remote->last_updated; - - $res->sections = array( - 'description' => $remote->sections->description, - 'installation' => $remote->sections->installation, - 'changelog' => $remote->sections->changelog - ); - - if (!empty($remote->banners)) { - $res->banners = array( - 'low' => $remote->banners->low, - 'high' => $remote->banners->high - ); - } - - return $res; - } - - public function update($transient) - { - if (empty($transient->checked)) { - return $transient; - } - - $remote = $this->request(); - if( - $remote - && version_compare( $this->version, $remote->version, '<' ) - && version_compare( $remote->requires, get_bloginfo( 'version' ), '<=' ) - && version_compare( $remote->requires_php, PHP_VERSION, '<' ) - ) { - $res = new stdClass(); - $res->slug = $this->plugin_slug; - $res->plugin = plugin_basename( __FILE__ ); - $res->new_version = $remote->version; - $res->tested = $remote->tested; - $res->package = $remote->download_url; - - $transient->response[ $res->plugin ] = $res; - - } else { - $res = new stdClass(); - $res->slug = $this->plugin_slug; - $res->plugin = plugin_basename( __FILE__ ); - $transient->no_update[ $res->plugin ] = $res; - } - - return $transient; - } - - public function purge($upgrader, $options) - { - if ( - $this->cache_allowed - && 'update' === $options['action'] - && 'plugin' === $options['type'] - ) { - delete_transient($this->cache_key); - } - } -} -$class = new BdpVersionChecker(); - -add_filter( 'plugins_api', array( $class, 'info' ), 20, 3 ); diff --git a/core/VersionChecker.php b/core/VersionChecker.php deleted file mode 100644 index e69de29..0000000 diff --git a/core/fileloader.php b/core/fileloader.php deleted file mode 100644 index f20545b..0000000 --- a/core/fileloader.php +++ /dev/null @@ -1,14 +0,0 @@ -exists(ABSPATH . $file)) { + return ''; + } + + return $wfs->get_contents(ABSPATH . $file); + } + + public static function writeHtaccess(string $value, $file = self::HTACCESS_MAIN) : bool + { + $wfs = new self(); + $wfs->put_contents(ABSPATH . $file, $value); + return true; + } + + public static function insertInHtaccess(string $element, $file = self::HTACCESS_MAIN) : bool + { + if (FileAccess::htaccessContains($element, $file)) { + return true; + } + + $htaccessFile = FileAccess::readHtaccess($file); + $htaccessFile .= PHP_EOL . $element . PHP_EOL; + FileAccess::writeHtaccess($htaccessFile, $file); + return true; + } + + public static function deleteFromHtaccess(string $element, $file = self::HTACCESS_MAIN) : bool { + $htaccessFile = str_replace($element . PHP_EOL, '', FileAccess::readHtaccess($file)); + return FileAccess::writeHtaccess($htaccessFile, $file); + } +} diff --git a/includes/WpConfigEditor.class.php b/includes/WpConfigEditor.class.php new file mode 100644 index 0000000..928d561 --- /dev/null +++ b/includes/WpConfigEditor.class.php @@ -0,0 +1,82 @@ +exists(ABSPATH . self::WP_CONFIG_FILE)) { + return ''; + } + + return $this->get_contents(ABSPATH . self::WP_CONFIG_FILE); + } + + public function writeConfig($value): bool + { + $this->put_contents(ABSPATH . self::WP_CONFIG_FILE, $value); + return true; + } + + public static function updateConfig($key, $value): bool + { + $wfs = new self(); + $configContent = $wfs->readConfig(); + + if (null === self::getConfigValue($key)) { + $configContent .= "define( '$key', $value );"; + } + + preg_match("/define\([ ]?'($key)'\,[ ]?(.*)[ ]?\);/",$configContent, $matches); + $configContent = str_replace($matches[0], "define( '$key', $value );", $configContent); + return $wfs->writeConfig($configContent); + } + + public static function getConfigValue($key): ?string + { + $wfs = new self(); + $configContent = $wfs->readConfig(); + + preg_match("/define\([ ]?'($key)'\,[ ]?(.*)[ ]?\);/",$configContent, $matches); + if (count($matches) == 0) { + return null; + } + + return trim($matches[2]); + } + + public static function updateSiteKeys(string $newKeySet) + { + foreach (explode(PHP_EOL, trim($newKeySet)) as $currentKeyLine) { + preg_match("/define\([ ]?'(.*)'\,[ ]?(.*)[ ]?\);/", $currentKeyLine, $matches); + self::updateConfig($matches[1], trim($matches[2])); + } + + return true; + } + + public static function deleteConfigKey($key): bool + { + if (null === self::getConfigValue($key)) { + return true; + } + + $wfs = new self(); + $configContent = $wfs->readConfig(); + + preg_match("/define\([ ]?'($key)'\,[ ]?(.*)[ ]?\);/",$configContent, $matches); + $configContent = str_replace($matches[0], '', $configContent); + return $wfs->writeConfig($configContent); + } +} \ No newline at end of file diff --git a/includes/environment.php b/includes/environment.php new file mode 100644 index 0000000..984124a --- /dev/null +++ b/includes/environment.php @@ -0,0 +1,7 @@ + + Require all denied +"; +} + +function _protect_wp_disable_script_execution_string() { + return '' . " + deny from all +"; +} + +function _protect_wp_disable_special_files_string() { + return '' . " + deny from all +"; +} + +function _protect_wp_disable_directory_listing_string() { + return 'Options -Indexes'; +} + +function _protect_wp_secure_include_dir_string() { + return "RewriteEngine On +RewriteBase / +RewriteRule ^wp-admin/includes/ - [F,L] +RewriteRule !^wp-includes/ - [S=3] +RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] +RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L] +RewriteRule ^wp-includes/theme-compat/ - [F,L]"; +} + +function _protect_wp_initial_bot_list_array() +{ + return explode(';', 'SemrushBot;AhrefsBot;DotBot;WhatCMS;Rogerbot;trendictionbot;BLEXBot;linkfluence;magpie-crawler;MJ12bot;Mediatoolkitbot;AspiegelBot;DomainStatsBot;Cincraw;Nimbostratus;HTTrack;serpstatbot;omgili;GrapeshotCrawler;MegaIndex;PetalBot;Semanticbot;Cocolyzebot;DomCopBot;Traackr;BomboraBot;Linguee;webtechbot;DomainStatsBot;Clickagy;sqlmap;Internet-structure-research-project-bot;Seekport;AwarioSmartBot;OnalyticaBot;Buck;Riddler;SBL-BOT;DF Bot 1.0;PubMatic Crawler Bot;BVBot;Sogou;Barkrowler;Yandex'); +} diff --git a/core/frontend-functions.php b/includes/frontend-functions.php similarity index 92% rename from core/frontend-functions.php rename to includes/frontend-functions.php index 36d072b..a3b79df 100644 --- a/core/frontend-functions.php +++ b/includes/frontend-functions.php @@ -20,21 +20,13 @@ function bdp_add_menu_security() { add_menu_page( 'Sicherheit', - 'Erweiterte
Sicherheit', + 'Webseiten-Sicherheit', 'manage_options', 'site-health.php', '', 'dashicons-admin-network', 5 ); - - https://wordpress.local.development.contelli.de/wp-admin/admin.php?page=limit-login-attempts - add_submenu_page('site-health.php', - 'Login-Kontrolle', - 'Login-Kontrolle', - 'manage_options', - get_admin_url() . 'admin.php?page=limit-login-attempts' - ); } function bdp_add_menu_contents() { diff --git a/includes/pre_requires.php b/includes/pre_requires.php new file mode 100644 index 0000000..1436eff --- /dev/null +++ b/includes/pre_requires.php @@ -0,0 +1,5 @@ +plugin_slug = BDP_LV_PLUGIN_SLUG; + $this->updateUrl = $plugin_data['UpdateURI'] . '/info_development.json'; + $this->version = $plugin_data['Version']; + $this->cache_key = 'bdp-kompass-upd'; + $this->cache_allowed = false; + + add_filter( 'plugins_api', array( $this, 'info' ), 20, 3 ); + add_filter( 'site_transient_update_plugins', array( $this, 'update' ) ); + add_action( 'upgrader_process_complete', array( $this, 'purge' ), 10, 2 ); + } + + public function request(){ + + $remote = get_transient( $this->cache_key ); + + if( false === $remote || ! $this->cache_allowed ) { + + $remote = wp_remote_get( + $this->updateUrl + , + array( + 'timeout' => 10, + 'headers' => array( + 'Accept' => 'application/json' + ) + ) + ); + + if( + is_wp_error( $remote ) + || 200 !== wp_remote_retrieve_response_code( $remote ) + || empty( wp_remote_retrieve_body( $remote ) ) + ) { + return false; + } + + set_transient( $this->cache_key, $remote, 3600 ); + + } + + $remote = json_decode( wp_remote_retrieve_body( $remote ) ); + + return $remote; + + } + + + function info( $res = '', $action = '', $args = '' ) + { + if (!isset($args->slug) || $args->slug !== $this->plugin_slug) { + return $res; + } + + // get updates + $remote = $this->request(); + + if( ! $remote ) { + return $res; + } + + $newVersion = $remote->version; + $res = new stdClass(); + + $res->name = $remote->name; + $res->slug = $remote->slug; + $res->version = $newVersion; + $res->tested = $remote->tested; + $res->requires = $remote->requires; + $res->author = $remote->author; + $res->author_profile = $remote->author_profile; + $res->download_link = $remote->download_url; + $res->trunk = $remote->download_url; + $res->requires_php = $remote->requires_php; + $res->last_updated = $remote->last_updated; + + $res->sections = array( + 'description' => $remote->sections->description, + 'installation' => $remote->sections->installation, + 'changelog' => $remote->sections->changelog + ); + + if( ! empty( $remote->banners ) ) { + $res->banners = array( + 'low' => $remote->banners->low, + 'high' => $remote->banners->high + ); + } + + return $res; + + } + + public function update( $transient ) { + if ( empty($transient->checked ) ) { + return $transient; + } + + $remote = $this->request(); + if( + $remote + && version_compare( $this->version, $remote->version, '<' ) + && version_compare( $remote->requires, get_bloginfo( 'version' ), '<=' ) + && version_compare( $remote->requires_php, PHP_VERSION, '<' ) + ) { + + $newVersion = $remote->version; + + $res = new stdClass(); + $res->slug = $this->plugin_slug; + $res->plugin = plugin_basename( BDP_LV_STARTUP_FILE ); + $res->new_version = $newVersion; + $res->tested = $remote->tested; + $res->package = $remote->download_url; + + $transient->response[ $res->plugin ] = $res; + + } else { + $res = new stdClass(); + $res->slug = $this->plugin_slug; + $res->plugin = plugin_basename( BDP_LV_STARTUP_FILE ); + $transient->no_update[ $res->plugin ] = $res; + } + + return $transient; + + } + + public function purge( $upgrader, $options ){ + + if ( + $this->cache_allowed + && 'update' === $options['action'] + && 'plugin' === $options[ 'type' ] + ) { + // just clean the cache when new plugin version is installed + delete_transient( $this->cache_key ); + } + } +} \ No newline at end of file diff --git a/lang/bdp-kompass_de_DE.mo b/lang/bdp-kompass_de_DE.mo new file mode 100644 index 0000000000000000000000000000000000000000..f4194171348d0ce3160d155b64a6bdd260a123af GIT binary patch literal 11120 zcmaKyON=DhRffaNjLpj!X3WzDt_Lt4yDA4+Sb)JmRaeb)i=LTMS9=<~K#I(~nHjFg zh$J4BUA3|h@(%Gv!kgJNh#f+LUiAVgVF7C-Bm{_scd%y7_n&*?k=4~xqng_pk9*Jg z&wrj-|Mlw2f0pp`GyHy<-;<9d$(LC3??{r5v;O)^N%F(2@3J1UE?B?7`lqZv#QG1c z2dw|b`Wo-P{Bn|fKc9c(m9W0S`afL%GVAZNe)eNY@(K3-yYEbrS9$IqzdK1jsrOlb zl=XjEe~R^^-xK8dJnPT$`EAxWSWDLLWBm)(kF(!jv%bpu^n3Yb{bz*!0q%d}6G`$D ztbfeuO^>ciF1z|tQ z=LzdEpYQx2y0U(gRTzH2`pc~U#QH_nj{wrASbv`N*I3V3e~I`1kd>p7e*s+S{U5Av zfy@7~{yF!*@?%Nzmwf(LUe^BC2&;Ymg!S{Rf5R$y{+;#5Szr3eV7Je(PWb$Y^)=RS zvL3VFw^(J{|8&UDzOTQYB#4;&!cT|&-(kJt{(|+(T>o#B`7GWSo;x2Zu=3}5HzpwBs z-J~~W?SI44Uiw zOpttxU-1o^*^fA(A7LxI9L?u$T~^*r%cf3_^4!(FX|iHjyOgVSdg;fh zvsqjDxto0qz;r*Ngka||G z*KLu_IM9`CQ)hG5#dx>vDx0nJ`gV1tQ^9L*ue7*wl}~FFW53*krOO(CG5tZat#x7I z9_rl%Ryc6{-xR1lKxfUBj=U<{%7GfUd7UGsm<)|p{N5j4^)q*NyKd?uWG7xxeVwnGIkYov$CpSzU(6s0LLsX+{))0 zx2bR%Zkg>PqHa-@Ya~nCW>r?%HAqA!lbEF#=+5|Q*{x+=&6yyU!q1z@;uK;MC z31PS+Cj|0%Y)3BPjq;ar?*3>j)~wuRnzzRH+o2!=F0y4?1&B~@w0i`lt~2?|4JfdN z$y8QXF3)OW>EL&XhSol{qvp_$hw|~4T ziF>zGt@GRNP!a}?V@xA__w=*eVJO$LD%&*NV^fKcj$E(@t;*_)i90dE>!IgSB6(e! z!T}a@w19`{CERWm_(0aFJOL@N$V337`5fAp@)XgKytx=m*oF8=Me!j7)+6)l8cz0? zjQ&bLo3YPq!kYO$yAas& z7XQE|H=dKWJfN`6c4Ew%?IthNdHrVpWJtO3qh7e}eC;Bd58)x?giTub+_De(Z@ob| z@!u~Nsu#$n+mysRq@#_mENT&nM>#&^%o#MI1kvL&LWGqL0zr8_q+AXlX3A9NCo{{S z2g)Msu;!#L>YJ!VyPgKa-hKG+j66@er~?s)Y9|enqP0*lDrH2i=g{~NAT1>ju5qX? z)vQT978oe4#%W?e?*+lNS&_9GLhD1YzQt-(AGy$g?QPv!y(X)4#X-EgwMu6=tcGpG zhG2O@t~uvHpMtZsV)TJij4fG5xeBJH;qggw`dBP8f>;P4aHu2=Iq$Z_5yLjtS?ix1 z+yjI=Qly4zuum=Ifaj7UaSA^5?J^nyBf1fP zf+dKr%QP$MMz4qnBFloJkC)~^6za)%k3?n}tqvtPL1>l{8g;iSb7Nu!g|b;djU(1n z1@Y;@3(im9bBFH*p+hCGsjuqBuVc!>7xb74 zz_bD~Bq^&#Xrfb08(nGHbN)_M*7f1JNOEp!>g3P;=K1*>UEz@xUsriIFmhHBVo7ji zhiyloNpgmnpoO}HJS%9`@M3CQ9>qX_yOu>29Ib~ttIAb2wLZfduvj#15g9Xek63X@ zemEQ;?Ha#?9lG0dYt49Xol(u8MDHuNJ-s4U_HQ(+6!y#^-fZlf-FsH2#a$=AGNt(c z)!!;xGj{0mEXwvz2SNz{kSXR}UYjHj{E}LSEF85vSDzK4cbzEGg?bq?(h%|b5V@MG zjd;MWv0%h|ttPW_m8zYh0)oJ`Q8^QLBM^*h^NIVaD&~gjT%L8{-Y!d(`)OX6gb^zJ zITk}0lR{24qL1xsJ+i0=gVPf;vPEPyw%~}y zw@(U8Q9OE-Oc(4Cs%+6U)W#TgY@Sg~sM<DHOq3KtDNzzf#+a<;rZFD}hDd`kj<%9_WN2Gg@D7dd48#6S7!6D#u z?J($pNOUx%F^e8x)X#4q#i-R8YHwQSpm*}f6Y4KdZA4$LnOch7fEYgkZBlKUDx9Wn}WyC+l>Rgu^}1-J9vGxo}Xz3{E>oN9K| zIOtHPYdgZ7lauH4IfuhOBGDc`abv^rcF`Y&*_HGLJldlC ziw+x&wFKkM!4}cd@VjeMEXpvmwjGL2fG_Q2rK7^wO{c?Q$2QD*OT(W?&0@T8wg? zRW8YSHvVE7VgBaVuJeCs00S&~Od*w~ZX8j#BO_h2dm>pl3^jMpjMC$=SefT=cA#j} z3yjb8!Q|dB6=SpAGj)K%B@8C;1%?%b14)U8?Vc`4&?JGuMQW(b;1aW$r}XSR9II&6 zY=9NWf8AVxZaP6TKm=+0EISbA|J@R#_^q3uG$F)qrB z-}e;)%~l0fD3|IFwbnjS%@k*vm^JlgwR=LAir5dXzVzGOla(AvCsJk^wEdK&8>MyO zD`M=c&cYT8YIp1{R^o`tZ~nGuFWvnz7N2u5baW2j-u0 z2J+^0w#cAyOm5JA=>ve#?CX|qV%$mZO)ucDV#*lVNM89}N9Znl%8=(58nvm$#5HqH zREoh=NHxm5c<_ks^3w}?zqB%|^IbDqVsoGFqNDPiSgW}Q z=_%CgeQFC)%JJF*18u)dWR$H-`KP7S~2b|lcG2G9}h#m{cG~#Jrm2{pOY0~h9G#PFMeCM1jR18 za7Ys20T0}78Px#(sHOC zOzN65hjdVF5mb#GVV7<0r*lPHg*vPxal}?-atnle5Q;OyK;cEEu?%Xg9(m$A-F;A` zE4mhfyxd@o)a)>z|H2e>?B{d^0i?YIihV2hUNu+IcMD0ZiYfFp62*E@+Bgs^HCkd` zRIEXg5e?jm0(j|ja3S2q2t=p>tK&@b$piPk%@PgUkn`O;bY={qLb1>AacC|=HmPys zJoD7fv;qujv-Mh|6Khz6s^B68BGZ|^D(>@fj1-1uPbz}ofUFdd{6p4usy{+ywO@T$ z6om_r1B2HV9Fd3ayj9IU)Er>~sVmAP4-m-4kcA|uQhm3nt;C*aw8OJu^o{nR#A%2z zRZKTE4^QhxWYw!D{V4KI7*nd&8`7Dn3yo8%ZEu|!^GLEj9laSuf?Uu*gu-#Ld#WK{ z=dYcM@+OnXIGFUI59+(42T^DFS?G1TDP^=u$SsTvuknnz;<8nyW+wR)f?1QJNhRQE z5C&AzEjWHRoz-*_md9joL6DB~RD9%>JxkI{uHF6EkWiE(N$7>l5sy8oq@Wc7g)Wfo zh1C(Uo~u~QC1tOHH=`JJ3x#CDC#E*<#KcP$CD$x{%!Yl1iUaXPV`2d384D|v@S)~HeQ`nVCwfffDYIF+}ssQP+Ll^Sm*=7v9K|Dgt)Mw%^ z!i==3+?_D#3?+`@UKR@?SVu2{pZXS2l=~SCXzb*^W;*eW3t!^!&8(t{%xc1^krhkL zmD%FDWlR8f`^kXZTfu8iRYha>YSN?Ofgac}&T=9&u)AQ0h&FYrX& zpp9zX=J~gWd$Fdm0C|&;`!d8sh)<}( zwfSq35mZv82P%{%Vl9@f$tU> literal 0 HcmV?d00001 diff --git a/lang/bdp-kompass_de_DE.po b/lang/bdp-kompass_de_DE.po new file mode 100644 index 0000000..0ad6ab1 --- /dev/null +++ b/lang/bdp-kompass_de_DE.po @@ -0,0 +1,111 @@ +msgid "Extended Security" +msgstr "Erweiterte Sicherheit" + +msgid "Save changes" +msgstr "Änderungen speichern" + +msgid "All settings are saved." +msgstr "Die Einstellungen wurden gespeichert." + +msgid "Disable xmlrpc" +msgstr "xmlrpc deaktivieren" + +msgid "By introducing the REST API in WordPress, xmlrpc. However, php is no longer needed to communicate outside of WordPress, which is why there is no longer any reason to leave it active or use it. Therefore, for the security of your site, it is better to deactivate or delete it." +msgstr "Durch die Einführung der REST API in WordPress wird xmlrpc. php jedoch nicht mehr benötigt, um außerhalb von WordPress zu kommunizieren, weshalb es hier keinen Grund mehr gibt, diese aktiv zu lassen oder zu nutzen. Deshalb ist es für die Sicherheit deiner Seite besser, diese zu deaktivieren oder zu löschen." + +msgid "Disable Authorscan" +msgstr "Autorenscan deaktivieren" + + +msgid "The author page in WordPress typically displays a list of all posts by a specific author on your website. Unfortunately, Google also records the page and to prevent this, we can deactivate the author page. When a visitor clicks on an name of an author, they are redirected to the author page. This page contains a list of posts written by this author, as well as possibly a brief description of the author and a photo. It is also possible to record which user names have been created." +msgstr "Die Autorenseite in WordPress zeigt normalerweise eine Liste aller Beiträge eines bestimmten Autors auf deiner Website an. Google erfasst die Seite auch leider und um das zu verhindern, können wir die Autorenseite deaktivieren. Wenn ein Besucher auf den Namen eines Autors klickt, wird er auf die Autorenseite weitergeleitet. Diese Seite enthält eine Liste der Beiträge, die von diesem Autor verfasst wurden, sowie möglicherweise eine kurze Beschreibung des Autors und ein Foto. Auch ist es darüber möglich zu erfassen, welche Nutzernamen angelegt sind." + +msgid "Disable scripting in /wp-content/uploads/" +msgstr "Scripting in /wp-content/uploads/ deaktivieren" + +msgid "Disabling scripting in /wp-content/uploads/ can be a security measure to protect your WordPress website from potential threats. The /wp-content/uploads folder is usually the default folder where WordPress stores uploaded files, such as images, videos, and other media files." +msgstr "Das Deaktivieren von Scripting in /wp-content/uploads/ kann eine Sicherheitsmaßnahme sein, um dein WordPress-Website vor potenziellen Bedrohungen zu schützen. Der Ordner /wp-content/uploads ist normalerweise der Standardordner, in dem WordPress hochgeladene Dateien, wie Bilder, Videos und andere Mediendateien, speichert." + +msgid "Block access to potentially sensitive files" +msgstr "Zugriff auf potenziell sensible Dateien blockieren" + +msgid "This setting prohibits access to configuration files and log files" +msgstr "Diese Einstellung verbietet den Zugriff auf Konfigurationsdateien sowie Log-Dateien" + +msgid "Disable file editor in WP Dashboard" +msgstr "Dateieditor im WP Dashboard deaktivieren" + +msgid "This is a security feature that allows you to prevent users from editing theme and plugin files directly from the WordPress dashboard. This can be useful for a variety of reasons, including preventing accidental code changes and protecting your website from malicious attacks." +msgstr "Hierbei handelt es sich um eine Sicherheitsfunktion, mit der Sie verhindern können, dass Benutzer Theme- und Plugin-Dateien direkt über das WordPress-Dashboard bearbeiten können. Dies kann aus verschiedenen Gründen nützlich sein, unter anderem um versehentliche Änderungen am Code zu verhindern und Ihre Website vor böswilligen Angriffen zu schützen." + +msgid "Disable script concatenation" +msgstr "Skriptverkettung deaktivieren" + +msgid "Disabling script concatenation in the WordPress admin panel is a simple and effective way to enhance performance. However, it is crucial to carefully consider the impact of this change, as it may increase the number of HTTP requests, potentially affecting loading times" +msgstr "Das Deaktivieren der Skriptverkettung im WordPress-Admin-Panel ist eine einfache und effektive Möglichkeit, die Leistung zu verbessern. Es ist jedoch wichtig, die Auswirkungen dieser Änderung sorgfältig abzuwägen, da sie die Anzahl der HTTP-Anfragen erhöhen und sich möglicherweise auf die Ladezeiten auswirken kann." + +msgid "Disable script execution in include dir" +msgstr "Skriptausführung im Include-Verzeichnis deaktivieren" + +msgid "Limiting script execution in specific directories can improve security by preventing potentially malicious scripts from running in critical parts of the WordPress system. This is particularly important to prevent attacks such as Cross-Site Scripting (XSS), which inject malicious code into website content." +msgstr "Das Begrenzen der Skriptausführung in bestimmten Verzeichnissen kann die Sicherheit verbessern, indem potenziell schädliche Skripte daran gehindert werden, in kritischen Teilen des WordPress-Systems ausgeführt zu werden. Dies ist besonders wichtig, um Angriffe wie Cross-Site Scripting (XSS) zu verhindern, bei denen schädlicher Code in Webseiteninhalte eingeschleust wird." + +msgid "Change site keys" +msgstr "Seitenschlüssel erneuern" + +msgid "An error occured connecting api.wordpress.org" +msgstr "Beim Kontaktieren von api.wordpress.org trat ein Fehler auf" + +msgid "The site keys were updated successfully." +msgstr "Die Seitenschlüssel wurden erneuert." + +msgid "Protect WP detected missing security settings" +msgstr "Protect WP hat fehlende Sicherheitseinstellungen festgestellt" + +msgid "Protect WP has detected that advanced security settings are missing.
You can update the settings directly in the dashboard." +msgstr "Protect WP hat festgestellt, dass erweiterte Sicherheitseinstellungen fehlen.
Du kannst die Einstellungen direkt im Dashboard aktualisieren." + +msgid "Protect WP - security settings" +msgstr "Protect WP - Sicherheitseinstellungen" + +msgid "Prohibit access from unwanted bots" +msgstr "Zugriff von ungewollten Bots verbieten" + +msgid "Excluding specific bots from a WordPress website provides improved security by reducing potentially malicious activity and security risks, optimizes resource consumption and site performance, protects against content theft and duplicate content, enables more precise control of traffic, and promotes more effective SEO -Optimization by reducing irrelevant bots, ultimately leading to a safer, more efficient and better performing website." +msgstr "Das Ausschließen bestimmter Bots von einer WordPress-Website bietet eine verbesserte Sicherheit, indem potenziell bösartige Aktivitäten und Sicherheitsrisiken reduziert werden, optimiert den Ressourcenverbrauch und die Website-Performance, schützt vor Inhaltsdiebstahl und Duplicate Content, ermöglicht eine genauere Kontrolle des Datenverkehrs und fördert eine effektivere SEO-Optimierung durch die Reduzierung nicht relevanter Bots, was letztendlich zu einer sichereren, effizienteren und besser performenden Website führt." + +msgid "Bot Detection Database" +msgstr "Datenbank zur Bot-Erkennung" + +msgid "Registered bots" +msgstr "Vorhandene Bots" + +msgid "Add more bots" +msgstr "Weitere Bots hinzufügen" + +msgid "Leave blank in order to delete" +msgstr "Zum Löschen leer lassen" + +msgid "Please use line breaks to enter multiple bots" +msgstr "Bitte Zeilenumbruch verwenden, um mehrere Bots einzutragen"# + +msgid "Bot Detection Database updated successfully." +msgstr "Die Datenbank zur Bot-Erkennung wurde erfolgreich aktualisiert." + +msgid "Disable directory listing" +msgstr "Auflistung von Verzeichnissen deaktivieren" + +msgid "Directory listing should be disabled to ensure the security and privacy of a website. When Directory Listing is enabled, this allows users to directly access the contents of directories on a web server without having to specify a specific file. This can expose sensitive information such as directory structures, internal files and scripts, posing a potential security risk. Disabling Directory Listing prevents users from accessing this sensitive information, thereby providing an additional layer of security for the website." +msgstr "Das Auflisten von Verzeichnissen sollte deaktiviert werden, um die Sicherheit und Privatsphäre einer Website zu gewährleisten. Wenn Directory Listing aktiviert ist, ermöglicht dies Benutzern den direkten Zugriff auf die Inhalte von Verzeichnissen auf einem Webserver, ohne dass eine spezifische Datei angegeben werden muss. Dies kann sensible Informationen wie Verzeichnisstrukturen, interne Dateien und Skripte offenlegen, was ein potenzielles Sicherheitsrisiko darstellt. Durch das Deaktivieren von Directory Listing wird verhindert, dass Benutzer auf diese sensiblen Informationen zugreifen können, und bietet somit eine zusätzliche Sicherheitsschicht für die Website." + +msgid "Disable debug output" +msgstr "Debug-Ausgaben deaktivieren" + +msgid "Debugging should be disabled to protect sensitive information about the internal structure and potential security vulnerabilities of a a WordPress website from potential attackers. When debugging is enabled, error messages and warnings are displayed directly on the website, which can provide attackers with valuable information about the configuration of the website and possible vulnerabilities." +msgstr "Debugging sollte deaktiviert werden, um sensible Informationen über die interne Struktur und mögliche Sicherheitslücken einer WordPress-Website vor potenziellen Angreifern zu schützen. Wenn Debuggin aktiviert ist, werden Fehlermeldungen und Warnungen direkt auf der Webseite angezeigt, was Angreifern wertvolle Informationen über die Konfiguration und mögliche Schwachstellen der Website geben kann. " + +msgid "Change Login URL" +msgstr "Login-URL ändern" + +msgid "Changing the default login URL of WordPress is advisable to enhance the security of your website. By default, WordPress login URLs is /wp-admin or /wp-login.php, which are easily guessed by hackers and facilitate attacks such as brute-force attacks. Changing the login URL to something unique and difficult to guess increases security since potential attackers will struggle to find the correct URL. This can help protect your website from unauthorized access and other malicious activities." +msgstr "Es ist ratsam, die Standard-Login-URL von WordPress zu ändern, um die Sicherheit deiner Website zu erhöhen. Standardmäßig lautet die Login-URL von WordPress /wp-admin oder /wp-login.php, was für Hacker leicht zu erraten ist und Angriffe wie Brute-Force-Attacken erleichtern kann. Durch Ändern der Login-URL auf etwas Einzigartiges und schwer zu erraten, erhöhst du die Sicherheit, da potenzielle Angreifer Schwierigkeiten haben werden, die richtige URL zu finden. Dies kann helfen, deine Website vor unautorisiertem Zugriff und anderen böswilligen Aktivitäten zu schützen." \ No newline at end of file diff --git a/modules/security/classes/Security.class.php b/modules/security/classes/Security.class.php index 8c252e6..60d38e6 100644 --- a/modules/security/classes/Security.class.php +++ b/modules/security/classes/Security.class.php @@ -4,18 +4,15 @@ namespace Bdp\Modules\Security; use ZipArchive; - - class Security { - public const required_security_plugins = [ - 'wps_hide_login' => ['downloadUrl' => 'https://downloads.wordpress.org/plugin/wps-hide-login.1.9.10.zip'], - 'limit-login-attempts-reloaded' => ['downloadUrl' => 'https://downloads.wordpress.org/plugin/limit-login-attempts-reloaded.2.25.27.zip']]; - + public const required_security_plugins = []; public const delete_plugins = [ 'akismet/akismet.php', - 'hello.php' + 'hello.php', + 'wps_hide_login', + 'limit-login-attempts-reloaded' ]; public static function setup() @@ -27,9 +24,17 @@ class Security } } - $loginUrl = get_option('whl_page', 'bdp_login'); - update_option('whl_page', $loginUrl); - + $loginUrl = get_option('whl_page', null) ?? 'bdp-login'; + enable_option_rewrite_url($loginUrl); + enable_option_disable_xmlrpc(); + enable_option_block_authorscan(); + enable_option_block_execution_in_uploads(); + enable_option_prohibit_special_files(); + enable_option_file_editor(); + enable_option_disable_conatenation(); + enable_option_secure_include_dir(); + enable_option_prohibit_bot_access(); + enable_option_block_directory_listing(); } public static function deletePlugins() { @@ -37,6 +42,67 @@ class Security delete_plugins(self::delete_plugins); } + public static function ProhibitBots() { + $botList = get_prohibitedbot_list(); + + if (!is_bot_access_prohibited() || count($botList) == 0) { + return; + } + + foreach ($botList as $botListEntry) { + if (stripos($_SERVER['HTTP_USER_AGENT'], $botListEntry) !== false) { + status_header(403); + die(); + } + } + } + + + public static function protectAuthorScan() + { + global $wp; + + if (str_starts_with($wp->request, 'author/') && is_authorscan_blocked()) { + status_header(403); + die(); + } + } + + public static function SetPageFilters() { + global $wp; + + if (str_contains($_SERVER['REQUEST_URI'], 'wp-login.php?action=logout')) { + return; + } + + add_action('template_redirect', [Security::class, 'protectAuthorScan']); + Security::protectLoginSecurity(); + } + + public static function protectLoginSecurity() { + $hideLogin = is_login_rewritten(); + + if (null === $hideLogin) { + return; + } + + if ( str_contains( $_SERVER['REQUEST_URI'], 'wp-login.php' ) && ! isset( $_POST['redirect_to'] ) && $_POST['redirect_to'] !== 'interner-bereich' ) { + wp_redirect( home_url() ); + die(); + } + + if ( str_contains( $_SERVER['REQUEST_URI'], $hideLogin ) !== false ) { + $user_login = ''; + $_REQUEST['redirect_to'] = 'interner-bereich'; + require_once 'wp-login.php'; + die(); + } + + if ( str_contains( $_SERVER['REQUEST_URI'], 'interner-bereich' ) !== false ) { + wp_redirect( '/wp-admin' ); + die(); + } + } public static function installSecurityPlugin(string $pluginSlug, string $downloadUrl) : bool { diff --git a/modules/security/includes/settings_reader.php b/modules/security/includes/settings_reader.php new file mode 100644 index 0000000..d11b85d --- /dev/null +++ b/modules/security/includes/settings_reader.php @@ -0,0 +1,79 @@ + +
+

+ +

+
+ +
+

+ +

+
+ +
+

+ +

+
+ +
+

+ +

+
+ +

+ +
+
+

+

+ +

+
+

+ diff --git a/modules/security/internal/index.php b/modules/security/internal/index.php index aeb4f8c..1712cae 100644 --- a/modules/security/internal/index.php +++ b/modules/security/internal/index.php @@ -1,6 +1,6 @@ '; -echo '

Erweiterte Sicherheitseinstellungen

'; +echo '

Erweiterte Sicherheitseinstellungen

'; if (isset($_POST['submit'])) { echo '
Die Einstellungen wurden gespeichert.
'; update_option('whl_page', $_POST['login_url']); @@ -9,13 +9,12 @@ if (isset($_POST['submit'])) {
-
- Wordpress-Login - - +
- - + -
Login-URL:
Login-URL:		 + /
-
- +

+ +
diff --git a/modules/security/internal/site-health-tab.php b/modules/security/internal/site-health-tab.php new file mode 100644 index 0000000..b7b3014 --- /dev/null +++ b/modules/security/internal/site-health-tab.php @@ -0,0 +1,118 @@ +

+ +
+ type="checkbox" id="sec_mod_1" name="security_settings[]" value="option_disable_xmlrpc" /> + +
+
+ type="checkbox" id="sec_mod_2" name="security_settings[]" value="option_block_authorscan" /> + +
+
+ type="checkbox" id="sec_mod_3" name="security_settings[]" value="option_block_execution_in_uploads" /> + +
+
+ type="checkbox" id="sec_mod_4" name="security_settings[]" value="option_prohibit_special_files" /> + +
+ +
+ type="checkbox" id="sec_mod_5" name="security_settings[]" value="option_file_editor" /> + +
+ +
+ type="checkbox" id="sec_mod_6" name="security_settings[]" value="option_disable_conatenation" /> + +
+ +
+ type="checkbox" id="sec_mod_7" name="security_settings[]" value="option_secure_include_dir" /> + +
+ +
+ type="checkbox" id="sec_mod_8" name="security_settings[]" value="option_prohibit_bot_access" /> + +
+ +
+ type="checkbox" id="sec_mod_9" name="security_settings[]" value="option_block_directory_listing" /> + +
+ +
+ type="checkbox" id="sec_mod_10" name="security_settings[]" value="option_disable_wp_debug" /> + +
+
+ type="checkbox" id="sec_mod_11" name="security_settings[]" value="option_rewrite_url" /> + +
+ + + +

+ + \ No newline at end of file diff --git a/modules/security/security.php b/modules/security/security.php index acfd2fe..e911026 100644 --- a/modules/security/security.php +++ b/modules/security/security.php @@ -1,21 +1,53 @@ '; + echo '
'; + echo ''; + require BDP_LV_PLUGIN_DIR . 'modules/security/internal/botlist-tab.php'; + echo '
'; + echo ''; + return; + } + + update_option('protect_wp_needs_attention', false); + if (isset($_POST['save_settings'])) { + $securitySettings = []; + if (isset($_POST['security_settings'])) { + $securitySettings = $_POST['security_settings']; + } + kompass_sec_save_settings($securitySettings); + } + if (isset($_GET['action']) && $_GET['action'] == 'updatesitekeys') { + kompass_sec_site_keys(); + } + + echo '
'; + echo '
'; + echo ''; + require BDP_LV_PLUGIN_DIR . 'modules/security/internal/site-health-tab.php'; + echo '
'; + echo '
'; + return; + } } add_action('site_health_tab_content', 'wp_example_site_health_tab_content');