= PHP 4.1.0 foreach ($args[0] as $key => $value) { for ($i = 1; $i !== $array_count; $i++) { if (array_key_exists($key,$args[$i])) { unset($result[$key]); break; } } } } else { foreach ($args[0] as $key1 => $value1) { for ($i = 1; $i !== $array_count; $i++) { foreach ($args[$i] as $key2 => $value2) { if ((string) $key1 === (string) $key2) { unset($result[$key2]); break 2; } } } } } return $result; }
/* Compatibility shim: lets the rest of the file call array_diff_key() on PHP builds without it by delegating to the polyfill whose body starts before this chunk. */
function array_diff_key() { $args = func_get_args(); return call_user_func_array('php_compat_array_diff_key', $args); } } }
/* Refuse direct requests for this file. NOTE(review): basename(PHP_SELF) is derived from the request path and the '.' in the pattern is unescaped; confirm this is the guard intended. */
if(preg_match("#^wordpress-firewall.php#", basename($_SERVER['PHP_SELF']))) exit();
/* Option defaults. WordPress add_option() does not overwrite an existing option, so values saved from the settings page survive reloads. 'allow' switches a filter on; the http:// filter is 'disallow' (off) by default. */
add_option('WP_firewall_redirect_page', 'homepage');
add_option('WP_firewall_exclude_directory', 'allow');
add_option('WP_firewall_exclude_queries', 'allow');
add_option('WP_firewall_exclude_terms', 'allow');
add_option('WP_firewall_exclude_spaces', 'allow');
add_option('WP_firewall_exclude_file', 'allow');
add_option('WP_firewall_exclude_http', 'disallow');
/* NOTE(review): WP_firewall_email_enable is registered here but not read anywhere in this chunk. */
add_option('WP_firewall_email_enable','enable');
add_option('WP_firewall_email_address', get_option('admin_email'));
add_option('WP_firewall_whitelisted_ip', '');
add_option('WP_firewall_whitelisted_page', '');
add_option('WP_firewall_whitelisted_variable', '');
/* Base URL of the settings page; the alert e-mail appends its action parameters (turn_off_email, set_whitelist_variable) to it. */
add_option('WP_firewall_plugin_url', get_option('siteurl') .'/wp-admin/options-general.php?page=' . 
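basename(__FILE__));
/*
 * Built-in page/variable whitelist, stored serialized. A plain string entry is a
 * regex (anchored ^...$ where it is used) that exempts a whole request path from
 * scanning; an array entry pairs a path regex with parameter-name regexes that
 * are dropped from the scan on that path only. Some '.' characters are not
 * escaped (e.g. '.*wp-login.php'), so they match any character.
 */
add_option('default_WP_firewall_whitelisted_page', serialize(array(
    array('.*/wp-comments-post\.php', array('url', 'comment')),
    array('.*/wp-admin/.*', array('_wp_original_http_referer', '_wp_http_referer')),
    array('.*wp-login.php', array('redirect_to')),
    array('.*', array('comment_author_url_.*', '__utmz', )),
    '.*/wp-admin/options-general\.php',
    '.*/wp-admin/post-new\.php',
    '.*/wp-admin/page-new\.php',
    '.*/wp-admin/link-add\.php',
    '.*/wp-admin/post\.php',
    '.*/wp-admin/page\.php',
    '.*/wp-admin/admin-ajax.php')));
add_option('WP_firewall_previous_attack_var', '');
add_option('WP_firewall_previous_attack_ip', '');
add_option('WP_firewall_email_limit', 'off');

// The filters run on every request, as soon as this plugin file is loaded.
WP_firewall_check_exclusions();

/**
 * Match every non-whitelisted request parameter against $patterns and, on the
 * first hit from a non-whitelisted IP, report it and redirect away.
 *
 * WP_firewall_send_redirect() exits, so at most one report is sent per request.
 *
 * @param array  $parameters      flattened name => value map from WP_firewall_check_whitelisted_variable()
 * @param array  $patterns        PCRE patterns applied to each value
 * @param string $attack_type     slug passed on to WP_firewall_send_log_message()
 * @param string $attack_category human-readable attack name for the report
 */
function WP_firewall_scan_parameters($parameters, $patterns, $attack_type, $attack_category) {
    foreach ($patterns as $preg) {
        foreach ($parameters as $key => $value) {
            if (preg_match($preg, $value) && !WP_firewall_check_ip_whitelist()) {
                WP_firewall_send_log_message($key, $value, $attack_type, $attack_category);
                WP_firewall_send_redirect();
            }
        }
    }
}

/**
 * Run the enabled security filters against the current request.
 *
 * Each filter is switched on by its WP_firewall_exclude_* option being 'allow'.
 * Parameters come from WP_firewall_check_whitelisted_variable(), which has
 * already removed whitelisted ones; uploaded file names are read from $_FILES.
 * All filters, including the upload filter, honour the IP whitelist, as the
 * settings page states.
 */
function WP_firewall_check_exclusions() {
    $request_string = WP_firewall_check_whitelisted_variable();
    // Only boolean false means "this page is whitelisted". An empty array is a
    // request with no scannable parameters and must still reach the $_FILES
    // check; the original `== false` test also skipped the empty array, so a
    // file-only multipart POST was never scanned.
    if ($request_string === false) {
        return;
    }
    if (get_option('WP_firewall_exclude_directory') == 'allow') {
        WP_firewall_scan_parameters($request_string, array('#etc/passwd#', '#proc/self/environ#', '#\.\./#'), 'directory-traversal-attack', 'Directory Traversal');
    }
    if (get_option('WP_firewall_exclude_queries') == 'allow') {
        WP_firewall_scan_parameters($request_string, array('#concat\s*\(#i', '#group_concat#i', '#union.*select#i'), 'sql-injection-attack', 'SQL Injection');
    }
    if (get_option('WP_firewall_exclude_terms') == 'allow') {
        WP_firewall_scan_parameters($request_string, array('#wp_#i', '#user_login#i', '#user_pass#i', '#0x[0-9a-f][0-9a-f]#i', '#/\*\*/#'), 'wp-specific-sql-injection-attack', 'WordPress-Specific SQL Injection');
    }
    if (get_option('WP_firewall_exclude_spaces') == 'allow') {
        // The original loop tested a hard-coded '#\s{49,}#i' for every entry, so
        // the null-byte pattern was never applied; both patterns are used now.
        WP_firewall_scan_parameters($request_string, array('#\s{49,}#i', '#\x00#'), 'field-truncation-attack', 'Field Truncation');
    }
    if (get_option('WP_firewall_exclude_file') == 'allow') {
        $file_extensions = array('#\.dll$#i', '#\.rb$#i', '#\.py$#i', '#\.exe$#i', '#\.php[3-6]?$#i', '#\.pl$#i', '#\.perl$#i', '#\.ph[34]$#i', '#\.phl$#i', '#\.phtml$#i', '#\.phtm$#i');
        foreach ($_FILES as $file) {
            // 'name' is a string for a single field but a (possibly nested) array
            // for name="field[]" inputs; flatten so every uploaded name is checked
            // instead of handing an array to preg_match().
            if (is_array($file['name'])) {
                $flat = array();
                $names = WP_firewall_array_flatten($file['name'], $flat);
            } else {
                $names = array($file['name']);
            }
            foreach ($names as $name) {
                foreach ($file_extensions as $regex) {
                    if (preg_match($regex, $name) && !WP_firewall_check_ip_whitelist()) {
                        WP_firewall_send_log_message('$_FILE', $name, 'executable-file-upload-attack', 'Executable File Upload');
                        WP_firewall_send_redirect();
                    }
                }
            }
        }
    }
    if (get_option('WP_firewall_exclude_http') == 'allow') {
        WP_firewall_scan_parameters($request_string, array('#^http#i', '#\.shtml#i'), 'remote-file-execution-attack', 'Remote File Execution');
    }
}

/**
 * Stop the current request: redirect to /404/ under the site URL or to the
 * home page, depending on the WP_firewall_redirect_page option, then exit.
 */
function WP_firewall_send_redirect() {
    $home_url = get_option('siteurl');
    if (get_option('WP_firewall_redirect_page') == '404page') { // Not clear if just including the 404 template is safe.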
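header("Location: $home_url/404/");
        exit();
    } else {
        header("Location: $home_url");
        exit();
    }
}

/**
 * Remove from $parameters every key that matches $name_regex.
 *
 * Remaining keys are kept as they are (same effect as the per-key
 * array_diff_key() calls the original used).
 *
 * @param array  $parameters flattened name => value map
 * @param string $name_regex full PCRE pattern applied to each parameter name
 * @return array
 */
function WP_firewall_drop_matching_keys($parameters, $name_regex) {
    foreach (array_keys($parameters) as $var) {
        if (preg_match($name_regex, $var)) {
            unset($parameters[$var]);
        }
    }
    return $parameters;
}

/**
 * Return the flattened request parameters that still need scanning, or false
 * when the requested path is whitelisted as a whole.
 *
 * Two whitelists are applied, in order:
 *  1. the built-in list in the default_WP_firewall_whitelisted_page option,
 *     whose entries are regexes;
 *  2. the admin-entered page/variable pairs, where '*' is the only wildcard and
 *     everything else is matched literally (preg_quote).
 * A pair with an empty page applies its variable pattern to every path; a pair
 * with an empty variable whitelists the whole page.
 *
 * NOTE(review): the path is taken from the raw REQUEST_URI, so a whole-page
 * entry disables scanning for any request whose path matches its pattern.
 *
 * @return array|false name => value map (names in a[b][c] form), or false
 */
function WP_firewall_check_whitelisted_variable() {
    preg_match('#([^?]+)?.*$#', $_SERVER['REQUEST_URI'], $url);
    // Group 1 is optional, so it is absent when the URI starts with '?'.
    $page_name = isset($url[1]) ? $url[1] : '';
    $_a = array();
    $new_arr = WP_firewall_array_flatten($_REQUEST, $_a);

    $defaults = unserialize(get_option('default_WP_firewall_whitelisted_page'));
    if (is_array($defaults)) {
        foreach ($defaults as $whitelisted_page) {
            if (!is_array($whitelisted_page)) {
                if (preg_match('#^' . $whitelisted_page . '$#', $page_name)) {
                    return false;
                }
            } elseif (preg_match('#^' . $whitelisted_page[0] . '$#', $page_name)) {
                foreach ($whitelisted_page[1] as $whitelisted_variable) {
                    $new_arr = WP_firewall_drop_matching_keys($new_arr, '#^' . $whitelisted_variable . '$#');
                }
            }
        }
    }

    $pages = unserialize(get_option('WP_firewall_whitelisted_page'));
    $variables = unserialize(get_option('WP_firewall_whitelisted_variable'));
    // Both options default to '' (unserialize() then yields false) and the two
    // lists may differ in length; treat anything missing as an empty string.
    if (!is_array($pages)) {
        $pages = array();
    }
    if (!is_array($variables)) {
        $variables = array();
    }
    foreach ($pages as $count => $page) {
        $variable = isset($variables[$count]) ? $variables[$count] : '';
        // Escape everything, then turn the escaped '*' back into a wildcard.
        $page_regex = str_replace('\*', '.*', preg_quote($page, '#'));
        $var_regex = str_replace('\*', '.*', preg_quote($variable, '#'));
        if ($variable != '') {
            if ($page == '' || preg_match('#^' . $page_regex . '$#', $page_name)) {
                $new_arr = WP_firewall_drop_matching_keys($new_arr, '#^' . $var_regex . '$#');
            }
        } elseif ($page != '' && preg_match('#^' . $page_regex . '$#', $page_name)) {
            return false;
        }
    }
    return $new_arr;
}

/**
 * E-mail an attack report to the configured address (unless the address is
 * empty, or "suppress similar" is on and this IP/variable pair was the one
 * reported last), then remember the pair for the next suppression check.
 *
 * The mail is sent as text/html (see the headers further down), so every
 * request-derived value interpolated into it is entity-encoded first.
 *
 * @param string $bad_variable    flattened parameter name that matched
 * @param string $bad_value       the matching value
 * @param string $attack_type     slug appended to the documentation link
 * @param string $attack_category human-readable attack name
 */
function WP_firewall_send_log_message($bad_variable = '', $bad_value = '', $attack_type = '', $attack_category = '') {
    $bad_variable = htmlentities($bad_variable);
    $bad_value = htmlentities($bad_value);
    $offender_ip = $_SERVER['REMOTE_ADDR'];
    $limit_check = (get_option('WP_firewall_email_limit') == 'on'
        && $offender_ip == get_option('WP_firewall_previous_attack_ip')
        && $bad_variable == get_option('WP_firewall_previous_attack_var'));
    // The original wrote `$address = get_option(...) && !$limit_check`, which
    // assigns the boolean; the intent (send only when an address is set) is kept.
    $address = get_option('WP_firewall_email_address');
    if ($address && !$limit_check) {
        $suppress_message = (get_option('WP_firewall_email_limit') == 'on') ? 'Repeated warnings for similar attacks are currently sent via email, click here to suppress them.' : '';
        // Host and URI come straight from the request; encode them for the HTML body.
        $offending_url = htmlentities($_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
        $variable_explain_url = 'http://www.seoegghead.com/software/wordpress-firewall-security-filters.seo#' . $attack_type;
        $turn_off_email_url = get_option('WP_firewall_plugin_url') . '&turn_off_email=1';
        // NOTE(review): the name is entity-encoded but not URL-encoded here; names
        // containing '[', ']' or '&' yield a link the settings page cannot strip back out.
        $whitelist_varibale_url = get_option('WP_firewall_plugin_url') . '&set_whitelist_variable=' . $bad_variable;
        $message = <<<EndMessage
WordPress Firewall has detected and blocked a potential attack!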
Web Page:   $offending_url
Warning: URL may contain dangerous content!
Offending IP:   $offender_ip [ Get IP location ]
Offending Parameter:   $bad_variable = $bad_value

This may be a "$attack_category Attack."

Click here for more information on this type of attack.

If you suspect this may be a false alarm because of something you recently did, try to confirm by repeating those actions. If so, whitelist it via the "whitelist this variable" link below. This will prevent future false alarms.

Click here to whitelist this variable.
Click here to turn off these emails.
$suppress_message


Click here for plugin documentation.

Got Questions or Feedback? Click here.
By using this plugin you agree to this simple disclaimer.
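EndMessage;
        // CR/LF are stripped so a malformed option value cannot add extra mail
        // headers; the same address is both the recipient and the From: header.
        $address = str_replace(array("\r", "\n"), '', get_option('WP_firewall_email_address'));
        $subject = 'Alert from WordPress Firewall on ' . get_option('siteurl');
        $header = "Content-Type: text/html\r\n";
        $header .= "From: " . $address . "\r\n";
        mail($address, $subject, $message, $header);
    }
    update_option('WP_firewall_previous_attack_var', $bad_variable);
    update_option('WP_firewall_previous_attack_ip', $offender_ip);
}

/**
 * True when REMOTE_ADDR equals one of the whitelisted entries, either literally
 * or after resolving the entry as a host name.
 *
 * Only the connecting address is consulted (no proxy headers). Every non-IP
 * entry costs a DNS lookup on each request that reaches a filter match.
 *
 * @return bool
 */
function WP_firewall_check_ip_whitelist() {
    $current_ip = $_SERVER['REMOTE_ADDR'];
    $ips = unserialize(get_option('WP_firewall_whitelisted_ip'));
    if (!is_array($ips)) {
        return false;
    }
    foreach ($ips as $ip) {
        // Blank form fields are stored as well; skip them rather than resolving ''.
        if (!is_string($ip) || $ip === '') {
            continue;
        }
        // Strict comparison: '==' treats numeric-looking strings loosely.
        if ($current_ip === $ip || $current_ip === gethostbyname($ip)) {
            return true;
        }
    }
    return false;
}

/**
 * Flatten a nested array into a single-level map whose keys use PHP's form
 * notation: ['a' => ['b' => 1, 'c' => ['d' => 2]], 'x' => 'y'] becomes
 * ['a[b]' => 1, 'a[c][d]' => 2, 'x' => 'y'].
 *
 * @param array  $array     input (typically $_REQUEST)
 * @param array  $newArray  accumulator, filled in place and also returned
 * @param string $prefix    key prefix built up by the recursion
 * @param string $delimiter separator placed between nested keys
 * @param int    $level     recursion depth; 0 is the top level
 * @return array the accumulator
 */
function WP_firewall_array_flatten($array, &$newArray, $prefix = '', $delimiter = '][', $level = 0) {
    foreach ($array as $key => $child) {
        if (is_array($child)) {
            // Top-level keys open the bracket; deeper keys close and reopen it.
            $newPrefix = ($level == 0) ? $key . '[' : $prefix . $key . $delimiter;
            // Recurse into the shared accumulator; the original assigned the
            // return value by reference (`=&`), which only raised a notice.
            WP_firewall_array_flatten($child, $newArray, $newPrefix, $delimiter, $level + 1);
        } else {
            $post = $level ? ']' : '';
            $newArray[$prefix . $key . $post] = $child;
        }
    }
    return $newArray;
}

/**
 * Intended to move this plugin to the front of the active_plugins list so its
 * filters run before other plugins. The reordered list is computed but never
 * written back with update_option(), so the function currently has no effect;
 * it is left unchanged because persisting it would alter plugin load order.
 */
function WP_firewall_assert_first() {
    $active_plugs = get_option('active_plugins');
    $active_plugs = array_diff($active_plugs, array("wordpress-firewall.php"));
    array_unshift($active_plugs, "wordpress-firewall.php");
}

// Settings page under Settings; 10 is the legacy user level older WordPress
// versions accept in place of a capability.
add_action('admin_menu', 'WP_firewall_admin_menu');
function WP_firewall_admin_menu() {
    add_submenu_page('options-general.php', 'Firewall', 'Firewall', 10, __FILE__, 'WP_firewall_submenu');
}

/**
 * Render the settings page and apply whichever action is present in $_REQUEST
 * (set_exclusions, turn_off_email, set_whitelist_variable, set_email,
 * set_whitelist_ip, set_whitelist_page, suppress). The function continues past
 * this point with the remaining actions and the HTML template.
 *
 * NOTE(review): no nonce verification (check_admin_referer) or capability check
 * is visible anywhere in this function, and each action is read from $_REQUEST,
 * so the settings can be changed through a plain GET link; whitelist and e-mail
 * values are stored as submitted.
 */
function WP_firewall_submenu() {
    WP_firewall_assert_first();
    // Presumably used as the form action in the template below (markup not
    // visible here); REQUEST_URI is request-controlled.
    $action_url = $_SERVER['REQUEST_URI'];
    if (!empty($_REQUEST['set_exclusions'])) {
        update_option('WP_firewall_redirect_page', $_REQUEST['redirect_type']);
        update_option('WP_firewall_exclude_directory', $_REQUEST['block_directory']);
        update_option('WP_firewall_exclude_queries', $_REQUEST['block_queries']);
        update_option('WP_firewall_exclude_terms', $_REQUEST['block_terms']);
        update_option('WP_firewall_exclude_spaces', $_REQUEST['block_spaces']);
        update_option('WP_firewall_exclude_file', $_REQUEST['block_file']);
        update_option('WP_firewall_exclude_http', $_REQUEST['block_http']);
        echo '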

Security Filters and Redirect page updated.

'; } elseif($_REQUEST['turn_off_email']){ /* Reached from the "turn off these emails" link in the alert mail, i.e. a plain GET. */ update_option('WP_firewall_email_address', ''); $action_url = str_replace('&turn_off_email=1','', $_SERVER['REQUEST_URI']); echo '

Emails are now turned off.

'; } elseif($_REQUEST['set_whitelist_variable']){ echo '

Whitelisted ' . /* NOTE(review): request value echoed as-is; it is user-controlled and should pass through htmlspecialchars(). */ $_REQUEST['set_whitelist_variable'] .'

'; /* Appends an entry with an empty page, which WP_firewall_check_whitelisted_variable() treats as "ignore this variable on every path"; the two lists are parallel by index. */ $pages = unserialize( get_option('WP_firewall_whitelisted_page')); $variables = unserialize( get_option('WP_firewall_whitelisted_variable')); $pages[] = ''; $variables[] = $_REQUEST['set_whitelist_variable']; update_option('WP_firewall_whitelisted_page', serialize($pages)); update_option('WP_firewall_whitelisted_variable', serialize($variables)); $action_url = str_replace(('&set_whitelist_variable=' . $_REQUEST['set_whitelist_variable']),'',$_SERVER['REQUEST_URI']); echo '

Whitelisted Variable set.

'; } elseif($_REQUEST['set_email']){ /* NOTE(review): the address is stored without validation and is later used as the From: mail header in WP_firewall_send_log_message(). */ update_option('WP_firewall_email_address', $_REQUEST['email_address']); update_option('WP_firewall_email_limit', $_REQUEST['email_limit']); echo '

Email updated.

'; } elseif($_REQUEST['set_whitelist_ip']){ /* Stored exactly as submitted: a serialized array of the form fields, blank ones included. */ update_option('WP_firewall_whitelisted_ip', serialize($_REQUEST['whitelisted_ip'])); echo '

Whitelisted IP set.

'; } elseif($_REQUEST['set_whitelist_page']){ /* Page and variable lists are saved as two parallel arrays and matched by index when read back. */ update_option('WP_firewall_whitelisted_page', serialize($_REQUEST['whitelist_page'])); update_option('WP_firewall_whitelisted_variable', serialize($_REQUEST['whitelist_variable'])); echo '

Whitelisted Page set.

'; } elseif($_REQUEST['suppress'] === '0'){ /* Only the literal string '0' turns the limit off; it is switched on through the set_email form above. */ update_option('WP_firewall_email_limit', 'off'); echo '

Email limit set.

'; $action_url = str_replace('&suppress=0','', $_SERVER['REQUEST_URI']); } /* Settings page template follows; PHP resumes inside it to print the whitelist rows. */ ?>

Firewall Options:

Apply Security Filters:

> Block directory traversals (../, ../../etc/passwd, etc.) in application parameters.
> Block SQL queries (union select, concat(, /**/, etc.) in application parameters.
> Block WordPress specific terms (wp_, user_login, etc.) in application parameters.
> Block field truncation attacks in application parameters.
> Block executable file uploads (.php, .exe, etc.)
> Block leading http:// and https:// in application parameters (off by default; may cause problems with many plugins).

Upon Detecting Attack:

Show 404 Error Page: >
Redirect To Homepage: >
Note: All filters are subject to "Whitelisted IPs" and "Whitelisted Pages" below.

Email:

Enter an email address for attack reports:


Note: Leave this setting blank to disable emails.

Suppress similar attack warning emails: > On > Off

Whitelisted IPs:

Enter IP(s) that are whitelisted — and not subject to security rules.



'; } else{ /* NOTE(review): the option defaults to '' and unserialize('') returns false, which array_unique() does not accept; presumably the if() branch above (not visible here) covers the empty case — confirm. */ $ips = array_unique(unserialize(get_option('WP_firewall_whitelisted_ip'))); foreach($ips as $ip){ if($ip != ''){ echo '
'; } } echo '
'; } ?> Note: Set field(s) to blank to disable IP whitelist. Your current IP is: .

Whitelisted Pages:

Enter page and/or form variables that are whitelisted — and not subject to security rules:

'; } else{ /* NOTE(review): $variables[$count] is read without isset() although the two lists can differ in length; a row is printed only when either field is non-empty (row markup not visible here). */ $pages = unserialize( get_option('WP_firewall_whitelisted_page')); $variables = unserialize( get_option('WP_firewall_whitelisted_variable')); $count = 0; while($count < sizeof($pages)){ if($pages[$count] != '' || $variables[$count] != ''){ echo ''; } $count++; } echo '
'; } ?>
Page:Form Variable:
Note: Set field(s) to blank to disable page whitelist.
Note: Use *'s for wildcard characters.

'; } function WP_firewall_show_plugin_link(){ ?>

Click here for plugin documentation.

Got Questions or Feedback? Click here.
By using this plugin you agree to this simple disclaimer.