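<?php
/**
 * Settings Model
 * Handles the plugin settings actions and database
 *
 * @file    The Settings Model file
 * @package HMWP/SettingsModel
 * @since   4.0.0
 */
defined( 'ABSPATH' ) || die( 'Cheatin\' uh?' );

/**
 * Saves the plugin options and validates the custom path names before they
 * reach the database and the rewrite rules.
 */
class HMWP_Models_Settings {

    /**
     * Option keys whose values are path names and therefore need validation.
     * Filterable through 'hmwp_validate_keys'; rebuilt on every call to initValidationFields().
     *
     * @var array $validate_keys
     */
    private $validate_keys;

    /**
     * Names that collide with WordPress core files/directories and must be rejected.
     * Filterable through 'hmwp_invalid_names'; rebuilt on every call to initValidationFields().
     *
     * @var array $invalid_names
     */
    private $invalid_names;

    /**
     * Initialize the validation keys and the reserved names.
     *
     * Both lists are passed through their filters each time, so callers that scope
     * a filter to one save routine must remove it again afterwards.
     *
     * @return void
     */
    public function initValidationFields() {
        $this->validate_keys = apply_filters(
            'hmwp_validate_keys',
            array(
                'hmwp_admin_url',
                'hmwp_login_url',
                'hmwp_activate_url',
                'hmwp_lostpassword_url',
                'hmwp_register_url',
                'hmwp_logout_url',
                'hmwp_plugin_url',
                'hmwp_themes_url',
                'hmwp_upload_url',
                'hmwp_admin-ajax_url',
                'hmwp_wp-content_url',
                'hmwp_wp-includes_url',
                'hmwp_author_url',
                'hmwp_wp-comments-post',
                'hmwp_themes_style',
                'hmwp_wp-json',
            )
        );

        $this->invalid_names = apply_filters(
            'hmwp_invalid_names',
            array(
                'index.php',
                'readme.html',
                'sitemap.xml',
                '.htaccess',
                'license.txt',
                'wp-blog-header.php',
                'wp-config.php',
                'wp-config-sample.php',
                'wp-cron.php',
                'wp-mail.php',
                'wp-load.php',
                'wp-links-opml.php',
                'wp-settings.php',
                'wp-signup.php',
                'wp-trackback.php',
                'xmlrpc.php',
                'content',
                'includes',
                'css',
                'js',
                'font',
            )
        );
    }

    /**
     * Save the permalink settings in the database and, when something changed, rewrite the rules.
     *
     * The request is rejected when the admin and login paths are identical (and not empty).
     * In 'default' mode the built-in defaults are stored instead of the submitted values.
     *
     * @param array $params Submitted option values, indexed by option key.
     *
     * @return void
     * @throws Exception
     */
    public function savePermalinks( $params ) {
        HMWP_Classes_Tools::saveOptions( 'error', false );
        HMWP_Classes_Tools::saveOptions( 'changes', false );

        // Missing keys count as empty instead of raising an undefined index notice.
        $adminUrl = $params['hmwp_admin_url'] ?? '';
        $loginUrl = $params['hmwp_login_url'] ?? '';

        if ( $adminUrl !== '' && $adminUrl === $loginUrl ) {
            HMWP_Classes_Tools::saveOptions( 'error', true );
            HMWP_Classes_Tools::saveOptions( 'test_frontend', false );
            HMWP_Classes_Error::setNotification( esc_html__( "You can't set both ADMIN and LOGIN with the same name. Please use different names", 'hide-my-wp' ) );

            return;
        }

        // Keep the e-mail preference: $params may be replaced by the defaults below.
        if ( isset( $params['hmwp_send_email'] ) ) {
            HMWP_Classes_Tools::$default['hmwp_send_email'] = $params['hmwp_send_email'];
        }

        // Default mode ignores the submitted paths and stores the built-in defaults.
        if ( ( $params['hmwp_mode'] ?? '' ) === 'default' ) {
            $params = HMWP_Classes_Tools::$default;
        }

        $this->saveValues( $params, true );

        // saveValues() only writes keys present in the request; these options may legitimately
        // be submitted empty, so they are always written back (blank or value).
        foreach ( array( 'hmwp_lostpassword_url', 'hmwp_register_url', 'hmwp_logout_url' ) as $key ) {
            HMWP_Classes_Tools::saveOptions( $key, HMWP_Classes_Tools::getValue( $key, '' ) );
        }

        // The theme style name has to look like a static .css file.
        $stylename = HMWP_Classes_Tools::getValue( 'hmwp_themes_style' );
        if ( $stylename && strpos( $stylename, '.css' ) === false ) {
            HMWP_Classes_Tools::saveOptions( 'hmwp_themes_style', $stylename . '.css' );
        }

        // Generate unique names for plugins/themes when hiding them is enabled.
        if ( HMWP_Classes_Tools::getOption( 'hmwp_hide_plugins' ) ) {
            HMWP_Classes_ObjController::getClass( 'HMWP_Models_Rewrite' )->hidePluginNames();
        }
        if ( HMWP_Classes_Tools::getOption( 'hmwp_hide_themes' ) ) {
            HMWP_Classes_ObjController::getClass( 'HMWP_Models_Rewrite' )->hideThemeNames();
        }

        // The per-type "hide old paths" switches are reset when the master switch is off.
        if ( ! HMWP_Classes_Tools::getOption( 'hmwp_hide_oldpaths' ) ) {
            HMWP_Classes_Tools::saveOptions( 'hmwp_hide_oldpaths_plugins', 0 );
            HMWP_Classes_Tools::saveOptions( 'hmwp_hide_oldpaths_themes', 0 );
        }

        // Nothing changed: the existing rules stay valid.
        if ( ! $this->checkOptionsChange() ) {
            return;
        }

        $this->saveRules();
    }

    /**
     * Check if the current options differ from the last saved safe options.
     *
     * @return bool True when at least one option differs from its backup value.
     */
    public function checkOptionsChange() {
        $lastsafeoptions = HMWP_Classes_Tools::getOptions( true );

        foreach ( $lastsafeoptions as $index => $value ) {
            // Loose comparison kept from the original: stored option values may come back
            // with a different scalar type ('1' vs 1) — confirm before tightening to !==.
            if ( HMWP_Classes_Tools::getOption( $index ) != $value ) {
                return true;
            }
        }

        return false;
    }

    /**
     * Check if one of the main paths changed and flag a logout when it did.
     *
     * The 'logout' flag is consumed by applyPermalinksChanged().
     *
     * @return void
     */
    public function checkMainPathsChange() {
        $lastsafeoptions = HMWP_Classes_Tools::getOptions( true );
        if ( empty( $lastsafeoptions ) ) {
            return;
        }

        // A change to any of these paths requires a logout.
        $mainPaths = array(
            'hmwp_admin_url',
            'hmwp_login_url',
            'hmwp_admin-ajax_url',
            'hmwp_wp-json',
            'hmwp_upload_url',
            'hmwp_wp-content_url',
        );

        foreach ( $mainPaths as $key ) {
            $previous = $lastsafeoptions[ $key ] ?? null;

            // Loose comparison kept from the original (see checkOptionsChange()).
            if ( $previous != HMWP_Classes_Tools::getOption( $key ) ) {
                HMWP_Classes_Tools::saveOptions( 'logout', true );

                return;
            }
        }
    }

    /**
     * Save the submitted option values in the database.
     *
     * Only keys known in HMWP_Classes_Tools::$options and present in the request are saved;
     * list-type options (whitelists/banlists, geoblock URLs) are skipped because they are
     * handled by their own save routines. Empty values fall back to the default/initial value.
     *
     * @param array $params   Submitted option values, indexed by option key.
     * @param bool  $validate When true and the mode is not 'default', path names must pass
     *                        checkValidName() and checkValidPath() before being saved, and
     *                        weak names raise a notification.
     *
     * @return void
     */
    public function saveValues( $params, $validate = false ) {
        $skipKeys = array(
            'whitelist_ip',
            'whitelist_urls',
            'banlist_ip',
            'banlist_hostname',
            'banlist_user_agent',
            'banlist_referrer',
            'hmwp_geoblock_urls',
        );

        // Validation only applies to custom paths; default mode stores the defaults as-is.
        $mustValidate = $validate && isset( $params['hmwp_mode'] ) && $params['hmwp_mode'] !== 'default';

        foreach ( $params as $key => $value ) {
            if ( ! array_key_exists( $key, HMWP_Classes_Tools::$options ) ) {
                continue;
            }

            // These keys are handled later by their own save routines.
            if ( in_array( $key, $skipKeys, true ) ) {
                continue;
            }

            // Only keys present in the request are written.
            if ( ! HMWP_Classes_Tools::getIsset( $key ) ) {
                continue;
            }

            // Read the sanitized request value rather than the raw $params entry.
            $value = HMWP_Classes_Tools::getValue( $key );

            // Fall back to the default/initial value to prevent empty paths and errors.
            // Loose comparison kept from the original — confirm before tightening to ===.
            if ( $value == '' ) {
                if ( isset( HMWP_Classes_Tools::$default[ $key ] ) ) {
                    $value = HMWP_Classes_Tools::$default[ $key ];
                } elseif ( isset( HMWP_Classes_Tools::$init[ $key ] ) ) {
                    $value = HMWP_Classes_Tools::$init[ $key ];
                }
            }

            if ( ! $mustValidate ) {
                HMWP_Classes_Tools::saveOptions( $key, $value );
                continue;
            }

            // Invalid names are not saved; checkValidName()/checkValidPath() raise the notification.
            if ( $this->checkValidName( $key, $value ) && $this->checkValidPath( $key, $value ) ) {
                // Weak names are still saved, but the user is warned.
                $this->checkWeakName( $value );
                HMWP_Classes_Tools::saveOptions( $key, $value );
            }
        }
    }

    /**
     * Save the security rules in the server config file.
     *
     * In 'default' mode the HMWP_VULNERABILITY block is cleared. Rules are only injected for
     * Nginx and Apache (IIS is skipped). When the config file is not writable, a notification
     * with the rules to add manually is shown.
     *
     * @return void
     * @throws Exception
     */
    public function saveRules() {
        $rulesModel = HMWP_Classes_ObjController::getClass( 'HMWP_Models_Rules' );

        // Default mode: remove the rules block entirely.
        if ( HMWP_Classes_Tools::getOption( 'hmwp_mode' ) === 'default' ) {
            $rulesModel->writeToFile( '', 'HMWP_VULNERABILITY' );

            return;
        }

        // For Nginx and Apache the rules can be inserted separately.
        if ( HMWP_Classes_Tools::isIIS() ) {
            return;
        }

        $rules = $rulesModel->getInjectionRewrite();
        if ( strlen( $rules ) <= 1 ) {
            return;
        }

        if ( $rulesModel->writeToFile( $rules, 'HMWP_VULNERABILITY' ) ) {
            return;
        }

        // Not writable: show the rules so they can be copied into the config file by hand.
        // NOTE(review): as shown here str_replace() swaps a space for a space (a no-op); the
        // intended replacement may have been a non-breaking space — confirm against the repo.
        $config_file = $rulesModel->getConfFile();
        HMWP_Classes_Error::setNotification(
            sprintf(
                esc_html__( 'Config file is not writable. Create the file if not exists or copy to %s file with the following lines: %s', 'hide-my-wp' ),
                '<strong>' . $config_file . '</strong>',
                '<br /><br /><pre><strong># BEGIN HMWP_VULNERABILITY<br />' . htmlentities( str_replace( ' ', ' ', $rules ) ) . '# END HMWP_VULNERABILITY</strong></pre>'
            )
        );
    }

    /**
     * Save the Text mapping.
     *
     * Both lists are reduced to a safe character set, checked against the reserved names,
     * de-duplicated and stored as JSON in the 'hmwp_text_mapping' option. The validation
     * filters installed here are removed before returning so that later validations in the
     * same request use the full key/name lists again.
     *
     * @param array $hmwp_text_mapping_from Texts to replace, indexed in parallel with $hmwp_text_mapping_to.
     * @param array $hmwp_text_mapping_to   Replacement texts.
     *
     * @return void
     * @throws Exception
     */
    public function saveTextMapping( $hmwp_text_mapping_from, $hmwp_text_mapping_to ) {
        $hmwp_text_mapping = array();

        // checkValidName() reads its lists through these filters; scoped to this method.
        $validateKeysFilter = function ( $keys ) {
            return array( 'hmwp_text_mapping' );
        };
        $invalidNamesFilter = function ( $invalid_paths ) {
            return array(
                'wp-post-image',
                'wp-content',
                'wp-includes',
                'wp-admin',
                'wp-login.php',
                'uploads',
            );
        };
        add_filter( 'hmwp_validate_keys', $validateKeysFilter );
        add_filter( 'hmwp_invalid_names', $invalidNamesFilter );

        foreach ( $hmwp_text_mapping_from as $index => $from ) {
            if ( $from == '' || ( $hmwp_text_mapping_to[ $index ] ?? '' ) == '' ) {
                continue;
            }

            // Strip everything outside the allowed character set.
            $fromText = preg_replace( '/[^A-Za-z0-9-_.+*#:~{}\!\s\/]/', '', $from );
            $toText   = preg_replace( '/[^A-Za-z0-9-_.+*#:~{}\!\s\/]/', '', $hmwp_text_mapping_to[ $index ] );

            // Reserved names are rejected (checkValidName() raises the notification).
            if ( ! $this->checkValidName( 'hmwp_text_mapping', $fromText ) || ! $this->checkValidName( 'hmwp_text_mapping', $toText ) ) {
                continue;
            }

            if ( isset( $hmwp_text_mapping['from'] ) && in_array( $fromText, (array) $hmwp_text_mapping['from'], true ) ) {
                HMWP_Classes_Error::setNotification( esc_html__( 'Error: You entered the same text twice in the Text Mapping. We removed the duplicates to prevent any redirect errors.', 'hide-my-wp' ) );
                continue;
            }

            // 'wp-post-image' is not mapped while WooCommerce is active (original note mentions the Woodmart theme).
            if ( HMWP_Classes_Tools::isPluginActive( 'woocommerce/woocommerce.php' ) && $fromText === 'wp-post-image' ) {
                continue;
            }

            // Warn about global class names unless dynamic files or a mapping file are in use.
            if ( ! HMW_DYNAMIC_FILES && ! HMWP_Classes_Tools::getOption( 'hmwp_mapping_file' ) ) {
                if ( in_array( $fromText, array( 'elementor', 'wp-block', 'woocommerce', 'bricks' ), true ) ) {
                    HMWP_Classes_Error::setNotification(
                        sprintf(
                            esc_html__( 'Global class name detected: %s. Read this article first: %s', 'hide-my-wp' ),
                            '<strong>' . esc_html( $fromText ) . '</strong>',
                            '<a href="' . esc_url( HMWP_Classes_Tools::getOption( 'hmwp_plugin_website' ) . '/kb/hiding-plugins-like-woocommerce-and-elementor/' ) . '" target="_blank">Hiding plugins like WooCommerce and Elementor</a>'
                        )
                    );
                }
            }

            // Identical from/to pairs are a no-op and are not stored.
            if ( $fromText != $toText ) {
                $hmwp_text_mapping['from'][] = $fromText;
                $hmwp_text_mapping['to'][]   = $toText;
            }
        }

        remove_filter( 'hmwp_validate_keys', $validateKeysFilter );
        remove_filter( 'hmwp_invalid_names', $invalidNamesFilter );

        // Let other plugins alter the mapping before it is stored.
        $hmwp_text_mapping = apply_filters( 'hmwp_text_mapping_before_save', $hmwp_text_mapping );

        HMWP_Classes_Tools::saveOptions( 'hmwp_text_mapping', json_encode( $hmwp_text_mapping ) );
    }

    /**
     * Save the URL mapping.
     *
     * Both lists are reduced to a safe character set, checked against the reserved paths,
     * de-duplicated and stored as JSON in the 'hmwp_url_mapping' option; the rewrite rules
     * are then refreshed. The validation filters installed here are removed before returning.
     *
     * @param array $hmwp_url_mapping_from URLs to replace, indexed in parallel with $hmwp_url_mapping_to.
     * @param array $hmwp_url_mapping_to   Replacement URLs.
     *
     * @return void
     * @throws Exception
     */
    public function saveURLMapping( $hmwp_url_mapping_from, $hmwp_url_mapping_to ) {
        $hmwp_url_mapping = array();

        // checkValidName() reads its lists through these filters; scoped to this method.
        $validateKeysFilter = function ( $keys ) {
            return array( 'hmwp_url_mapping' );
        };
        $invalidNamesFilter = function ( $invalid_paths ) {
            return array(
                'wp-content',
                '/wp-content',
                site_url( 'wp-content' ),
                site_url( 'wp-content', 'relative' ),
                'wp-includes',
                '/wp-includes',
                site_url( 'wp-includes' ),
                site_url( 'wp-includes', 'relative' ),
                'wp-admin',
                '/wp-admin',
                site_url( 'wp-admin' ),
                site_url( 'wp-admin', 'relative' ),
                'wp-login.php',
                '/wp-login.php',
                home_url( 'wp-login.php' ),
                home_url( 'wp-login.php', 'relative' ),
                'uploads',
                'wp-content/uploads',
                '/wp-content/uploads',
                'plugins',
                'wp-content/plugins',
                '/wp-content/plugins',
                'themes',
                'wp-content/themes',
                '/wp-content/themes',
            );
        };
        add_filter( 'hmwp_validate_keys', $validateKeysFilter );
        add_filter( 'hmwp_invalid_names', $invalidNamesFilter );

        foreach ( $hmwp_url_mapping_from as $index => $from ) {
            if ( $from == '' || ( $hmwp_url_mapping_to[ $index ] ?? '' ) == '' ) {
                continue;
            }

            // Strip everything outside the allowed character set.
            $fromUrl = preg_replace( '/[^A-Za-z0-9-_;:=%.#\/\?]/', '', $from );
            $toUrl   = preg_replace( '/[^A-Za-z0-9-_;:%=.#\/\?]/', '', $hmwp_url_mapping_to[ $index ] );

            // Reserved paths are rejected (checkValidName() raises the notification).
            if ( ! $this->checkValidName( 'hmwp_url_mapping', $fromUrl ) || ! $this->checkValidName( 'hmwp_url_mapping', $toUrl ) ) {
                continue;
            }

            // A source or a target seen before would produce conflicting redirects.
            $isDuplicate = isset( $hmwp_url_mapping['from'] )
                && ( in_array( $fromUrl, (array) $hmwp_url_mapping['from'], true ) || in_array( $toUrl, (array) $hmwp_url_mapping['to'], true ) );

            if ( $isDuplicate ) {
                HMWP_Classes_Error::setNotification( esc_html__( 'Error: You entered the same URL twice in the URL Mapping. We removed the duplicates to prevent any redirect errors.', 'hide-my-wp' ) );
                continue;
            }

            // Identical from/to pairs are a no-op and are not stored.
            if ( $fromUrl != $toUrl ) {
                $hmwp_url_mapping['from'][] = $fromUrl;
                $hmwp_url_mapping['to'][]   = $toUrl;
            }
        }

        remove_filter( 'hmwp_validate_keys', $validateKeysFilter );
        remove_filter( 'hmwp_invalid_names', $invalidNamesFilter );

        // Let other plugins alter the mapping before it is stored.
        $hmwp_url_mapping = apply_filters( 'hmwp_url_mapping_before_save', $hmwp_url_mapping );

        HMWP_Classes_Tools::saveOptions( 'hmwp_url_mapping', json_encode( $hmwp_url_mapping ) );

        if ( ! empty( $hmwp_url_mapping ) ) {
            // Refresh the rewrites; on failure the rules are shown to be added manually.
            if ( ! HMWP_Classes_ObjController::getClass( 'HMWP_Models_Rewrite' )->clearRedirect()->setRewriteRules()->flushRewrites() ) {
                HMWP_Classes_Tools::saveOptions( 'test_frontend', false );
                HMWP_Classes_Tools::saveOptions( 'file_mappings', array() );
                HMWP_Classes_Tools::saveOptions( 'error', true );
            }
        }
    }

    /**
     * Check that a name does not collide with a WordPress core name.
     *
     * Arrays are validated element by element. Only keys listed in $validate_keys are
     * checked; any other key passes. A rejected name raises a notification.
     *
     * @param string       $key  DB Option name
     * @param string|array $name Option value
     *
     * @return bool True when the name is allowed.
     */
    public function checkValidName( $key, $name ) {
        if ( is_array( $name ) ) {
            foreach ( $name as $current ) {
                if ( ! $this->checkValidName( $key, $current ) ) {
                    return false;
                }
            }

            return true;
        }

        // The lists are filterable, so rebuild them on every call.
        $this->initValidationFields();

        if ( ! in_array( $key, $this->validate_keys, true ) ) {
            return true;
        }

        // 'themes' is reserved unless it is the themes path itself, 'uploads' unless it is the
        // upload path, 'assets' may not be used for the themes path; the rest are core names.
        $isInvalid = ( $key !== 'hmwp_themes_url' && $name === 'themes' )
            || ( $key === 'hmwp_themes_url' && $name === 'assets' )
            || ( $key !== 'hmwp_upload_url' && $name === 'uploads' )
            || in_array( $name, $this->invalid_names, true );

        if ( ! $isInvalid ) {
            return true;
        }

        // $name comes from the request and the notification is rendered as HTML: escape it.
        HMWP_Classes_Error::setNotification(
            sprintf(
                esc_html__( "Invalid name detected: %s. You need to use another name to avoid WordPress errors.", 'hide-my-wp' ),
                '<strong>' . esc_html( $name ) . '</strong>'
            )
        );

        return false;
    }

    /**
     * Check if the path is valid.
     *
     * Rejects 2-character names, double slashes, leading or trailing slashes and path
     * segments ending in a dot. Only keys listed in $validate_keys are checked.
     *
     * @param string       $key  DB Option name
     * @param string|array $name Option value
     *
     * @return bool True when the path is allowed.
     */
    public function checkValidPath( $key, $name ) {
        // Mirror checkValidName(): validate array values element by element.
        if ( is_array( $name ) ) {
            foreach ( $name as $current ) {
                if ( ! $this->checkValidPath( $key, $current ) ) {
                    return false;
                }
            }

            return true;
        }

        $this->initValidationFields();

        if ( ! in_array( $key, $this->validate_keys, true ) ) {
            return true;
        }

        // NOTE(review): only 2-character names are rejected here while the message asks for
        // more than 4 chars — confirm the intended minimum before changing either side.
        if ( strlen( $name ) > 1 && strlen( $name ) < 3 ) {
            return $this->rejectPath( $name, esc_html__( "Short name detected: %s. You need to use unique paths with more than 4 chars to avoid WordPress errors.", 'hide-my-wp' ) );
        }

        if ( strpos( $name, '//' ) !== false ) {
            return $this->rejectPath( $name, esc_html__( "Invalid name detected: %s. Add only the final path name to avoid WordPress errors.", 'hide-my-wp' ) );
        }

        if ( strpos( $name, '/' ) === 0 ) {
            return $this->rejectPath( $name, esc_html__( "Invalid name detected: %s. The name can't start with / to avoid WordPress errors.", 'hide-my-wp' ) );
        }

        if ( substr( $name, - 1 ) === '/' ) {
            return $this->rejectPath( $name, esc_html__( "Invalid name detected: %s. The name can't end with / to avoid WordPress errors.", 'hide-my-wp' ) );
        }

        foreach ( explode( '/', $name ) as $segment ) {
            if ( substr( $segment, - 1 ) === '.' ) {
                return $this->rejectPath( $name, esc_html__( "Invalid name detected: %s. The paths can't end with . to avoid WordPress errors.", 'hide-my-wp' ) );
            }
        }

        return true;
    }

    /**
     * Raise the notification for a rejected path and return false.
     *
     * @param string $name    The rejected value (escaped before being placed in the HTML).
     * @param string $message Translated message with a single %s placeholder for the name.
     *
     * @return false
     */
    private function rejectPath( $name, $message ) {
        HMWP_Classes_Error::setNotification( sprintf( $message, '<strong>' . esc_html( $name ) . '</strong>' ) );

        return false;
    }

    /**
     * Warn when the name is weak for security (well-known guesses).
     *
     * The name is still accepted; only a notification is raised.
     *
     * @param string $name
     *
     * @return void
     */
    public function checkWeakName( $name ) {
        $weakPaths = array(
            'login',
            'mylogin',
            'wp-login',
            'admin',
            'wp-mail.php',
            'wp-settings.php',
            'wp-signup.php',
            'wp-trackback.php',
            'xmlrpc.php',
            'wp-include',
        );

        if ( in_array( $name, $weakPaths, true ) ) {
            HMWP_Classes_Error::setNotification(
                sprintf(
                    esc_html__( "Weak name detected: %s. You need to use another name to increase your website security.", 'hide-my-wp' ),
                    '<strong>' . esc_html( $name ) . '</strong>'
                )
            );
        }
    }

    /**
     * Apply the permalink changes.
     *
     * Deletes the restore transient and bails out with false while an error is flagged.
     * Without changes (and without $force) nothing is done and true is returned. Otherwise
     * the security check is re-armed, caches and WordPress rewrites are flushed, the rules
     * are written (or shown for manual insertion when the config file is not writable or the
     * host is WP Engine), the backup options are refreshed and, when a main path changed, the
     * notification e-mail is sent and the cookies are set for the new path before redirecting.
     *
     * @param bool $force If true, the changes are applied even when no option changed.
     *
     * @return bool True when the changes were applied (or nothing had to be done); false on error.
     *
     * @throws Exception
     */
    public function applyPermalinksChanged( $force = false ) {
        delete_transient( 'hmwp_restore' );

        // A previous step flagged an error: do not touch the rules.
        if ( HMWP_Classes_Tools::getOption( 'error' ) ) {
            return false;
        }

        // No change on settings: nothing to apply.
        if ( ! $force && ! $this->checkOptionsChange() ) {
            return true;
        }

        // Force the recheck security notification.
        delete_option( HMWP_SECURITY_CHECK_TIME );

        // Clear the cache and remove the redirects, then flush the WordPress rewrites.
        HMWP_Classes_Tools::emptyCache();
        HMWP_Classes_Tools::flushWPRewrites();

        $rewrite = HMWP_Classes_ObjController::getClass( 'HMWP_Models_Rewrite' );

        if ( ! HMWP_Classes_ObjController::getClass( 'HMWP_Models_Rules' )->isConfigWritable() || HMWP_Classes_Tools::isWpengine() ) {
            // Config file not writable (or WP Engine): show the rules to be added manually.
            if ( ! $rewrite->clearRedirect()->setRewriteRules()->flushRewrites() ) {
                HMWP_Classes_Tools::saveOptions( 'test_frontend', false );
                HMWP_Classes_Tools::saveOptions( 'error', true );
            }
        } else {
            $rewrite->flushChanges();
        }

        if ( HMWP_Classes_Error::isError() ) {
            return false;
        }

        // Flags 'logout' when one of the main paths changed.
        $this->checkMainPathsChange();

        if ( HMWP_Classes_Tools::getOption( 'hmwp_mode' ) === 'default' ) {
            // Save the working options into backup.
            HMWP_Classes_Tools::saveOptionsBackup();
        }

        if ( HMWP_Classes_Tools::getOption( 'logout' ) ) {
            // Notify about the changed path, then set the cookies for the new path.
            $rewrite->sendEmail();

            $cookies = HMWP_Classes_ObjController::newInstance( 'HMWP_Models_Cookies' );

            if ( HMWP_Classes_Tools::isNginx() || HMWP_Classes_Tools::isCloudPanel() || $cookies->setCookiesCurrentPath() ) {
                HMWP_Classes_Tools::saveOptions( 'logout', false );

                // Activate the frontend test.
                HMWP_Classes_Tools::saveOptions( 'test_frontend', true );

                remove_all_filters( 'wp_redirect' );
                remove_all_filters( 'admin_url' );

                // NOTE(review): on Nginx/CloudPanel this action also fires a second time below
                // (kept from the original) — confirm whether listeners must be idempotent.
                do_action( 'hmwp_apply_permalink_changes' );

                if ( ! HMWP_Classes_Tools::isNginx() && ! HMWP_Classes_Tools::isCloudPanel() ) {
                    wp_redirect( HMWP_Classes_Tools::getSettingsUrl( HMWP_Classes_Tools::getValue( 'page' ) ) );
                    exit();
                }
            }
        }

        // Trigger action after applying the permalink changes.
        do_action( 'hmwp_apply_permalink_changes' );

        return true;
    }
}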