Protect your WordPress admin area: hide the WP admin URL behind an Apache mod_rewrite alias and harden the login page. Note that this relocates the login URL and blocks a few request patterns via .htaccess; it does not rate-limit or lock out login attempts, so it reduces brute-force noise rather than preventing brute-force attacks. Put this file in the wp-content/mu-plugins directory; the rewrite rules require Apache with mod_rewrite.
<?php
/**
 * Protect Your WordPress Admin Area (must-use plugin)
 *
 * Hide your WP Admin URL: wp-admin and wp-login.php are reached through the
 * WP_ADMIN_DIR path via Apache mod_rewrite rules written to .htaccess, and
 * direct requests to the real paths are answered with a 404 unless the
 * visitor is logged in.
 * Secure your WordPress website by protecting the login page and reducing
 * brute-force noise: the login URL is relocated and some request patterns are
 * blocked, but nothing here rate-limits or locks out login attempts.
 */
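// Guard every define() so a value already set in wp-config.php wins instead of
// triggering a "Constant already defined" warning.
if ( ! defined( 'U_RESTRICT_USERS' ) ) {
    // When true, logged-in users without the administrator role are sent back
    // to the home page if they request the dashboard / login entry points.
    define( 'U_RESTRICT_USERS', true );
}
if ( ! defined( 'WP_ADMIN_DIR' ) ) {
    // Public path segment that replaces wp-admin / wp-login.php in every URL
    // WordPress generates (see U_MU_Protect_WP_Admin::site_url()).
    define( 'WP_ADMIN_DIR', 'dashboard' );
}
if ( ! defined( 'ADMIN_COOKIE_PATH' ) ) {
    // NOTE(review): SITECOOKIEPATH is set by wp_cookie_constants(), which
    // wp-settings.php appears to run only AFTER the mu-plugins have been
    // included, so referencing it bare here produced "undefined constant"
    // (a fatal Error on PHP 8) unless wp-config.php had defined it. Fall back
    // to the same derivation core uses — confirm against your WP version.
    $u_site_cookie_path = defined( 'SITECOOKIEPATH' )
        ? SITECOOKIEPATH
        : preg_replace( '|https?://[^/]+|i', '', get_option( 'siteurl' ) . '/' );
    // Scope the admin auth cookie to the relocated path so it is only sent to
    // /<core>/<WP_ADMIN_DIR>/... requests.
    define( 'ADMIN_COOKIE_PATH', $u_site_cookie_path . WP_ADMIN_DIR );
    unset( $u_site_cookie_path );
}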
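class U_MU_Protect_WP_Admin
{
    /**
     * Register every hook the plugin needs.
     *
     * The XML-RPC filter and the install-time permalink probe are registered
     * unconditionally. Everything else is skipped when the site has no pretty
     * permalinks, because the hidden admin path only exists as an Apache
     * mod_rewrite rule (see mod_rewrite_rules()); without it the relocated
     * URLs would 404 while the real wp-login.php stayed reachable.
     *
     * NOTE(review): nothing here registers a WordPress-side rewrite
     * (rewrite_rules_array), so on servers that never read .htaccess (nginx,
     * IIS) the relocation does not work at all, even with pretty permalinks.
     */
    public static function init()
    {
        // Per core's documentation the xmlrpc_enabled filter only switches off
        // the XML-RPC methods that take credentials (the system.multicall
        // credential-stuffing vector); the <Files xmlrpc.php> block emitted in
        // mod_rewrite_rules() covers the remaining methods on Apache.
        add_filter( 'xmlrpc_enabled', '__return_false' );
        add_action( 'wp_install', array( __CLASS__, 'maybe_enable_pretty_permalinks' ), 99 );

        if ( ! get_option( 'permalink_structure' ) ) {
            return;
        }

        add_action( 'wp_loaded', array( __CLASS__, 'wp_loaded' ), 99 );
        add_filter( 'mod_rewrite_rules', array( __CLASS__, 'mod_rewrite_rules' ), 50, 1 );

        // Login-page branding.
        add_filter( 'login_headerurl', array( __CLASS__, 'login_headerurl' ), 99, 1 );
        add_filter( 'login_headertext', array( __CLASS__, 'login_headertext' ), 99, 1 );
        add_action( 'login_head', array( __CLASS__, 'update_login_page_logo' ) );

        // Guard the real entry points, then rewrite every URL WordPress
        // generates so that it points at the relocated path instead.
        add_action( 'init', array( __CLASS__, 'admin_url_redirect_conditions' ) );
        add_filter( 'site_url', array( __CLASS__, 'site_url' ), 10, 3 );
        add_filter( 'login_url', array( __CLASS__, 'login_url' ), 10, 2 );
        add_filter( 'logout_url', array( __CLASS__, 'logout_url' ), 10, 2 );
        add_filter( 'register_url', array( __CLASS__, 'register_url' ), 10, 1 );
        add_filter( 'lostpassword_url', array( __CLASS__, 'lostpassword_url' ), 10, 2 );
        add_filter( 'logout_redirect', array( __CLASS__, 'logout_redirect' ), 10, 1 );
        add_filter( 'lostpassword_redirect', array( __CLASS__, 'logout_redirect' ), 10, 1 );
    }

    /**
     * Switch a freshly installed site to /%postname%/ permalinks when the
     * server can serve them.
     *
     * Sets the new structure, fetches the default "Hello world" post through
     * the front end and keeps the structure only when the response carries an
     * X-Pingback header equal to get_bloginfo('pingback_url'). If no such post
     * exists the probe URL is empty, the request cannot succeed and the
     * previous structure is restored — the conservative outcome.
     *
     * @return bool True when pretty permalinks were kept, false on rollback.
     */
    public static function maybe_enable_pretty_permalinks()
    {
        global $wp_rewrite;

        $previous_structure = get_option( 'permalink_structure' );
        $wp_rewrite->set_permalink_structure( '/%postname%/' );
        $wp_rewrite->flush_rules( true );

        $probe_url  = '';
        $first_post = get_page_by_path( sanitize_title( _x( 'hello-world', 'Default post slug' ) ), OBJECT, 'post' );
        if ( $first_post ) {
            $probe_url = get_permalink( $first_post->ID );
        }

        // GET rather than HEAD because some servers refuse HEAD requests.
        // The original hard-coded sslverify => false. This loopback request
        // only compares a public header with a public value, so a spoofed
        // answer can at worst flip the permalink choice; still, route the
        // decision through core's https_local_ssl_verify filter so a site can
        // turn verification on. Default stays false, as before.
        $response = wp_remote_get(
            $probe_url,
            array(
                'timeout'   => 5,
                'sslverify' => apply_filters( 'https_local_ssl_verify', false, $probe_url ),
            )
        );
        $pingback_header = wp_remote_retrieve_header( $response, 'x-pingback' );

        if ( $pingback_header && $pingback_header === get_bloginfo( 'pingback_url' ) ) {
            // Force the rules to be regenerated on the next request.
            update_option( 'rewrite_rules', false );
            return true;
        }

        // Pretty permalinks did not work; fall back to the previous structure.
        $wp_rewrite->set_permalink_structure( $previous_structure );
        $wp_rewrite->flush_rules( true );
        return false;
    }

    /**
     * Make sure .htaccess exists so the rules from mod_rewrite_rules() get
     * written.
     *
     * flush_rewrite_rules(true) is the hard flush: it regenerates the
     * rewrite_rules option and (re)writes .htaccess. The original ran it on
     * every request for as long as the file was missing, which on a read-only
     * docroot or a non-Apache host meant a DB write per page view with nothing
     * to show for it. The extra guards skip the flush whenever the file could
     * not be written anyway.
     */
    public static function wp_loaded()
    {
        // get_home_path() lives in file.php, got_mod_rewrite() in misc.php.
        require_once ABSPATH . 'wp-admin/includes/file.php';
        require_once ABSPATH . 'wp-admin/includes/misc.php';

        $home_path     = get_home_path();
        $htaccess_file = $home_path . '.htaccess';

        if ( file_exists( $htaccess_file ) ) {
            return;
        }
        if ( ! is_writable( $home_path ) || ! got_mod_rewrite() ) {
            return;
        }
        flush_rewrite_rules( true );
    }

    /**
     * Point the login-page logo link at the site's front page.
     *
     * On multisite the link WordPress chose is kept untouched.
     *
     * @param string $login_header_url Current link target.
     * @return string
     */
    public static function login_headerurl( $login_header_url )
    {
        return is_multisite() ? $login_header_url : get_home_url();
    }

    /**
     * Use the site name as the login-page logo title.
     *
     * On multisite the title WordPress chose is kept untouched.
     *
     * @param string $login_header_title Current title text.
     * @return string
     */
    public static function login_headertext( $login_header_title )
    {
        return is_multisite() ? $login_header_title : get_bloginfo( 'name' );
    }

    /**
     * Replace the WordPress logo on the login page with a coloured tile that
     * shows the first character of the site (or network) name.
     *
     * The original used $words[0][0], which (a) emitted a PHP warning for an
     * empty title, (b) produced a broken first byte for a multibyte initial
     * and (c) dropped the character into a CSS string literal unescaped. The
     * site title is admin-controlled but it is still stored data, so escape
     * the two characters that could terminate the CSS string.
     */
    public static function update_login_page_logo()
    {
        $title = is_multisite() ? get_network()->site_name : get_bloginfo( 'name' );

        $words      = preg_split( '/\s+/', trim( (string) $title ) );
        $first_word = ( is_array( $words ) && isset( $words[0] ) ) ? $words[0] : '';
        $initial    = function_exists( 'mb_substr' ) ? mb_substr( $first_word, 0, 1 ) : substr( $first_word, 0, 1 );
        $acronym    = addcslashes( (string) $initial, "\\\"\n\r" );

        echo '<style type="text/css"> /* Protect WP-Admin Style*/';
        echo '.login h1 a {
            background-image: none !important;
            background: #2196F3 !important;
            width: 10rem;
            height: 10rem;
            line-height: 10rem;
            font-size: 6.6rem;
            font-weight: 500;
            margin: 3.2rem auto;
            color: #FFFFFF;
            -webkit-border-radius: 2px;
            border-radius: 2px;
        }
        .login h1 a:focus,
        .login h1 a:hover{
            color: #FFFFFF !important;
        }
        .login h1 a:before{
            content: "' . $acronym . '";
            text-indent:0;
            display: block;
        }
        #login{
            padding: 1.2rem !important;
            width: 22.5rem;
            max-width: 22.5rem;
            background: #FFFFFF;
            text-align: center;
            box-shadow: 0 1px 3px rgba(0,0,0,0.13);
        }
        .login form{
            box-shadow: none;
        }
        body.login{
            padding-top: 80px !important;
            height: calc(100% - 80px);
            background-color: #343a40 !important;
        }
        ';
        echo '</style>';
    }

    /**
     * Prepend the relocation rules and append hardening rules to the block
     * WordPress writes to .htaccess.
     *
     * Rule order matters: the bare "/<core>/<WP_ADMIN_DIR>" rule comes first
     * because "(.+)" would otherwise swallow the trailing-slash form and send
     * it to wp-admin/ instead of wp-login.php. The original also appended
     * ?%{QUERY_STRING} *and* used [QSA], which duplicated every query
     * parameter; [QSA] alone is enough. The host used in the Referer rule is
     * now regex-escaped (an unescaped dot matches any byte).
     *
     * NOTE(review):
     *  - The method block rejects OPTIONS/PUT/DELETE/PATCH, which also kills
     *    CORS preflights and REST API clients that use those verbs.
     *  - The Referer rule bounces any POST to the login/comment/signup
     *    endpoints whose Referer does not mention this host. A bot can set
     *    any Referer it likes, and browsers sending Referrer-Policy:
     *    no-referrer will be bounced too, so treat it as noise reduction, not
     *    brute-force protection. Nothing here rate-limits logins.
     *  - "<Files *.txt>" also hides a physical robots.txt / ads.txt.
     *  - RewriteBase is hard-coded to "/"; adjust for a sub-directory install.
     *  - The original allow-listed the placeholder IP 123.123.123.123 for
     *    xmlrpc.php; define U_XMLRPC_ALLOW_FROM (space-separated IPs/CIDRs)
     *    in wp-config.php to allow specific clients, otherwise it is denied.
     *
     * @param string $rules Rules generated by WordPress.
     * @return string
     */
    public static function mod_rewrite_rules( $rules )
    {
        $core   = self::core_dir();
        $hidden = $core . '/' . WP_ADMIN_DIR;

        $relocate  = "<IfModule mod_rewrite.c>\n";
        $relocate .= "RewriteEngine On\n";
        $relocate .= "RewriteBase /\n";
        $relocate .= "RewriteRule ^{$hidden}/?$ /{$core}/wp-login.php [QSA,L]\n";
        $relocate .= "RewriteRule ^{$hidden}/register/?$ /{$core}/wp-login.php?action=register [QSA,L]\n";
        $relocate .= "RewriteRule ^{$hidden}/lostpassword/?$ /{$core}/wp-login.php?action=lostpassword [QSA,L]\n";
        $relocate .= "RewriteRule ^{$hidden}/(.+)$ /{$core}/wp-admin/$1 [QSA,L]\n";
        $relocate .= "</IfModule>\n\n";
        $rules = $relocate . $rules;

        // Escape the host for the PCRE Apache evaluates.
        $host_re = preg_quote( (string) wp_parse_url( site_url(), PHP_URL_HOST ) );

        $rules .= "\n# Block unnecessary request methods\n";
        $rules .= "<IfModule mod_rewrite.c>\n";
        $rules .= "RewriteEngine On\n";
        $rules .= "RewriteCond %{REQUEST_METHOD} ^(PATCH|CONNECT|DEBUG|DELETE|MOVE|PUT|TRACE|TRACK|OPTIONS) [NC]\n";
        $rules .= "RewriteRule .* - [F,L]\n";
        $rules .= "</IfModule>\n";

        $rules .= "\n# Stop spam attack logins and comments\n";
        $rules .= "<IfModule mod_rewrite.c>\n";
        $rules .= "RewriteEngine On\n";
        $rules .= "RewriteCond %{REQUEST_METHOD} POST\n";
        $rules .= "RewriteCond %{REQUEST_URI} .*/(wp-comments-post|wp-login|wp-signup)\\.php.*\n";
        $rules .= "RewriteCond %{HTTP_REFERER} !.*{$host_re}.* [OR]\n";
        $rules .= "RewriteCond %{HTTP_USER_AGENT} ^$\n";
        $rules .= "RewriteRule (.*) http://%{REMOTE_ADDR}/$1 [R=301,L]\n";
        $rules .= "</IfModule>\n";

        // Only characters that can appear in an IP / CIDR list reach .htaccess.
        $xmlrpc_allow = defined( 'U_XMLRPC_ALLOW_FROM' )
            ? preg_replace( '/[^0-9A-Fa-f.:\/ ]/', '', (string) U_XMLRPC_ALLOW_FROM )
            : '';

        $rules .= "\n# Block WordPress xmlrpc.php requests\n";
        $rules .= "<Files xmlrpc.php>\n";
        $rules .= self::access_denied_block( $xmlrpc_allow );
        $rules .= "</Files>\n";

        $rules .= "\n# Protect all text files\n";
        $rules .= "<Files *.txt>\n";
        $rules .= self::access_denied_block();
        $rules .= "</Files>\n";

        return $rules;
    }

    /**
     * Answer direct requests to the real wp-admin / wp-login.php paths.
     *
     * Anonymous visitors get a 404 (reset-password requests are handled as
     * described inline). When U_RESTRICT_USERS is on, logged-in users who are
     * not administrators are sent to the home page.
     *
     * Only the request PATH is compared, not scheme + host + path as before.
     * The original rebuilt an absolute URL from HTTPS/HTTP_HOST and compared
     * it with home_url(); behind a TLS-terminating proxy (HTTPS not "on") or
     * with a Host header that differs from home_url() the strings never
     * matched and the guard silently let the real wp-login.php through.
     * Repeated slashes are collapsed, the trailing slash is dropped and the
     * comparison is case-insensitive, so the six listed paths cover all the
     * twelve spellings the original enumerated and a few more.
     */
    public static function admin_url_redirect_conditions()
    {
        if ( empty( $_SERVER['REQUEST_URI'] ) ) {
            return;
        }

        $core  = self::core_dir();
        $paths = array(
            "/{$core}/wp-login.php",
            "/{$core}/wp-login",
            "/{$core}/wp-admin",
            '/wp-login.php',
            '/wp-login',
            '/wp-admin',
        );
        $blocked = array();
        foreach ( $paths as $relative ) {
            $blocked[] = self::normalize_path( wp_parse_url( home_url( $relative ), PHP_URL_PATH ) );
        }

        // Collapse "//" before parsing so "//wp-login.php" is not read as a host.
        $request_uri  = preg_replace( '#/+#', '/', (string) $_SERVER['REQUEST_URI'] );
        $request_path = self::normalize_path( wp_parse_url( $request_uri, PHP_URL_PATH ) );
        if ( ! in_array( $request_path, $blocked, true ) ) {
            return;
        }

        if ( ! is_user_logged_in() ) {
            $action = ( isset( $_GET['action'] ) && is_string( $_GET['action'] ) ) ? $_GET['action'] : '';
            $error  = ( isset( $_GET['error'] ) && is_string( $_GET['error'] ) ) ? $_GET['error'] : '';

            if ( 'rp' === $action || 'resetpass' === $action ) {
                // Fall through to the exit below as the original did, but
                // WITHOUT consulting username_exists(): the original redirected
                // unknown ?login= values to the home page and kept known ones
                // here, so the response code confirmed valid usernames to
                // anyone. Every reset request is now treated the same way.
            } elseif ( 'lostpassword' === $action && 'invalidkey' === $error ) {
                // The original passed add_query_arg() its arguments in the
                // wrong order (URL first), which produced a bogus parameter on
                // the current URI. Build the target properly and use a
                // temporary redirect — this is not a permanent move.
                wp_redirect( add_query_arg( 'error', 'invalidkey', wp_lostpassword_url() ), 302 );
            } else {
                self::handle_404();
            }
            // NOTE(review): this exit is unconditional in the original as
            // well, so the rp/resetpass branch answers with an empty 200.
            // Reset links generated by core go through the site_url filter
            // and therefore arrive on the relocated path, which returns early
            // above; these branches seem reachable only by direct hits on
            // wp-login.php and could be folded into handle_404() — kept to
            // preserve behaviour, confirm before changing.
            exit;
        }

        if ( defined( 'U_RESTRICT_USERS' ) && U_RESTRICT_USERS ) {
            $user        = wp_get_current_user();
            $allowed_ids = array(); // explicit per-user allow-list; empty, as in the original
            // Check every role, not just the first one as the original did.
            $is_admin = in_array( 'administrator', (array) $user->roles, true );
            if ( $is_admin || in_array( (int) $user->ID, $allowed_ids, true ) ) {
                return;
            }
            // NOTE(review): only the exact paths listed above are covered; the
            // relocated path (/<core>/<WP_ADMIN_DIR>/...) is never inspected
            // here, so this is a convenience redirect, not an authorization
            // boundary.
            wp_redirect( home_url( '/' ) );
            exit;
        }
    }

    /**
     * Rewrite wp-admin / wp-login.php to WP_ADMIN_DIR in site_url() output.
     *
     * Each pattern is replaced at most once. The original pattern
     * "(wp-login.php)" left the dot unescaped, so any "wp-loginXphp" also got
     * rewritten; it is escaped here.
     *
     * @param string      $url         Complete URL.
     * @param string      $path        Path relative to the site URL.
     * @param string|null $orig_scheme Requested scheme.
     * @return string
     */
    public static function site_url( $url, $path, $orig_scheme )
    {
        $patterns     = array( '#wp-admin#', '#wp-login\.php#' );
        $replacements = array( WP_ADMIN_DIR, WP_ADMIN_DIR );
        return preg_replace( $patterns, $replacements, $url, 1 );
    }

    /**
     * Rewrite the login URL to the relocated path.
     *
     * @param string $login_url Login URL.
     * @param string $redirect  Post-login redirect (unused).
     * @return string
     */
    public static function login_url( $login_url, $redirect )
    {
        return self::relocate_login( $login_url );
    }

    /**
     * Rewrite the logout URL to the relocated path.
     *
     * @param string $logout_url Logout URL.
     * @param string $redirect   Post-logout redirect (unused).
     * @return string
     */
    public static function logout_url( $logout_url, $redirect )
    {
        return self::relocate_login( $logout_url );
    }

    /**
     * Registration goes through /<core>/<WP_ADMIN_DIR>/register, which the
     * rewrite rules map back to wp-login.php?action=register.
     *
     * @param string $register_url Ignored.
     * @return string
     */
    public static function register_url( $register_url )
    {
        return admin_url( 'register' );
    }

    /**
     * Lost-password goes through /<core>/<WP_ADMIN_DIR>/lostpassword.
     *
     * The $redirect argument is dropped, as in the original — a redirect_to
     * parameter passed by callers does not survive this filter.
     *
     * @param string $lostpassword_url Ignored.
     * @param string $redirect         Ignored.
     * @return string
     */
    public static function lostpassword_url( $lostpassword_url, $redirect )
    {
        return admin_url( 'lostpassword' );
    }

    /**
     * Rewrite a post-logout / post-lost-password redirect target so it does
     * not point back at the real wp-login.php.
     *
     * @param string $redirect_to Redirect target.
     * @return string
     */
    public static function logout_redirect( $redirect_to )
    {
        return self::relocate_login( $redirect_to );
    }

    /**
     * Render the theme's 404 template for the current request and stop.
     */
    public static function handle_404()
    {
        global $wp_query;
        $wp_query->set_404();
        // wp_title is a filter; the original used add_action(), which is an
        // alias of add_filter() here.
        add_filter( 'wp_title', function () {
            return '404: Not Found';
        }, 9999 );
        status_header( 404 );
        nocache_headers();
        require get_404_template();
        exit;
    }

    /**
     * Directory (relative to the site root) that holds WordPress core.
     *
     * The original hard-coded 'core/' in both the rewrite rules and the URL
     * guard. Define U_CORE_DIR in wp-config.php to override; the default keeps
     * the original layout.
     *
     * @return string Without leading or trailing slashes.
     */
    private static function core_dir()
    {
        return trim( defined( 'U_CORE_DIR' ) ? (string) U_CORE_DIR : 'core', '/' );
    }

    /**
     * Canonical form of a URL path for comparison: single slashes, no
     * trailing slash, lower-case.
     *
     * @param string|null $path Path component (may be null from wp_parse_url()).
     * @return string
     */
    private static function normalize_path( $path )
    {
        $path = preg_replace( '#/+#', '/', (string) $path );
        return strtolower( rtrim( $path, '/' ) );
    }

    /**
     * Replace wp-login.php with WP_ADMIN_DIR in a URL (shared by the login,
     * logout and redirect filters).
     *
     * @param string $url URL to rewrite.
     * @return string
     */
    private static function relocate_login( $url )
    {
        return str_replace( 'wp-login.php', WP_ADMIN_DIR, $url );
    }

    /**
     * "Deny everyone except $allow_from" in both Apache 2.4 (mod_authz_core)
     * and 2.2 syntax. The original emitted only the 2.2 form, which is an
     * unknown directive — i.e. a 500 for the whole site — on Apache 2.4
     * without mod_access_compat.
     *
     * @param string $allow_from Space-separated IPs/CIDRs, or '' for none.
     * @return string
     */
    private static function access_denied_block( $allow_from = '' )
    {
        $out  = "<IfModule mod_authz_core.c>\n";
        $out .= "Require all denied\n";
        if ( '' !== $allow_from ) {
            $out .= "Require ip {$allow_from}\n";
        }
        $out .= "</IfModule>\n";
        $out .= "<IfModule !mod_authz_core.c>\n";
        $out .= "order deny,allow\n";
        $out .= "deny from all\n";
        if ( '' !== $allow_from ) {
            $out .= "allow from {$allow_from}\n";
        }
        $out .= "</IfModule>\n";
        return $out;
    }
}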
// Bootstrap as soon as WordPress includes this file (it is meant to live in
// wp-content/mu-plugins, so this runs ahead of regular plugins).
U_MU_Protect_WP_Admin::init();