jaip
Forum Replies Created
Forum: Hacks
In reply to: Message You suck! Go hack someone else.
The regexp https?\:\\\(www\.)?[^(wordpress)] is not working properly. Someone else might be able to write a regexp which excludes requests to w3.org, apache.org, codex.wordpress and wordpress, and maybe more, in the search for external http requests in plugins or themes.
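An added example, not part of the forum posts: `[^(wordpress)]` is a character class that excludes single characters rather than the word, so this sketch extracts each URL and compares its host against an allowlist instead. The function names, the file extensions scanned and the reading of "wordpress" as `wordpress.org` are assumptions.

```php
<?php
// Added example, not code from the forum posts. Expected hosts; 'wordpress.org'
// (which also covers codex.wordpress.org) is an assumed reading of the post.
const ALLOWED_HOSTS = ['wordpress.org', 'w3.org', 'apache.org'];

// True when $host is an allowed host or a subdomain of one.
function is_allowed_host(string $host, array $allowed = ALLOWED_HOSTS): bool {
    $host = strtolower(rtrim($host, '.'));
    foreach ($allowed as $ok) {
        if ($host === $ok || substr($host, -strlen($ok) - 1) === '.' . $ok) {
            return true;
        }
    }
    return false;
}

// Returns the distinct http(s) URLs in $text whose host is not allowed.
function external_urls(string $text): array {
    preg_match_all('~https?://[^\s"\'<>)\\\\]+~i', $text, $m);
    $hits = [];
    foreach ($m[0] as $url) {
        $host = parse_url($url, PHP_URL_HOST);
        if (is_string($host) && !is_allowed_host($host)) {
            $hits[] = $url;
        }
    }
    return array_values(array_unique($hits));
}

// Walks $dir recursively; maps each .php/.js file to its unexpected URLs.
function scan_for_external_urls(string $dir): array {
    $report = [];
    $files = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($files as $file) {
        if (!$file->isFile() || !preg_match('/\.(php|js)$/i', $file->getFilename())) {
            continue;
        }
        $urls = external_urls((string) file_get_contents($file->getPathname()));
        if ($urls) {
            $report[$file->getPathname()] = $urls;
        }
    }
    return $report;
}

// Constructed sample: two expected hosts and one look-alike host.
$sample = "wp_remote_get('https://api.wordpress.org/x'); // http://www.w3.org/TR\n"
    . "\$c = file_get_contents('http://wordpress.example.net/c.php');";
print_r(external_urls($sample));
```

Matching on the parsed host means a look-alike such as `wordpress.example.net` is still reported, which a substring test for "wordpress" would miss.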
Forum: Hacks
In reply to: Message You suck! Go hack someone else.
You should also search all tables in the database for a match. In phpMyAdmin it is easily done by selecting the database, clicking search, selecting all tables and entering the search word(s).
A pure SQL code doing the same can be seen here:
When still nothing is found it might be the result of a plugin doing an external http request. You can find http requests which are not to wordpress by using this search string https?\:\\\(www\.)?[^(wordpress)] in the above php directory search.
Forum: Hacks
In reply to: Message You suck! Go hack someone else.
Try this code and let your clients who get the message try it also.
<?php
// Recursively search every file under the WordPress directory for the message.
$dir = dirname(__FILE__) . '/wordpress';
dirToArray($dir);

function dirToArray($dir) {
    $result = array();
    $cdir = scandir($dir);
    foreach ($cdir as $key => $value) {
        if (!in_array($value, array(".", ".."))) {
            if (is_dir($dir . DIRECTORY_SEPARATOR . $value)) {
                $result[$value] = dirToArray($dir . DIRECTORY_SEPARATOR . $value);
            } else {
                $file_content = file_get_contents($dir . DIRECTORY_SEPARATOR . $value);
                // Print the path of each file that contains the search word
                if (preg_match('/suck/i', $file_content))
                    echo $dir . DIRECTORY_SEPARATOR . $value . '<br>';
            }
        }
    }
    return $result;
}
?>
Forum: Hacks
In reply to: Message You suck! Go hack someone else.
It should be possible to make a program which traverses all the files of your wordpress directory, gets the content of the file and looks for the unwanted message. If you class yourself as an advanced developer this is an easy thing to do. Maybe you can also find a usable code by googling a little. It is probably not in the core code but this one from edit-comments.php surprised me: wp_die(__('Cheatin’ uh?'));
Best regards
Forum: Fixing WordPress
In reply to: password protect images
The end is that checking for empty($post->password) does work for single pages but not for the child pages in, for instance, ft protect children pages, where the first topmost solution does work with child pages.
The plugin solution without checking for empty($post->password) does also work with child pages, but has a security breach if you do not disallow when the window has loaded.
Forum: Fixing WordPress
In reply to: password protect images
Forum: Fixing WordPress
In reply to: password protect images
In a plugin the code below seems to work and so avoids changing core code. In case the folder ‘secret’ does not exist, php does not create it, so there are a few microseconds of delay on unprotected pages and nothing else. So far as I can see from this angle it is a must to disallow ip on $(window).load, else any page call will allow the images to be seen (if you know or guess the url).
add_action('wp_head','jaip_protect_images');
function jaip_protect_images(){
    // No password prompt is pending: append the visitor's IP to the folder's allow list
    if(post_password_required()==false){
        $ok_ip=$_SERVER['REMOTE_ADDR'];
        $allow_ip=file_get_contents(WP_CONTENT_DIR.'/uploads/secret/.htaccess');
        $allow_ip.="\n".'allow from '.$ok_ip;
        file_put_contents(WP_CONTENT_DIR.'/uploads/secret/.htaccess',$allow_ip);
    }
}
Using this clause will avoid setting the ok_ip on unprotected pages as far as I can see
add_action('wp_head','jaip_protect_images');
function jaip_protect_images(){
    $post = get_post();
    // Only act on pages that have a password set and where it has been entered
    if(post_password_required()==false&&!empty($post->post_password)){
        $ok_ip=$_SERVER['REMOTE_ADDR'];
        $allow_ip=file_get_contents(WP_CONTENT_DIR.'/uploads/secret/.htaccess');
        $allow_ip.="\n".'allow from '.$ok_ip;
        file_put_contents(WP_CONTENT_DIR.'/uploads/secret/.htaccess',$allow_ip);
    }
}
Forum: Fixing WordPress
In reply to: password protect images
If it is possible to redefine this function in a child theme then this of course is the way. It is just not in the pluggable functions so I have not tried it yet but only developed the code and praxis which has the flaws of editing core code where you of course have to consider where the function might be used apart from the actual situation. In the concrete example nothing unforeseen happens unless you mess it all up and delete something you did not want to or something like that. I would expect some acknowledgement apart from the worries because it works and is easy and several requests for a solution have been made. It could easily be made a part of the core code where the path to the protected folder should be provided along with a password when creating protected pages – why not?
Forum: Plugins
In reply to: file_put_contents() during ajax call
The variable WP_CONTENT_DIR seems not to be defined in the file which answers the ajax call. This is the reason. How can I define it?