Phase 6: AIOS security plugin with conservative login lockdown config (10 attempts)

2025-11-28 17:19:54 -06:00
parent 78a744ef06
commit abbd3502e8
430 changed files with 137111 additions and 7 deletions
@@ -0,0 +1,31 @@
+<?php if (!defined('ABSPATH')) die('Access denied.'); ?>
+<div class="postbox aio_hidden" data-template="advanced-character-filter">
+		<h3 class="hndle"><label for="title"><?php esc_html_e('Advanced character string filter', 'all-in-one-wp-security-and-firewall'); ?></label></h3>
+		<div class="inside">
+		<div id="firewall-advanced-character-string-filter-badge">
+			<?php
+			//Display security info badge
+			$aiowps_feature_mgr->output_feature_details_badge("firewall-advanced-character-string-filter");
+			?>
+		</div>
+		<table class="form-table">
+			<tr valign="top">
+				<th scope="row"><?php esc_html_e('Enable advanced character string filter', 'all-in-one-wp-security-and-firewall'); ?>:</th>
+				<td>
+					<div class="aiowps_switch_container">
+						<?php AIOWPSecurity_Utility_UI::setting_checkbox(__('This will block character sequences which resemble XSS attacks.', 'all-in-one-wp-security-and-firewall'), 'aiowps_advanced_char_string_filter', $aiowps_advanced_char_string_filter); ?>
+						<span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php esc_html_e('More info', 'all-in-one-wp-security-and-firewall'); ?></span></span>
+						<div class="aiowps_more_info_body">
+							<p class="description">
+								<?php
+								esc_html_e('This is an advanced character string filter to prevent malicious string attacks on your site coming from Cross Site Scripting (XSS).', 'all-in-one-wp-security-and-firewall');
+								echo '<br />' . esc_html__('This setting matches for common malicious string patterns and exploits and will produce a 403 error for the hacker attempting the query.', 'all-in-one-wp-security-and-firewall');
+								echo '<br />' . esc_html__('NOTE: Some strings for this setting might break some functionality.', 'all-in-one-wp-security-and-firewall');
+								?>
+							</p>
+						</div>
+					</div>
+				</td>
+			</tr>
+		</table>
+		</div></div>
@@ -0,0 +1,70 @@
+<?php if (!defined('ABSPATH')) die('Access denied.'); ?>
+<h3><?php esc_html_e('Block request methods', 'all-in-one-wp-security-and-firewall'); ?></h3>
+<span data-tooltip="<?php echo esc_attr__('HTTP request methods are used by browsers and clients to communicate with servers to get responses.', 'all-in-one-wp-security-and-firewall') . ' ' . esc_attr__('The below request methods are not necessary for every site to function and you may disable all HTTP request methods that are not essential for your site to function.', 'all-in-one-wp-security-and-firewall'); ?>">
+	<span class="dashicons dashicons-editor-help"></span>
+</span>
+<div class="options">
+	<table class="form-table">
+		<?php foreach ($block_request_methods as $block_request_method) {?>
+			<tr>
+				<?php /* translators: %s: Block method */ ?>
+				<th><?php printf(esc_html__('Block %s method', 'all-in-one-wp-security-and-firewall'), esc_html(strtoupper($block_request_method)));?>:</th>
+				<td>
+					<div class="aiowps_switch_container">
+						<?php /* translators: %s: Block request method */ ?>
+						<?php AIOWPSecurity_Utility_UI::setting_checkbox(sprintf(__('Check this to block the %s request method', 'all-in-one-wp-security-and-firewall'), strtoupper($block_request_method)), "aiowps_block_request_method_{$block_request_method}", in_array(strtoupper($block_request_method), $methods)); ?>
+						<?php if ('put' == $block_request_method) {?>
+						<span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php esc_html_e('More info', 'all-in-one-wp-security-and-firewall'); ?></span></span>
+						<div class="aiowps_more_info_body">
+							<?php
+								echo '<p class="description">' . esc_html__('Some WooCommerce extensions use the PUT request method in addition to GET and POST.', 'all-in-one-wp-security-and-firewall') . ' ' . esc_html__("This means WooCommerce users shouldn't block the PUT request method.", 'all-in-one-wp-security-and-firewall') . '</p>';
+								echo '<p class="description">' . esc_html__('A few REST requests use the PUT request method.', 'all-in-one-wp-security-and-firewall') . ' ' . esc_html__('If your site is communicated by the WP REST API, you should not block the PUT request method.', 'all-in-one-wp-security-and-firewall') . '</p>';
+							?>
+						</div>
+					</div>
+						<?php } ?>
+				</td>
+			</tr>
+		<?php } ?>
+	</table>
+</div>
+<h3><?php esc_html_e('Other settings', 'all-in-one-wp-security-and-firewall'); ?></h3>
+<span data-tooltip="<?php esc_attr_e('The 6G firewall provides other settings for blocking malicious query strings, request strings, referers and user-agents; you can configure their settings below.', 'all-in-one-wp-security-and-firewall'); ?>">
+	<span class="dashicons dashicons-editor-help"></span>
+</span>
+<div class="options">
+	<table class="form-table">
+		<tr>
+			<th><?php esc_html_e('Block query strings', 'all-in-one-wp-security-and-firewall');?>:</th>
+			<td>
+				<div class="aiowps_switch_container">
+					<?php AIOWPSecurity_Utility_UI::setting_checkbox(esc_html__('Enable this to block all query strings recommended by 6G', 'all-in-one-wp-security-and-firewall'), 'aiowps_block_query', $blocked_query); ?>
+				</div>
+			</td>
+		</tr>
+		<tr>
+			<th><?php esc_html_e('Block request strings', 'all-in-one-wp-security-and-firewall');?>:</th>
+			<td>
+				<div class="aiowps_switch_container">
+					<?php AIOWPSecurity_Utility_UI::setting_checkbox(esc_html__('Enable this to block all request strings recommended by 6G', 'all-in-one-wp-security-and-firewall'), 'aiowps_block_request', $blocked_request); ?>
+				</div>
+			</td>
+		</tr>
+		<tr>
+			<th><?php esc_html_e('Block referers', 'all-in-one-wp-security-and-firewall');?>:</th>
+			<td>
+				<div class="aiowps_switch_container">
+					<?php AIOWPSecurity_Utility_UI::setting_checkbox(esc_html__('Enable this to block all referers recommended by 6G', 'all-in-one-wp-security-and-firewall'), 'aiowps_block_refs', $blocked_referrers); ?>
+				</div>
+			</td>
+		</tr>
+		<tr>
+			<th><?php esc_html_e('Block user-agents', 'all-in-one-wp-security-and-firewall');?>:</th>
+			<td>
+				<div class="aiowps_switch_container">
+					<?php AIOWPSecurity_Utility_UI::setting_checkbox(esc_html__('Enable this to block all user-agents recommended by 6G', 'all-in-one-wp-security-and-firewall'), 'aiowps_block_agents', $blocked_agents); ?>
+				</div>
+			</td>
+		</tr>
+	</table>
+</div>
@@ -0,0 +1,19 @@
+<div class="postbox">
+	<h3 class="hndle"><label for="title"><?php esc_html_e('Allow list', 'all-in-one-wp-security-and-firewall'); ?></label></h3>
+	<div class="inside">
+		<div class="aio_blue_box">
+			<p>
+				<?php esc_html_e('This option allows you to add IP addresses to your allow list.', 'all-in-one-wp-security-and-firewall'); ?><br>
+				<?php esc_html_e('All IPs in your allow list will no longer be affected by the firewall\'s rules.', 'all-in-one-wp-security-and-firewall'); ?><br>
+			</p>
+		</div>
+			<form action="" method='post' id="aios-firewall-allowlist-form">
+			<table class="form-table">
+				<tr valign="top">
+					<?php AIOWPSecurity_Utility_UI::ip_input_textarea(__('Enter IP addresses:', 'all-in-one-wp-security-and-firewall'), 'aios_firewall_allowlist', $allowlist,  __('Enter one or more IP addresses or IP ranges.', 'all-in-one-wp-security-and-firewall')); ?>
+				</tr>
+			</table>
+			<?php submit_button(esc_html__('Save allow list', 'all-in-one-wp-security-and-firewall'), 'primary', 'aiowps_save_firewall_allowlist');?>
+		</form>
+	</div>			
+</div>
@@ -0,0 +1,30 @@
+<?php if (!defined('ABSPATH')) die('Access denied.'); ?>
+<div class="postbox aio_hidden" data-template="bad-query-strings">
+		<h3 class="hndle"><label for="title"><?php esc_html_e('Bad query strings', 'all-in-one-wp-security-and-firewall'); ?></label></h3>
+		<div class="inside">
+			<div id="firewall-deny-bad-queries-badge">
+				<?php
+				//Display security info badge
+				$aiowps_feature_mgr->output_feature_details_badge("firewall-deny-bad-queries");
+				?>
+			</div>
+		<table class="form-table">
+			<tr valign="top">
+				<th scope="row"><?php esc_html_e('Deny bad query strings', 'all-in-one-wp-security-and-firewall'); ?>:</th>
+				<td>
+					<div class="aiowps_switch_container">
+						<?php AIOWPSecurity_Utility_UI::setting_checkbox(esc_html__('This will help protect you against malicious queries via XSS.', 'all-in-one-wp-security-and-firewall'), 'aiowps_deny_bad_query_strings', $aiowps_deny_bad_query_strings); ?>
+						<span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php esc_html_e('More info', 'all-in-one-wp-security-and-firewall'); ?></span></span>
+						<div class="aiowps_more_info_body">
+							<p class="description">
+								<?php
+								esc_html_e('This feature will prevent malicious string attacks on your site using XSS.', 'all-in-one-wp-security-and-firewall');
+								echo '<br />'.esc_html__('NOTE: Some of these strings might be used for plugins or themes and hence this might break some functionality.', 'all-in-one-wp-security-and-firewall');
+								?>
+							</p>
+						</div>
+					</div>
+				</td>
+			</tr>
+		</table>
+		</div></div>
@@ -0,0 +1,42 @@
+<?php if (!defined('ABSPATH')) die('Access denied.'); ?>
+<div class="postbox aio_hidden" data-template="basic-firewall-settings">
+		<h3 class="hndle"><label for="title"><?php esc_html_e('Basic firewall settings', 'all-in-one-wp-security-and-firewall'); ?></label></h3>
+		<div class="inside">
+			<div id="firewall-basic-rules-badge">
+				<?php
+				//Display security info badge
+				$aiowps_feature_mgr->output_feature_details_badge("firewall-basic-rules");
+				?>
+			</div>
+		<table class="form-table">
+			<tr valign="top">
+				<th scope="row"><?php esc_html_e('Enable basic firewall protection', 'all-in-one-wp-security-and-firewall'); ?>:</th>
+				<td>
+					<div class="aiowps_switch_container">
+						<?php AIOWPSecurity_Utility_UI::setting_checkbox(esc_html__('Enable this to apply basic firewall protection to your site.', 'all-in-one-wp-security-and-firewall'), 'aiowps_enable_basic_firewall', '1' == $aiowps_enable_basic_firewall); ?>
+						<span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php esc_html_e('More info', 'all-in-one-wp-security-and-firewall'); ?></span></span>
+						<div class="aiowps_more_info_body">
+								<?php
+								echo '<p class="description">'.esc_html__('This setting will implement the following basic firewall protection mechanisms on your site:', 'all-in-one-wp-security-and-firewall').'</p>';
+								echo '<p class="description">'.esc_html__('1) Protect your htaccess file by denying access to it.', 'all-in-one-wp-security-and-firewall').'</p>';
+								echo '<p class="description">'.esc_html__('2) Disable the server signature.', 'all-in-one-wp-security-and-firewall').'</p>';
+								/* translators: %s: Upload limit. */
+								echo '<p class="description">'.sprintf(esc_html__('3) Limit file upload size (%sMB).', 'all-in-one-wp-security-and-firewall'), esc_html(AIOS_FIREWALL_MAX_FILE_UPLOAD_LIMIT_MB)).'</p>';
+								echo '<p class="description">'.esc_html__('4) Protect your wp-config.php file by denying access to it.', 'all-in-one-wp-security-and-firewall').'</p>';
+								echo '<p class="description">'.esc_html__('The above firewall features will be applied via your .htaccess file and should not affect your site\'s overall functionality.', 'all-in-one-wp-security-and-firewall').'</p>';
+								echo '<p class="description">'.esc_html__('You are still advised to take a backup of your active .htaccess file just in case.', 'all-in-one-wp-security-and-firewall').'</p>';
+								?>
+						</div>
+					</div>
+				</td>
+			</tr>
+			<tr valign="top">
+				<th scope="row"><label for="aiowps_max_file_upload_size"><?php esc_html_e('Max file upload size (MB)', 'all-in-one-wp-security-and-firewall'); ?>:</label></th>
+				<td><input id="aiowps_max_file_upload_size" type="number" min="0" step="1" name="aiowps_max_file_upload_size" value="<?php echo esc_html($aiowps_max_file_upload_size); ?>" />
+				<?php /* translators: %s: Upload limit. */ ?>
+				<span class="description"><?php echo sprintf(esc_html__('The value for the maximum file upload size used in the .htaccess file. (Defaults to %sMB if left blank)', 'all-in-one-wp-security-and-firewall'), esc_html(AIOS_FIREWALL_MAX_FILE_UPLOAD_LIMIT_MB)); ?></span>
+				</td>
+			</tr>
+
+		</table>
+		</div></div>
@@ -0,0 +1,27 @@
+<?php if (!defined('ABSPATH')) die('Access denied.'); ?>
+
+<table class="form-table">
+		<tr valign="top">
+			<div id="firewall-ban-post-blank-headers-badge">
+				<?php
+				// Display security info badge
+				$aiowps_feature_mgr->output_feature_details_badge("firewall-ban-post-blank-headers");
+				?>
+			</div>
+		</tr>
+		<tr valign="top">
+		<th scope="row"><?php esc_html_e('Ban POST requests that have a blank user-agent and referer', 'all-in-one-wp-security-and-firewall'); ?>:</th>
+		<td>
+			<div class="aiowps_switch_container">
+				<?php AIOWPSecurity_Utility_UI::setting_checkbox(esc_html__('Enable this if you want to ban POST requests that have a blank user-agent and referer.', 'all-in-one-wp-security-and-firewall'), 'aiowps_ban_post_blank_headers', $aiowps_ban_post_blank_headers); ?>
+				<span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php esc_html_e('More info', 'all-in-one-wp-security-and-firewall'); ?></span></span>
+				<div class="aiowps_more_info_body">
+						<?php
+						echo '<p class="description">'.esc_html__('This feature will check whether the user-agent and referer HTTP headers are blank.', 'all-in-one-wp-security-and-firewall').'</p>';
+						echo '<p class="description">'.esc_html__('If they are both blank, the IP address associated with the request will be added to your permanent block list.', 'all-in-one-wp-security-and-firewall').'</p>';
+						?>
+				</div>
+			</div>
+		</td>
+	</tr>
+	</table>
@@ -0,0 +1,30 @@
+<?php if (!defined('ABSPATH')) die('Access denied.'); ?>
+<div class="postbox aio_hidden" data-template="block-debug-log">
+		<h3 class="hndle"><label for="title"><?php esc_html_e('Block access to debug log file', 'all-in-one-wp-security-and-firewall'); ?></label></h3>
+		<div class="inside">
+			<div id="firewall-block-debug-file-access-badge">
+			<?php
+			//Display security info badge
+			global $aiowps_feature_mgr;
+			$aiowps_feature_mgr->output_feature_details_badge("firewall-block-debug-file-access");
+			?>
+			</div>
+		<table class="form-table">
+			<tr valign="top">
+				<th scope="row"><?php esc_html_e('Block access to debug.log file', 'all-in-one-wp-security-and-firewall'); ?>:</th>
+				<td>
+					<div class="aiowps_switch_container">
+						<?php AIOWPSecurity_Utility_UI::setting_checkbox(__('Enable this if you want to block access to the debug.log file that WordPress creates when debug logging is enabled.', 'all-in-one-wp-security-and-firewall'), 'aiowps_block_debug_log_file_access', '1' == $aiowps_block_debug_log_file_access); ?>
+						<span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php esc_html_e('More info', 'all-in-one-wp-security-and-firewall'); ?></span></span>
+						<div class="aiowps_more_info_body">
+							<?php
+							echo '<p class="description">' . esc_html__('WordPress has an option to turn on the debug logging to a file located in wp-content/debug.log.', 'all-in-one-wp-security-and-firewall') . ' ' . esc_html__('This file may contain sensitive information.', 'all-in-one-wp-security-and-firewall').'</p>';
+							echo '<p class="description">' . esc_html__('Using this option will block external access to this file.', 'all-in-one-wp-security-and-firewall') . ' ' . esc_html__('You can still access this file by logging into your site via FTP.', 'all-in-one-wp-security-and-firewall').'</p>';
+							?>
+						</div>
+					</div>
+				</td>
+			</tr>
+		</table>
+		</div></div>
+		
@@ -0,0 +1,30 @@
+<?php if (!defined('ABSPATH')) die('Access denied.'); ?>
+<div class="postbox aio_hidden" data-template="disable-rss-atom">
+			<h3 class="hndle"><?php esc_html_e('Disable WordPress RSS and ATOM feeds', 'all-in-one-wp-security-and-firewall'); ?></h3>
+			<div class="inside">
+				<div id="firewall-disable-rss-and-atom-badge">
+					<?php
+					//Display security info badge
+					$aiowps_feature_mgr->output_feature_details_badge("firewall-disable-rss-and-atom");
+					?>
+				</div>
+				<table class="form-table">
+					<tr valign="top">
+						<th scope="row"><?php esc_html_e('Disable RSS and ATOM feeds:', 'all-in-one-wp-security-and-firewall'); ?></th>
+						<td>
+							<div class="aiowps_switch_container">
+								<?php AIOWPSecurity_Utility_UI::setting_checkbox(__('Enable this if you do not want users using feeds.', 'all-in-one-wp-security-and-firewall') . ' ' .__('RSS and ATOM feeds are used to read content from your site.', 'all-in-one-wp-security-and-firewall'), 'aiowps_disable_rss_and_atom_feeds', '1' == $aiowps_disable_rss_and_atom_feeds); ?>
+								<span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php esc_html_e('More info', 'all-in-one-wp-security-and-firewall'); ?></span></span>
+								<div class="aiowps_more_info_body">
+									<?php
+									echo '<p class="description">' . esc_html__('Most users will want to share their site content widely, but some may prefer to prevent automated site scraping.', 'all-in-one-wp-security-and-firewall').'</p>';
+									/* translators: %s: FAQ URL. */
+									echo '<p class="description">' . sprintf(esc_html__('For more information, check the %s', 'all-in-one-wp-security-and-firewall'), '<a target="_blank" href="https://teamupdraft.com/documentation/all-in-one-security/?utm_source=aios-plugin&utm_medium=referral&utm_campaign=paac&utm_content=php-rules-faq&utm_creative_format=text">' . esc_html__('documentation', 'all-in-one-wp-security-and-firewall').'</a>').'</p>';
+									?>
+								</div>
+							</div>
+						</td>
+					</tr>
+				</table>
+			</div>
+		</div>
@@ -0,0 +1,34 @@
+<?php if (!defined('ABSPATH')) die('Access denied.'); ?>
+<div class="postbox">
+		<h3 class="hndle"><label for="title"><?php esc_html_e('Trace and track', 'all-in-one-wp-security-and-firewall'); ?></label></h3>
+		<div class="inside">
+			<div id="firewall-disable-trace-track-badge">
+				<?php
+				//Display security info badge
+				global $aiowps_feature_mgr;
+				$aiowps_feature_mgr->output_feature_details_badge("firewall-disable-trace-track");
+				?>
+			</div>
+		<table class="form-table">
+			<tr valign="top">
+				<th scope="row"><?php esc_html_e('Disable trace and track', 'all-in-one-wp-security-and-firewall'); ?>:</th>
+				<td>
+					<div class="aiowps_switch_container">
+						<?php AIOWPSecurity_Utility_UI::setting_checkbox(__('Enable this to disable trace and track.', 'all-in-one-wp-security-and-firewall'), 'aiowps_disable_trace_and_track', '1' == $aio_wp_security->configs->get_value('aiowps_disable_trace_and_track')); ?>
+						<span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php esc_html_e('More info', 'all-in-one-wp-security-and-firewall'); ?></span></span>
+						<div class="aiowps_more_info_body">
+							<p class="description">
+								<?php
+								esc_html_e('HTTP Trace attack (XST) can be used to return header requests and grab cookies and other information.', 'all-in-one-wp-security-and-firewall');
+								echo '<br />';
+								esc_html_e('This hacking technique is usually used together with cross site scripting attacks (XSS).', 'all-in-one-wp-security-and-firewall');
+								echo '<br />';
+								esc_html_e('Disabling trace and track on your site will help prevent HTTP Trace attacks.', 'all-in-one-wp-security-and-firewall');
+								?>
+							</p>
+						</div>
+					</div>
+				</td>
+			</tr>
+		</table>
+		</div></div>
@@ -0,0 +1,44 @@
+<?php if (!defined('ABSPATH')) die('Access denied.'); ?>
+	<div class="aio_blue_box">
+		<?php
+		$info_msg = '<p>' . esc_html__('This feature allows you to block bots which are impersonating as a Googlebot but actually aren\'t. (In other words they are fake Google bots)', 'all-in-one-wp-security-and-firewall') . '</p>';
+		$info_msg .= '<p>'. esc_html__('Googlebots have a unique identity which cannot easily be forged and this feature will identify any fake Google bots and block them from reading your site\'s pages.', 'all-in-one-wp-security-and-firewall').'</p>';
+		// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Variable already escaped.
+		echo $info_msg;
+		?>
+	</div>
+	<div class="aio_yellow_box">
+		<?php
+		$info_msg_2 = '<p><strong>'. esc_html__('Attention', 'all-in-one-wp-security-and-firewall').'</strong>: '.__('Sometimes non-malicious Internet organizations might have bots which impersonate as a "Googlebot".', 'all-in-one-wp-security-and-firewall').'</p>';
+		$info_msg_2 .= '<p>'.esc_html__('Just be aware that if you activate this feature the plugin will block all bots which use the "Googlebot" string in their User Agent information but are NOT officially from Google (irrespective of whether they are malicious or not).', 'all-in-one-wp-security-and-firewall').'</p>';
+		$info_msg_2 .= '<p>'.esc_html__('All other bots from other organizations such as "Yahoo", "Bing" etc will not be affected by this feature.', 'all-in-one-wp-security-and-firewall').'</p>';
+		// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Variable already escaped.
+		echo $info_msg_2;
+		?>
+	</div>
+	<table class="form-table">
+		<tr valign="top">
+			<div id="firewall-block-fake-googlebots-badge">
+				<?php
+				//Display security info badge
+				$aiowps_feature_mgr->output_feature_details_badge("firewall-block-fake-googlebots");
+				?>
+			</div>
+		</tr>
+		<tr valign="top">
+			<th scope="row"><?php esc_html_e('Block fake Googlebots', 'all-in-one-wp-security-and-firewall'); ?>:</th>
+			<td>
+				<div class="aiowps_switch_container">
+					<?php AIOWPSecurity_Utility_UI::setting_checkbox(esc_html__('Enable this if you want to block all fake Googlebots.', 'all-in-one-wp-security-and-firewall'), 'aiowps_block_fake_googlebots', $aiowps_block_fake_googlebots); ?>
+					<span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php esc_html_e('More info', 'all-in-one-wp-security-and-firewall'); ?></span></span>
+					<div class="aiowps_more_info_body">
+						<?php
+						echo '<p class="description">'.esc_html__('This feature will check if the User Agent information of a bot contains the string "Googlebot".', 'all-in-one-wp-security-and-firewall').'</p>';
+						echo '<p class="description">'.esc_html__('It will then perform a few tests to verify if the bot is legitimately from Google and if so it will allow the bot to proceed.', 'all-in-one-wp-security-and-firewall').'</p>';
+						echo '<p class="description">'.esc_html__('If the bot fails the checks then the plugin will mark it as being a fake Googlebot and it will block it', 'all-in-one-wp-security-and-firewall').'</p>';
+						?>
+				</div>
+				</div>
+			</td>
+		</tr>
+	</table>
@@ -0,0 +1,5 @@
+<?php if (!defined('ABSPATH')) die('Access denied.'); ?>
+<form method="POST" style="display: inline;" id="aiowps-firewall-downgrade-form">
+	<input type="hidden" name="action" value="aiowps_firewall_downgrade">
+	<input class="button button-primary" type="submit" name="btn_downgrade_protection" value="<?php esc_html_e('Downgrade firewall', 'all-in-one-wp-security-and-firewall'); ?>">
+</form>
@@ -0,0 +1,5 @@
+<?php if (!defined('ABSPATH')) die('Access denied.'); ?>
+<form method="POST"  style="display: inline;" id="aiowpsec-firewall-setup-form">
+	<input type="hidden" name="action" value="aiowps_firewall_setup">
+	<input class="button button-primary" type="submit" name="btn_try_again" value="<?php esc_html_e('Set up firewall', 'all-in-one-wp-security-and-firewall'); ?>">
+</form>
@@ -0,0 +1,30 @@
+<?php if (!defined('ABSPATH')) die('No direct access.'); ?>
+<div class="postbox">
+	<h3 class="hndle"><label for="title"><?php esc_html_e('Firewall setup', 'all-in-one-wp-security-and-firewall'); ?></label></h3>
+	<div class="inside">
+		<div class="aio_blue_box">
+			<p>
+				<?php esc_html_e('This option allows you to set up or downgrade the firewall.', 'all-in-one-wp-security-and-firewall'); ?><br>
+				<?php esc_html_e('We recommend you set up the firewall for greater protection, but if for whatever reason you wish to downgrade the firewall, then you can do so here.', 'all-in-one-wp-security-and-firewall'); ?><br>
+			</p>
+		</div>
+		<table class="form-table">
+			<tr valign="row">
+				<th scope="row"><?php esc_html_e('Firewall', 'all-in-one-wp-security-and-firewall'); ?>:</th>
+				<td>
+					<div id="aiowps-firewall-status-container" style="display: inline">
+						<?php AIOWPSecurity_Utility_Firewall::is_firewall_setup() ? $aio_wp_security->include_template('wp-admin/firewall/partials/firewall-downgrade-button.php') : $aio_wp_security->include_template('wp-admin/firewall/partials/firewall-set-up-button.php'); ?>
+					</div>
+					<span style='margin-top: 5px;' class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php esc_html_e('More info', 'all-in-one-wp-security-and-firewall'); ?></span></span>
+					<div class="aiowps_more_info_body">
+						<p class="description"><strong><?php esc_html_e('Set up firewall', 'all-in-one-wp-security-and-firewall');?>: </strong><?php esc_html_e('This will attempt to set up the firewall in order to give you the highest level of protection it has to offer.', 'all-in-one-wp-security-and-firewall');?><p>
+
+						<p class="description"><strong><?php esc_html_e('Downgrade firewall', 'all-in-one-wp-security-and-firewall');?>: </strong><?php esc_html_e('This will undo the changes performed by the set-up mechanism.', 'all-in-one-wp-security-and-firewall');?><p>
+
+						<p class="description"><?php esc_html_e('The firewall will still be active if it is downgraded or not set up, but you will have reduced protection.', 'all-in-one-wp-security-and-firewall');?><p>
+					</div>
+				</td>
+			</tr>
+		</table>
+	</div>
+</div>
@@ -0,0 +1,23 @@
+<?php if (!defined('ABSPATH')) die('Access denied.'); ?>
+<div class="postbox aio_hidden" data-template="internet-bots">
+	<h3 class="hndle"><label for="title"><?php esc_html_e('Internet bot settings', 'all-in-one-wp-security-and-firewall'); ?></label></h3>
+	<div class="inside">
+		<div class="aio_blue_box">
+			<?php
+			$info_msg = '';
+			$wiki_link = '<a href="http://en.wikipedia.org/wiki/Internet_bot" target="_blank">'.esc_html__('What is an Internet Bot', 'all-in-one-wp-security-and-firewall').'</a>';
+			/* translators: s%: Wiki URL. */
+			$info_msg .= '<p><strong>'.sprintf(__('%s?', 'all-in-one-wp-security-and-firewall'), $wiki_link).'</strong></p>';
+
+			$info_msg .= '<p>'. esc_html__('A bot is a piece of software which runs on the Internet and performs automatic tasks.', 'all-in-one-wp-security-and-firewall') . ' ' . esc_html__('For example when Google indexes your pages it uses bots to achieve this task.', 'all-in-one-wp-security-and-firewall').'</p>';
+			$info_msg .= '<p>'. esc_html__('A lot of bots are legitimate and non-malicious but not all bots are good and often you will find some which try to impersonate legitimate bots such as "Googlebot" but in reality they have nohing to do with Google at all.', 'all-in-one-wp-security-and-firewall').'</p>';
+			$info_msg .= '<p>'. esc_html__('Although most of the bots out there are relatively harmless sometimes website owners want to have more control over which bots they allow into their site.', 'all-in-one-wp-security-and-firewall').'</p>';
+			// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Variable already escaped.
+			echo $info_msg;
+			?>
+		</div>
+
+		<?php $aio_wp_security->include_template('wp-admin/firewall/partials/fake-googlebots.php', false, compact('aiowps_block_fake_googlebots')); ?>
+		<?php $aio_wp_security->include_template('wp-admin/firewall/partials/blank-ref-and-useragent.php', false, compact('aiowps_ban_post_blank_headers')); ?>
+	</div>
+</div>
@@ -0,0 +1,34 @@
+<?php if (!defined('ABSPATH')) die('Access denied.'); ?>
+<div class="postbox aio_hidden" data-template="listing-directory-contents">
+		<h3 class="hndle"><label for="title"><?php esc_html_e('Listing of directory contents', 'all-in-one-wp-security-and-firewall'); ?></label></h3>
+		<div class="inside">
+			<div id="firewall-disable-index-views-badge">
+				<?php
+				//Display security info badge
+				global $aiowps_feature_mgr;
+				$aiowps_feature_mgr->output_feature_details_badge("firewall-disable-index-views");
+				?>
+			</div>
+		<table class="form-table">
+			<tr valign="top">
+				<th scope="row"><?php esc_html_e('Disable index views', 'all-in-one-wp-security-and-firewall'); ?>:</th>
+				<td>
+					<div class="aiowps_switch_container">
+						<?php AIOWPSecurity_Utility_UI::setting_checkbox(esc_html__('Enable this if you want to disable directory and file listing.', 'all-in-one-wp-security-and-firewall'), 'aiowps_disable_index_views', '1' == $aiowps_disable_index_views); ?>
+						<span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php esc_html_e('More info', 'all-in-one-wp-security-and-firewall'); ?></span></span>
+						<div class="aiowps_more_info_body">
+							<p class="description">
+								<?php
+								esc_html_e('By default, an Apache server will allow the listing of the contents of a directory if it doesn\'t contain an index.php file.', 'all-in-one-wp-security-and-firewall');
+								echo '<br />';
+								esc_html_e('This feature will prevent the listing of contents for all directories.', 'all-in-one-wp-security-and-firewall');
+								echo '<br />';
+								echo esc_html__('NOTE: In order for this feature to work "AllowOverride" of the Indexes directive must be enabled in your httpd.conf file.', 'all-in-one-wp-security-and-firewall') . ' ' . esc_html__('Ask your hosting provider to check this if you don\'t have access to httpd.conf', 'all-in-one-wp-security-and-firewall');
+								?>
+							</p>
+						</div>
+					</div>
+				</td>
+			</tr>
+		</table>
+		</div></div>
@@ -0,0 +1,56 @@
+<?php if (!defined('ABSPATH')) die('Access denied.'); ?>
+
+<div id="aios-6g-firewall-settings-container" class="postbox aio_hidden" data-template="ng">
+	<h3 class="hndle"><label for="title"><?php esc_html_e('6G firewall settings', 'all-in-one-wp-security-and-firewall'); ?></label></h3>
+	<div class="inside">
+		<div class="aio_blue_box">
+			<?php
+			/* translators: 1: 8G URL, 2: 5G URL, 3: Perishable Press URL */
+			$info_msg = '<p>'.sprintf(esc_html__('This feature allows you to activate the %1$s (or legacy %2$s) firewall security protection rules designed and produced by %3$s.', 'all-in-one-wp-security-and-firewall'), '<a href="http://perishablepress.com/6g/" target="_blank">6G</a>', '<a href="http://perishablepress.com/5g-blacklist-2013/" target="_blank">5G</a>', '<a href="http://perishablepress.com/" target="_blank">Perishable Press</a>').'</p>';
+			$info_msg .= '<p>'.esc_html__('The 6G firewall is an updated and improved version of the 5G firewall that is PHP-based and doesn\'t use a .htaccess file.', 'all-in-one-wp-security-and-firewall') . ' ' . esc_html__('If you have the 5G firewall active, you might consider activating the 6G firewall instead.', 'all-in-one-wp-security-and-firewall').'</p>';
+			$info_msg .= '<p>'.esc_html__('The 6G firewall is a simple, flexible blacklist that helps reduce the number of malicious URL requests that hit your website.', 'all-in-one-wp-security-and-firewall').'</p>';
+			$info_msg .= '<p>'.esc_html__('The added advantage of applying the 6G firewall to your site is that it has been tested and confirmed by the people at PerishablePress.com to be an optimal and least disruptive set of security rules for general WP sites.', 'all-in-one-wp-security-and-firewall').'</p>';
+			// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Variable already escaped.
+			echo $info_msg;
+			?>
+		</div>
+		<div id="firewall-enable-6g-badge">
+			<?php
+			// Display security info badge
+			$aiowps_feature_mgr->output_feature_details_badge("firewall-enable-6g");
+			?>
+		</div>
+		<table class="form-table">
+			<tr valign="top">
+				<th scope="row"><?php esc_html_e('Enable 6G firewall protection', 'all-in-one-wp-security-and-firewall'); ?>:</th>
+				<td>
+					<div class="aiowps_switch_container">
+						<?php AIOWPSecurity_Utility_UI::setting_checkbox(esc_html__('Enable this to apply the recommended 6G firewall protection.', 'all-in-one-wp-security-and-firewall'), 'aiowps_enable_6g_firewall', '1' == $ng_settings['aiowps_enable_6g_firewall']); ?>
+						<span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php esc_html_e('More info', 'all-in-one-wp-security-and-firewall'); ?></span></span>
+						<div class="aiowps_more_info_body">
+							<?php
+							echo '<p class="description">'.esc_html__('This setting will implement the 6G security firewall protection mechanisms on your site which include the following things:', 'all-in-one-wp-security-and-firewall').'</p>';
+							echo '<p class="description">'.esc_html__('1) Block forbidden characters commonly used in exploitative attacks.', 'all-in-one-wp-security-and-firewall').'</p>';
+							echo '<p class="description">'.esc_html__('2) Block malicious encoded URL characters such as the ".css(" string.', 'all-in-one-wp-security-and-firewall').'</p>';
+							echo '<p class="description">'.esc_html__('3) Guard against the common patterns and specific exploits in the root portion of targeted URLs.', 'all-in-one-wp-security-and-firewall').'</p>';
+							echo '<p class="description">'.esc_html__('4) Stop attackers from manipulating query strings by disallowing illicit characters.', 'all-in-one-wp-security-and-firewall').'</p>';
+							echo '<p class="description">'.esc_html__('....and much more.', 'all-in-one-wp-security-and-firewall').'</p>';
+							?>
+						</div>
+					</div>
+				</td>
+			</tr>
+		</table>
+		<button type="button" class="button button-link aios-toggle-advanced-options<?php if ($ng_settings['advanced_options_disabled']) echo ' advanced-options-disabled';?>">
+				<span class="text">
+					<span class="dashicons dashicons-arrow-down-alt2"></span>
+					<span class="aios-toggle-advanced-options__text-show"><?php esc_html_e('Show advanced options', 'all-in-one-wp-security-and-firewall'); ?></span>
+					<span class="aios-toggle-advanced-options__text-hide"><?php esc_html_e('Hide advanced options', 'all-in-one-wp-security-and-firewall'); ?></span>
+				</span>
+		</button>
+
+		<div class="aios-advanced-options-panel">
+			<?php $aio_wp_security->include_template('wp-admin/firewall/partials/advanced-settings-6g.php', false, array('methods' => $ng_settings['methods'], 'blocked_query' => $ng_settings['blocked_query'], 'blocked_request' => $ng_settings['blocked_request'], 'blocked_referrers' => $ng_settings['blocked_referrers'], 'blocked_agents' => $ng_settings['blocked_agents'], 'block_request_methods' => $ng_settings['block_request_methods'])); ?>
+		</div>
+	</div>
+</div>
@@ -0,0 +1,30 @@
+<?php if (!defined('ABSPATH')) die('Access denied.'); ?>
+<div class="postbox aio_hidden" data-template="proxy-comment">
+		<h3 class="hndle"><label for="title"><?php esc_html_e('Proxy comment posting', 'all-in-one-wp-security-and-firewall'); ?></label></h3>
+		<div class="inside">
+			<div id="firewall-forbid-proxy-comments-badge">
+				<?php
+				//Display security info badge
+				$aiowps_feature_mgr->output_feature_details_badge("firewall-forbid-proxy-comments");
+				?>
+			</div>
+		<table class="form-table">
+			<tr valign="top">
+				<th scope="row"><?php esc_html_e('Forbid proxy comment posting', 'all-in-one-wp-security-and-firewall'); ?>:</th>
+				<td>
+					<div class="aiowps_switch_container">
+							<?php AIOWPSecurity_Utility_UI::setting_checkbox(esc_html__('Enable this if you want to forbid proxy comment posting.', 'all-in-one-wp-security-and-firewall'), 'aiowps_forbid_proxy_comments', $aiowps_forbid_proxy_comments); ?>
+						<span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php esc_html_e('More info', 'all-in-one-wp-security-and-firewall'); ?></span></span>
+						<div class="aiowps_more_info_body">
+							<p class="description">
+								<?php
+								esc_html_e('This setting will deny any requests that use a proxy server when posting comments.', 'all-in-one-wp-security-and-firewall');
+								echo '<br>'.esc_html__('By forbidding proxy comments you are in effect eliminating some spam and other proxy requests.', 'all-in-one-wp-security-and-firewall');
+								?>
+							</p>
+						</div>
+					</div>
+				</td>
+			</tr>
+		</table>
+		</div></div>
@@ -0,0 +1,21 @@
+<?php if (!defined('ABSPATH')) die('Access denied.'); ?>
+<div class="aio_yellow_box">
+	<p><?php echo sprintf(esc_html__('%s this REST route allows websites to display core content, such as posts, pages, and other WordPress data.', 'all-in-one-wp-security-and-firewall'), '<strong>wp:</strong>') . ' ' . esc_html__('This route is essential for the WordPress block editor and API integrations.', 'all-in-one-wp-security-and-firewall') . ' ' .esc_html__('Disabling it may break plugins and themes.', 'all-in-one-wp-security-and-firewall');?></p>
+	<p><?php echo sprintf(esc_html__('%s this REST route enables embedding content from your site on external platforms (e.g., Twitter, Facebook, and WordPress embeds).', 'all-in-one-wp-security-and-firewall'), '<strong>oembed:</strong>') . ' ' .  esc_html__('Disabling this may prevent your site\'s content from being embedded in social media and other platforms.', 'all-in-one-wp-security-and-firewall');?></p>
+</div>
+<br>
+<table class="form-table">
+	<?php if (!empty($route_namespaces)) { ?>
+	<tr valign="top">
+		<th scope="row"><?php _e('Whitelist REST routes', 'all-in-one-wp-security-and-firewall'); ?>:</th>
+		<td>
+			<?php foreach ($route_namespaces as $route_namespace) { ?>
+			<div class="aiowps_switch_container">
+			<?php AIOWPSecurity_Utility_UI::setting_checkbox($route_namespace, 'aios_whitelisted_rest_routes_'.str_replace('-', '_', $route_namespace), in_array($route_namespace, $aios_whitelisted_rest_routes)); ?>
+			</div>
+			<br>
+			<?php } ?>
+		</td>
+	</tr>
+	<?php } ?>
+</table>
@@ -0,0 +1,48 @@
+<?php if (!defined('ABSPATH')) die('No direct access.'); ?>
+<div class="postbox">
+	<h3 class="hndle"><label for="title"><?php esc_html_e('Upgrade unsafe HTTP calls', 'all-in-one-wp-security-and-firewall'); ?></label></h3>
+	<div class="inside">
+		<div id="upgrade-unsafe-http-calls-badge">
+			<?php
+			// Display security info badge
+			$aiowps_feature_mgr->output_feature_details_badge('upgrade-unsafe-http-calls');
+			?>
+		</div>
+		<form action="" id="aios-upgrade-unsafe-http-calls-settings-form">
+			<div class="aio_blue_box">
+				<?php
+					/* translators: 1: Bold unsafe function name, 2: Bold safe function name. */
+					echo '<p>' . sprintf(esc_html__('This feature allows you to upgrade all unsafe HTTP calls on your site using %1$s to %2$s.', 'all-in-one-wp-security-and-firewall'), '<strong>wp_remote_*</strong>', '<strong>wp_safe_remote_*</strong>') . '</p>';
+					/* translators: %s Bold unsafe function name. */
+					echo '<p>' . sprintf(esc_html__('You can also specify a list of URLs that are allowed to be contacted with the unsafe %s calls.', 'all-in-one-wp-security-and-firewall'), '<strong>wp_remote_*</strong>') . '</p>';
+				?>
+			</div>
+			<table class="form-table">
+				<tr valign="top">
+					<th scope="row"><?php esc_html_e('Enable', 'all-in-one-wp-security-and-firewall'); ?>:</th>
+					<td>
+						<div class="aiowps_switch_container">
+							<?php AIOWPSecurity_Utility_UI::setting_checkbox('', 'aiowps_upgrade_unsafe_http_calls', '1' == $aiowps_upgrade_unsafe_http_calls); ?>
+						</div>
+					</td>
+				</tr>
+				<tr valign="top">
+					<th scope="row"><label for="aiowps_upgrade_unsafe_http_calls_url_exceptions"><?php esc_html_e('URL exceptions', 'all-in-one-wp-security-and-firewall'); ?>:</label></th>
+					<td>
+						<textarea id="aiowps_upgrade_unsafe_http_calls_url_exceptions" name="aiowps_upgrade_unsafe_http_calls_url_exceptions" rows="5" cols="50"><?php echo esc_textarea($aiowps_upgrade_unsafe_http_calls_url_exceptions); ?></textarea>
+						<br>
+						<span class="description"><?php esc_html_e('Enter URL exceptions.', 'all-in-one-wp-security-and-firewall'); ?></span>
+						<span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php esc_html_e('More Info', 'all-in-one-wp-security-and-firewall'); ?></span></span>
+						<div class="aiowps_more_info_body">
+							<?php
+								echo '<p class="description">' . esc_html__('Each URL must be on a new line.', 'all-in-one-wp-security-and-firewall') . '</p>';
+								echo '<p class="description">' . esc_html__('All localhost URLs are already an exception.', 'all-in-one-wp-security-and-firewall') . '</p>';
+							?>
+						</div>
+					</td>
+				</tr>
+			</table>
+			<input type="submit" class="button-primary" value="<?php esc_html_e('Save settings', 'all-in-one-wp-security-and-firewall'); ?>">
+		</form>
+	</div>
+</div>
@@ -0,0 +1,59 @@
+<?php if (!defined('ABSPATH')) die('No direct access.'); ?>
+<?php
+$route_namespaces = AIOWPSecurity_Utility::get_rest_namespaces();
+$user_roles = AIOWPSecurity_Utility_Permissions::get_user_roles();
+?>
+<div class="postbox aio_hidden" data-template="wp-rest-api">
+	<h3 class="hndle"><label for="title"><?php esc_html_e('WP REST API settings', 'all-in-one-wp-security-and-firewall'); ?></label></h3>
+	<div class="inside">
+		<div>
+			<div id="disallow-unauthorised-requests-badge">
+				<?php
+				//Display security info badge
+				$aiowps_feature_mgr->output_feature_details_badge("disallow-unauthorised-requests");
+				?>
+			</div>
+				<div class="aio_blue_box">
+					<?php
+					echo '<p>'.esc_html__('This feature allows you to block WordPress REST API access for unauthorized requests.', 'all-in-one-wp-security-and-firewall').'</p>';
+					echo '<p>'.esc_html__('When enabled this feature will only allow REST requests to be processed if the user is logged in.', 'all-in-one-wp-security-and-firewall').'</p>';
+					echo '<p>'.esc_html__('Only REST requests made by logged-in users with a role permitted below will succeed, unless the REST API endpoint has been white-listed for others to also use.', 'all-in-one-wp-security-and-firewall').'</p>';
+					echo '<p>'.esc_html__('You can whitelist REST routes by selecting from the list of all registered rest routes for all users, including those who are not logged in.', 'all-in-one-wp-security-and-firewall').'</p>';
+					?>
+				</div>
+				<?php if (empty($route_namespaces)) { ?>
+				<div class="aio_red_box">
+					<p>
+						<?php
+						echo esc_html__('You do not have any registered REST API routes to block unauthorized access.', 'all-in-one-wp-security-and-firewall');
+						?>
+					</p>
+				</div>
+				<?php } ?>
+				<table class="form-table">
+					<tr valign="top">
+						<th scope="row"><?php esc_html_e('Disallow unauthorized REST requests', 'all-in-one-wp-security-and-firewall'); ?>:</th>
+						<td>
+							<div class="aiowps_switch_container">
+								<?php AIOWPSecurity_Utility_UI::setting_checkbox(esc_html__('Enable this to stop REST API access for non-logged in requests.', 'all-in-one-wp-security-and-firewall'), 'aiowps_disallow_unauthorized_rest_requests', '1' == $aiowps_disallow_unauthorized_rest_requests); ?>
+							</div>
+						</td>
+					</tr>
+					<tr valign="top">
+						<th scope="row"><?php _e('User roles allowed access when logged in', 'all-in-one-wp-security-and-firewall'); ?>:</th>
+						<td>
+							<?php foreach ($user_roles as $id => $name) { ?>
+							<div class="aiowps_switch_container">
+								<?php AIOWPSecurity_Utility_UI::setting_checkbox($name, 'aios_allowed_roles_rest_requests_'.$id, !in_array($id, $aios_roles_disallowed_rest_requests)); // Default all roles are allowed, only disallowed roles considered ?>
+							</div>
+							<br>
+							<?php } ?>
+						</td>
+					</tr>
+				</table>
+			<div class="aios-rest-white-list-options-panel<?php echo ('1' == $aiowps_disallow_unauthorized_rest_requests) ? "" : " hidden";?>">
+				<?php $aio_wp_security->include_template('wp-admin/firewall/partials/rest-route-whitelist.php', false, compact('route_namespaces', 'aios_whitelisted_rest_routes')); ?>
+			</div>
+		</div>
+	</div>
+</div>
@@ -0,0 +1,52 @@
+<?php if (!defined('ABSPATH')) die('Access denied.'); ?>
+<div class="postbox aio_hidden" data-template="xmlrpc-pingback-protection">
+	<h3 class="hndle"><label for="title"><?php esc_html_e('WordPress XMLRPC and pingback vulnerability protection', 'all-in-one-wp-security-and-firewall'); ?></label></h3>
+	<div class="inside">
+		<div id="firewall-pingback-rules-badge">
+		<?php
+				//Display security info badge
+				$aiowps_feature_mgr->output_feature_details_badge("firewall-pingback-rules");
+				?>
+			</div>
+		<?php $aio_wp_security->include_template('wp-admin/firewall/partials/xmlrpc-warning-notice.php'); ?>
+		<table class="form-table">
+			<tr valign="top">
+				<th scope="row"><?php esc_html_e('Completely block access to XMLRPC', 'all-in-one-wp-security-and-firewall'); ?>:</th>
+				<td>
+					<div class="aiowps_switch_container">
+						<?php AIOWPSecurity_Utility_UI::setting_checkbox(esc_html__('Enable this if you are not using the WP XML-RPC functionality and you want to completely block external access to XMLRPC.', 'all-in-one-wp-security-and-firewall'), 'aiowps_enable_pingback_firewall', $aiowps_enable_pingback_firewall); ?>
+						<span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php esc_html_e('More info', 'all-in-one-wp-security-and-firewall'); ?></span></span>
+						<div class="aiowps_more_info_body">
+								<?php
+								echo '<p class="description">'.esc_html__('This setting will disable access to the WordPress xmlrpc.php file which is responsible for the XML-RPC functionality in WordPress.', 'all-in-one-wp-security-and-firewall').'</p>';
+								echo '<p class="description">'.esc_html__('Hackers can exploit various vulnerabilities in the WordPress XML-RPC API in a number of ways such as:', 'all-in-one-wp-security-and-firewall').'</p>';
+								echo '<p class="description">'.esc_html__('1) Denial of Service (DoS) attacks', 'all-in-one-wp-security-and-firewall').'</p>';
+								echo '<p class="description">'.esc_html__('2) Hacking internal routers.', 'all-in-one-wp-security-and-firewall').'</p>';
+								echo '<p class="description">'.esc_html__('3) Scanning ports in internal networks to get info from various hosts.', 'all-in-one-wp-security-and-firewall').'</p>';
+								echo '<p class="description">'.esc_html__('Apart from the security protection benefit, this feature may also help reduce load on your server, particularly if your site currently has a lot of unwanted traffic hitting the XML-RPC API on your installation.', 'all-in-one-wp-security-and-firewall').'</p>';
+								echo '<p class="description">'.esc_html__('NOTE: You should only enable this feature if you are not currently using the XML-RPC functionality on your WordPress installation.', 'all-in-one-wp-security-and-firewall').'</p>';
+								echo '<p class="description">'.esc_html__('Leave this feature disabled and use the feature below if you want pingback protection but you still need XMLRPC.', 'all-in-one-wp-security-and-firewall').'</p>';
+								?>
+						</div>
+					</div>
+				</td>
+			</tr>
+			<tr valign="top">
+				<th scope="row"><?php esc_html_e('Disable pingback functionality from XMLRPC', 'all-in-one-wp-security-and-firewall'); ?>:</th>
+				<td>
+					<div class="aiowps_switch_container">
+						<?php AIOWPSecurity_Utility_UI::setting_checkbox(esc_html__('If you use Jetpack or WP iOS or other apps which need WP XML-RPC functionality then check this.', 'all-in-one-wp-security-and-firewall') . ' ' . esc_html__('This will enable protection against WordPress pingback vulnerabilities.', 'all-in-one-wp-security-and-firewall'), 'aiowps_disable_xmlrpc_pingback_methods', '1' == $aiowps_disable_xmlrpc_pingback_methods); ?>
+						<span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php esc_html_e('More info', 'all-in-one-wp-security-and-firewall'); ?></span></span>
+						<div class="aiowps_more_info_body">
+								<?php
+								echo '<p class="description">'.esc_html__('NOTE: If you use Jetpack or the Wordpress iOS or other apps then you should enable this feature but leave the "Completely Block Access To XMLRPC" checkbox unchecked.', 'all-in-one-wp-security-and-firewall').'</p>';
+								echo '<p class="description">'.esc_html__('The feature will still allow XMLRPC functionality on your site but will disable the pingback methods.', 'all-in-one-wp-security-and-firewall').'</p>';
+								echo '<p class="description">'.esc_html__('This feature will also remove the "X-Pingback" header if it is present.', 'all-in-one-wp-security-and-firewall').'</p>';
+								?>
+						</div>
+					</div>
+				</td>
+			</tr>
+		</table>
+	</div>
+</div>
@@ -0,0 +1,11 @@
+<?php if (!defined('ABSPATH')) die('Access denied.'); ?>
+
+<div class="xmlrpc_warning_box aio_orange_box <?php if (!$aiowps_firewall_config->get_value('aiowps_enable_pingback_firewall')) echo ' aio_hidden';?>">
+	<p>
+		<?php
+		echo '<p>'.esc_html__('Attention:', 'all-in-one-wp-security-and-firewall').' '.esc_html__('You have enabled the "Completely Block Access To XMLRPC" checkbox which means all XMLRPC functionality will be blocked.', 'all-in-one-wp-security-and-firewall').'</p>';
+		echo '<p>'.esc_html__('By leaving this feature enabled you will prevent Jetpack or Wordpress iOS or other apps which need XMLRPC from working correctly on your site.', 'all-in-one-wp-security-and-firewall').'</p>';
+		echo '<p>'.esc_html__('If you still need XMLRPC then uncheck the "Completely Block Access To XMLRPC" checkbox and enable only the "Disable Pingback Functionality From XMLRPC" checkbox.', 'all-in-one-wp-security-and-firewall').'</p>';
+		?>
+	</p>
+</div>