Version Description
GDPR compliance implemented.
Fixed: ip_in_range() loop overwrites its own $ip argument, causing invalid results. https://wordpress.org/support/topic/ip_in_range-loop-ip-overrides-itself-causing-invalid-results/
Fixed: the plugin was locking out the same IP address multiple times, each with a different port. https://wordpress.org/support/topic/same-ip-different-port/
Release Info
Developer | wpchefgadget |
Plugin | Limit Login Attempts Reloaded |
Version | 2.7.0 |
Code changes from version 2.6.3 to 2.7.0
- core/LimitLoginAttempts.php +1283 -1214
- limit-login-attempts-reloaded.php +1 -1
- readme.txt +20 -10
- views/options-page.php +13 -1
core/LimitLoginAttempts.php
CHANGED
@@ -1,1215 +1,1284 @@
|
|
1 |
-
<?php
|
2 |
-
|
3 |
-
/**
|
4 |
-
* Class Limit_Login_Attempts
|
5 |
-
*/
|
6 |
-
class Limit_Login_Attempts
|
7 |
-
{
|
8 |
-
public $default_options = array(
|
9 |
-
|
10 |
-
|
11 |
-
|
12 |
-
|
13 |
-
|
14 |
-
|
15 |
-
|
16 |
-
|
17 |
-
|
18 |
-
|
19 |
-
|
20 |
-
|
21 |
-
|
22 |
-
|
23 |
-
|
24 |
-
|
25 |
-
|
26 |
-
|
27 |
-
|
28 |
-
|
29 |
-
|
30 |
-
|
31 |
-
|
32 |
-
|
33 |
-
|
34 |
-
|
35 |
-
|
36 |
-
'
|
37 |
-
|
38 |
-
'
|
39 |
-
'
|
40 |
-
|
41 |
-
|
42 |
-
|
43 |
-
|
44 |
-
|
45 |
-
|
46 |
-
|
47 |
-
|
48 |
-
|
49 |
-
|
50 |
-
*
|
51 |
-
|
52 |
-
|
53 |
-
|
54 |
-
public
|
55 |
-
|
56 |
-
|
57 |
-
|
58 |
-
|
59 |
-
|
60 |
-
|
61 |
-
|
62 |
-
|
63 |
-
|
64 |
-
|
65 |
-
|
66 |
-
add_filter( '
|
67 |
-
add_filter( '
|
68 |
-
|
69 |
-
|
70 |
-
|
71 |
-
|
72 |
-
|
73 |
-
|
74 |
-
|
75 |
-
|
76 |
-
|
77 |
-
|
78 |
-
|
79 |
-
|
80 |
-
|
81 |
-
|
82 |
-
|
83 |
-
|
84 |
-
|
85 |
-
|
86 |
-
|
87 |
-
|
88 |
-
|
89 |
-
|
90 |
-
|
91 |
-
|
92 |
-
|
93 |
-
|
94 |
-
|
95 |
-
|
96 |
-
|
97 |
-
|
98 |
-
|
99 |
-
|
100 |
-
|
101 |
-
|
102 |
-
|
103 |
-
|
104 |
-
|
105 |
-
add_filter( '
|
106 |
-
|
107 |
-
|
108 |
-
|
109 |
-
|
110 |
-
|
111 |
-
|
112 |
-
|
113 |
-
|
114 |
-
|
115 |
-
|
116 |
-
|
117 |
-
|
118 |
-
|
119 |
-
|
120 |
-
|
121 |
-
|
122 |
-
|
123 |
-
|
124 |
-
*
|
125 |
-
|
126 |
-
|
127 |
-
|
128 |
-
|
129 |
-
|
130 |
-
|
131 |
-
|
132 |
-
|
133 |
-
|
134 |
-
|
135 |
-
|
136 |
-
|
137 |
-
|
138 |
-
|
139 |
-
|
140 |
-
|
141 |
-
|
142 |
-
|
143 |
-
|
144 |
-
|
145 |
-
|
146 |
-
|
147 |
-
|
148 |
-
|
149 |
-
|
150 |
-
|
151 |
-
|
152 |
-
|
153 |
-
|
154 |
-
|
155 |
-
|
156 |
-
|
157 |
-
|
158 |
-
|
159 |
-
|
160 |
-
|
161 |
-
|
162 |
-
|
163 |
-
|
164 |
-
|
165 |
-
|
166 |
-
|
167 |
-
|
168 |
-
|
169 |
-
|
170 |
-
|
171 |
-
|
172 |
-
|
173 |
-
|
174 |
-
|
175 |
-
|
176 |
-
|
177 |
-
$
|
178 |
-
|
179 |
-
|
180 |
-
|
181 |
-
|
182 |
-
|
183 |
-
|
184 |
-
$
|
185 |
-
|
186 |
-
|
187 |
-
|
188 |
-
|
189 |
-
|
190 |
-
|
191 |
-
|
192 |
-
|
193 |
-
|
194 |
-
|
195 |
-
|
196 |
-
|
197 |
-
* @
|
198 |
-
|
199 |
-
|
200 |
-
|
201 |
-
|
202 |
-
|
203 |
-
|
204 |
-
|
205 |
-
|
206 |
-
|
207 |
-
|
208 |
-
|
209 |
-
|
210 |
-
|
211 |
-
$
|
212 |
-
|
213 |
-
|
214 |
-
|
215 |
-
|
216 |
-
|
217 |
-
|
218 |
-
|
219 |
-
|
220 |
-
|
221 |
-
|
222 |
-
|
223 |
-
|
224 |
-
|
225 |
-
|
226 |
-
|
227 |
-
|
228 |
-
|
229 |
-
|
230 |
-
|
231 |
-
|
232 |
-
|
233 |
-
|
234 |
-
|
235 |
-
|
236 |
-
|
237 |
-
|
238 |
-
|
239 |
-
|
240 |
-
|
241 |
-
|
242 |
-
|
243 |
-
|
244 |
-
|
245 |
-
|
246 |
-
|
247 |
-
|
248 |
-
|
249 |
-
|
250 |
-
|
251 |
-
|
252 |
-
|
253 |
-
|
254 |
-
|
255 |
-
|
256 |
-
|
257 |
-
|
258 |
-
|
259 |
-
|
260 |
-
|
261 |
-
|
262 |
-
|
263 |
-
|
264 |
-
|
265 |
-
|
266 |
-
|
267 |
-
|
268 |
-
|
269 |
-
|
270 |
-
|
271 |
-
|
272 |
-
|
273 |
-
|
274 |
-
|
275 |
-
|
276 |
-
|
277 |
-
|
278 |
-
|
279 |
-
|
280 |
-
|
281 |
-
|
282 |
-
|
283 |
-
|
284 |
-
$
|
285 |
-
|
286 |
-
|
287 |
-
|
288 |
-
|
289 |
-
|
290 |
-
remove_filter( '
|
291 |
-
remove_filter( '
|
292 |
-
|
293 |
-
|
294 |
-
|
295 |
-
|
296 |
-
|
297 |
-
|
298 |
-
|
299 |
-
|
300 |
-
|
301 |
-
|
302 |
-
|
303 |
-
|
304 |
-
|
305 |
-
|
306 |
-
|
307 |
-
|
308 |
-
|
309 |
-
|
310 |
-
|
311 |
-
|
312 |
-
|
313 |
-
|
314 |
-
|
315 |
-
|
316 |
-
|
317 |
-
|
318 |
-
|
319 |
-
|
320 |
-
|
321 |
-
|
322 |
-
|
323 |
-
|
324 |
-
|
325 |
-
|
326 |
-
|
327 |
-
|
328 |
-
|
329 |
-
|
330 |
-
|
331 |
-
|
332 |
-
|
333 |
-
|
334 |
-
|
335 |
-
|
336 |
-
|
337 |
-
|
338 |
-
|
339 |
-
|
340 |
-
|
341 |
-
|
342 |
-
|
343 |
-
|
344 |
-
|
345 |
-
|
346 |
-
|
347 |
-
|
348 |
-
|
349 |
-
|
350 |
-
|
351 |
-
|
352 |
-
|
353 |
-
|
354 |
-
|
355 |
-
|
356 |
-
|
357 |
-
|
358 |
-
|
359 |
-
|
360 |
-
|
361 |
-
|
362 |
-
|
363 |
-
|
364 |
-
|
365 |
-
|
366 |
-
|
367 |
-
|
368 |
-
|
369 |
-
|
370 |
-
|
371 |
-
|
372 |
-
|
373 |
-
|
374 |
-
|
375 |
-
|
376 |
-
|
377 |
-
|
378 |
-
|
379 |
-
|
380 |
-
|
381 |
-
|
382 |
-
|
383 |
-
|
384 |
-
|
385 |
-
|
386 |
-
|
387 |
-
|
388 |
-
|
389 |
-
|
390 |
-
|
391 |
-
|
392 |
-
|
393 |
-
|
394 |
-
|
395 |
-
|
396 |
-
|
397 |
-
|
398 |
-
|
399 |
-
|
400 |
-
|
401 |
-
|
402 |
-
|
403 |
-
|
404 |
-
|
405 |
-
|
406 |
-
|
407 |
-
|
408 |
-
|
409 |
-
|
410 |
-
|
411 |
-
|
412 |
-
|
413 |
-
|
414 |
-
|
415 |
-
|
416 |
-
$
|
417 |
-
|
418 |
-
|
419 |
-
|
420 |
-
|
421 |
-
|
422 |
-
|
423 |
-
|
424 |
-
|
425 |
-
|
426 |
-
|
427 |
-
|
428 |
-
|
429 |
-
|
430 |
-
|
431 |
-
|
432 |
-
|
433 |
-
|
434 |
-
|
435 |
-
|
436 |
-
|
437 |
-
|
438 |
-
|
439 |
-
|
440 |
-
|
441 |
-
|
442 |
-
|
443 |
-
|
444 |
-
|
445 |
-
|
446 |
-
|
447 |
-
|
448 |
-
|
449 |
-
|
450 |
-
|
451 |
-
|
452 |
-
|
453 |
-
|
454 |
-
|
455 |
-
|
456 |
-
|
457 |
-
|
458 |
-
|
459 |
-
|
460 |
-
|
461 |
-
|
462 |
-
|
463 |
-
|
464 |
-
|
465 |
-
|
466 |
-
|
467 |
-
|
468 |
-
$
|
469 |
-
$
|
470 |
-
|
471 |
-
if
|
472 |
-
|
473 |
-
|
474 |
-
|
475 |
-
|
476 |
-
|
477 |
-
|
478 |
-
|
479 |
-
|
480 |
-
|
481 |
-
|
482 |
-
|
483 |
-
|
484 |
-
|
485 |
-
|
486 |
-
|
487 |
-
|
488 |
-
|
489 |
-
|
490 |
-
|
491 |
-
|
492 |
-
|
493 |
-
|
494 |
-
|
495 |
-
|
496 |
-
|
497 |
-
|
498 |
-
|
499 |
-
|
500 |
-
|
501 |
-
|
502 |
-
|
503 |
-
|
504 |
-
$
|
505 |
-
|
506 |
-
/*
|
507 |
-
|
508 |
-
|
509 |
-
|
510 |
-
|
511 |
-
|
512 |
-
|
513 |
-
|
514 |
-
|
515 |
-
}
|
516 |
-
|
517 |
-
|
518 |
-
|
519 |
-
|
520 |
-
|
521 |
-
|
522 |
-
|
523 |
-
|
524 |
-
|
525 |
-
|
526 |
-
|
527 |
-
$
|
528 |
-
|
529 |
-
|
530 |
-
|
531 |
-
|
532 |
-
|
533 |
-
|
534 |
-
|
535 |
-
|
536 |
-
|
537 |
-
|
538 |
-
|
539 |
-
|
540 |
-
|
541 |
-
|
542 |
-
|
543 |
-
|
544 |
-
|
545 |
-
|
546 |
-
|
547 |
-
|
548 |
-
|
549 |
-
|
550 |
-
|
551 |
-
|
552 |
-
$
|
553 |
-
|
554 |
-
|
555 |
-
|
556 |
-
|
557 |
-
|
558 |
-
|
559 |
-
|
560 |
-
|
561 |
-
|
562 |
-
|
563 |
-
|
564 |
-
|
565 |
-
|
566 |
-
|
567 |
-
|
568 |
-
|
569 |
-
|
570 |
-
|
571 |
-
|
572 |
-
|
573 |
-
|
574 |
-
|
575 |
-
|
576 |
-
|
577 |
-
|
578 |
-
|
579 |
-
|
580 |
-
|
581 |
-
|
582 |
-
|
583 |
-
|
584 |
-
|
585 |
-
|
586 |
-
|
587 |
-
|
588 |
-
|
589 |
-
|
590 |
-
|
591 |
-
|
592 |
-
|
593 |
-
|
594 |
-
|
595 |
-
|
596 |
-
|
597 |
-
|
598 |
-
|
599 |
-
|
600 |
-
|
601 |
-
|
602 |
-
|
603 |
-
|
604 |
-
|
605 |
-
|
606 |
-
|
607 |
-
|
608 |
-
|
609 |
-
|
610 |
-
|
611 |
-
|
612 |
-
|
613 |
-
|
614 |
-
|
615 |
-
|
616 |
-
|
617 |
-
|
618 |
-
|
619 |
-
|
620 |
-
|
621 |
-
|
622 |
-
$
|
623 |
-
|
624 |
-
|
625 |
-
|
626 |
-
|
627 |
-
|
628 |
-
|
629 |
-
|
630 |
-
|
631 |
-
|
632 |
-
|
633 |
-
|
634 |
-
|
635 |
-
|
636 |
-
|
637 |
-
|
638 |
-
|
639 |
-
|
640 |
-
|
641 |
-
|
642 |
-
|
643 |
-
|
644 |
-
|
645 |
-
|
646 |
-
|
647 |
-
|
648 |
-
|
649 |
-
|
650 |
-
|
651 |
-
|
652 |
-
|
653 |
-
|
654 |
-
|
655 |
-
|
656 |
-
|
657 |
-
|
658 |
-
|
659 |
-
|
660 |
-
|
661 |
-
|
662 |
-
|
663 |
-
|
664 |
-
|
665 |
-
|
666 |
-
|
667 |
-
|
668 |
-
|
669 |
-
$log
|
670 |
-
|
671 |
-
|
672 |
-
|
673 |
-
|
674 |
-
|
675 |
-
|
676 |
-
|
677 |
-
|
678 |
-
|
679 |
-
|
680 |
-
|
681 |
-
|
682 |
-
|
683 |
-
|
684 |
-
$
|
685 |
-
|
686 |
-
|
687 |
-
|
688 |
-
|
689 |
-
|
690 |
-
|
691 |
-
|
692 |
-
|
693 |
-
|
694 |
-
|
695 |
-
|
696 |
-
|
697 |
-
|
698 |
-
|
699 |
-
|
700 |
-
|
701 |
-
|
702 |
-
|
703 |
-
|
704 |
-
|
705 |
-
|
706 |
-
|
707 |
-
|
708 |
-
|
709 |
-
|
710 |
-
|
711 |
-
|
712 |
-
|
713 |
-
|
714 |
-
|
715 |
-
|
716 |
-
|
717 |
-
|
718 |
-
|
719 |
-
|
720 |
-
|
721 |
-
|
722 |
-
|
723 |
-
|
724 |
-
|
725 |
-
|
726 |
-
|
727 |
-
|
728 |
-
|
729 |
-
|
730 |
-
|
731 |
-
|
732 |
-
|
733 |
-
|
734 |
-
|
735 |
-
|
736 |
-
|
737 |
-
|
738 |
-
|
739 |
-
|
740 |
-
|
741 |
-
|
742 |
-
|
743 |
-
|
744 |
-
|
745 |
-
|
746 |
-
|
747 |
-
|
748 |
-
|
749 |
-
|
750 |
-
|
751 |
-
|
752 |
-
|
753 |
-
|
754 |
-
|
755 |
-
|
756 |
-
|
757 |
-
|
758 |
-
|
759 |
-
|
760 |
-
|
761 |
-
|
762 |
-
|
763 |
-
|
764 |
-
|
765 |
-
|
766 |
-
|
767 |
-
|
768 |
-
|
769 |
-
|
770 |
-
|
771 |
-
|
772 |
-
|
773 |
-
|
774 |
-
|
775 |
-
|
776 |
-
|
777 |
-
|
778 |
-
|
779 |
-
|
780 |
-
|
781 |
-
|
782 |
-
|
783 |
-
|
784 |
-
|
785 |
-
|
786 |
-
|
787 |
-
|
788 |
-
|
789 |
-
|
790 |
-
|
791 |
-
|
792 |
-
|
793 |
-
$
|
794 |
-
|
795 |
-
|
796 |
-
|
797 |
-
|
798 |
-
|
799 |
-
|
800 |
-
|
801 |
-
|
802 |
-
|
803 |
-
|
804 |
-
|
805 |
-
|
806 |
-
|
807 |
-
|
808 |
-
|
809 |
-
|
810 |
-
|
811 |
-
|
812 |
-
|
813 |
-
|
814 |
-
|
815 |
-
|
816 |
-
|
817 |
-
|
818 |
-
|
819 |
-
|
820 |
-
|
821 |
-
|
822 |
-
|
823 |
-
|
824 |
-
|
825 |
-
|
826 |
-
|
827 |
-
|
828 |
-
|
829 |
-
|
830 |
-
|
831 |
-
|
832 |
-
*
|
833 |
-
|
834 |
-
|
835 |
-
|
836 |
-
|
837 |
-
|
838 |
-
|
839 |
-
|
840 |
-
|
841 |
-
|
842 |
-
|
843 |
-
|
844 |
-
|
845 |
-
|
846 |
-
|
847 |
-
|
848 |
-
|
849 |
-
|
850 |
-
|
851 |
-
|
852 |
-
|
853 |
-
|
854 |
-
|
855 |
-
|
856 |
-
|
857 |
-
|
858 |
-
|
859 |
-
|
860 |
-
|
861 |
-
|
862 |
-
|
863 |
-
|
864 |
-
|
865 |
-
|
866 |
-
|
867 |
-
|
868 |
-
|
869 |
-
|
870 |
-
|
871 |
-
|
872 |
-
|
873 |
-
|
874 |
-
|
875 |
-
|
876 |
-
|
877 |
-
|
878 |
-
|
879 |
-
|
880 |
-
|
881 |
-
|
882 |
-
|
883 |
-
|
884 |
-
|
885 |
-
|
886 |
-
|
887 |
-
|
888 |
-
|
889 |
-
|
890 |
-
|
891 |
-
|
892 |
-
|
893 |
-
|
894 |
-
|
895 |
-
|
896 |
-
if (
|
897 |
-
|
898 |
-
|
899 |
-
|
900 |
-
|
901 |
-
|
902 |
-
|
903 |
-
|
904 |
-
|
905 |
-
|
906 |
-
|
907 |
-
|
908 |
-
|
909 |
-
|
910 |
-
|
911 |
-
|
912 |
-
|
913 |
-
|
914 |
-
|
915 |
-
|
916 |
-
|
917 |
-
|
918 |
-
|
919 |
-
|
920 |
-
|
921 |
-
|
922 |
-
|
923 |
-
|
924 |
-
|
925 |
-
|
926 |
-
|
927 |
-
|
928 |
-
|
929 |
-
|
930 |
-
|
931 |
-
|
932 |
-
|
933 |
-
|
934 |
-
|
935 |
-
|
936 |
-
|
937 |
-
|
938 |
-
|
939 |
-
|
940 |
-
|
941 |
-
|
942 |
-
|
943 |
-
|
944 |
-
|
945 |
-
|
946 |
-
|
947 |
-
|
948 |
-
|
949 |
-
|
950 |
-
|
951 |
-
|
952 |
-
|
953 |
-
|
954 |
-
return
|
955 |
-
}
|
956 |
-
|
957 |
-
|
958 |
-
|
959 |
-
|
960 |
-
|
961 |
-
|
962 |
-
|
963 |
-
|
964 |
-
|
965 |
-
|
966 |
-
|
967 |
-
|
968 |
-
|
969 |
-
|
970 |
-
|
971 |
-
|
972 |
-
|
973 |
-
|
974 |
-
|
975 |
-
|
976 |
-
|
977 |
-
|
978 |
-
|
979 |
-
|
980 |
-
|
981 |
-
|
982 |
-
|
983 |
-
|
984 |
-
|
985 |
-
|
986 |
-
|
987 |
-
|
988 |
-
|
989 |
-
|
990 |
-
|
991 |
-
|
992 |
-
|
993 |
-
|
994 |
-
|
995 |
-
|
996 |
-
|
997 |
-
|
998 |
-
|
999 |
-
|
1000 |
-
|
1001 |
-
|
1002 |
-
|
1003 |
-
|
1004 |
-
|
1005 |
-
|
1006 |
-
|
1007 |
-
|
1008 |
-
return
|
1009 |
-
|
1010 |
-
|
1011 |
-
|
1012 |
-
|
1013 |
-
|
1014 |
-
|
1015 |
-
|
1016 |
-
|
1017 |
-
|
1018 |
-
|
1019 |
-
|
1020 |
-
|
1021 |
-
|
1022 |
-
|
1023 |
-
|
1024 |
-
|
1025 |
-
|
1026 |
-
|
1027 |
-
|
1028 |
-
|
1029 |
-
|
1030 |
-
|
1031 |
-
|
1032 |
-
|
1033 |
-
|
1034 |
-
|
1035 |
-
|
1036 |
-
|
1037 |
-
|
1038 |
-
|
1039 |
-
|
1040 |
-
|
1041 |
-
|
1042 |
-
|
1043 |
-
|
1044 |
-
|
1045 |
-
|
1046 |
-
|
1047 |
-
|
1048 |
-
|
1049 |
-
|
1050 |
-
|
1051 |
-
|
1052 |
-
|
1053 |
-
|
1054 |
-
|
1055 |
-
|
1056 |
-
|
1057 |
-
|
1058 |
-
|
1059 |
-
|
1060 |
-
|
1061 |
-
|
1062 |
-
|
1063 |
-
|
1064 |
-
|
1065 |
-
|
1066 |
-
|
1067 |
-
|
1068 |
-
$
|
1069 |
-
|
1070 |
-
|
1071 |
-
|
1072 |
-
|
1073 |
-
|
1074 |
-
|
1075 |
-
|
1076 |
-
|
1077 |
-
|
1078 |
-
|
1079 |
-
|
1080 |
-
|
1081 |
-
|
1082 |
-
|
1083 |
-
|
1084 |
-
|
1085 |
-
|
1086 |
-
|
1087 |
-
|
1088 |
-
|
1089 |
-
|
1090 |
-
|
1091 |
-
|
1092 |
-
|
1093 |
-
|
1094 |
-
|
1095 |
-
|
1096 |
-
|
1097 |
-
|
1098 |
-
|
1099 |
-
|
1100 |
-
|
1101 |
-
|
1102 |
-
|
1103 |
-
|
1104 |
-
|
1105 |
-
|
1106 |
-
|
1107 |
-
|
1108 |
-
|
1109 |
-
|
1110 |
-
|
1111 |
-
|
1112 |
-
|
1113 |
-
|
1114 |
-
|
1115 |
-
|
1116 |
-
|
1117 |
-
|
1118 |
-
|
1119 |
-
|
1120 |
-
|
1121 |
-
|
1122 |
-
$
|
1123 |
-
|
1124 |
-
|
1125 |
-
|
1126 |
-
|
1127 |
-
|
1128 |
-
|
1129 |
-
|
1130 |
-
|
1131 |
-
$this->update_option('
|
1132 |
-
|
1133 |
-
|
1134 |
-
|
1135 |
-
|
1136 |
-
|
1137 |
-
|
1138 |
-
|
1139 |
-
|
1140 |
-
|
1141 |
-
|
1142 |
-
|
1143 |
-
|
1144 |
-
|
1145 |
-
|
1146 |
-
|
1147 |
-
|
1148 |
-
|
1149 |
-
|
1150 |
-
|
1151 |
-
|
1152 |
-
|
1153 |
-
$this->update_option('
|
1154 |
-
|
1155 |
-
$
|
1156 |
-
|
1157 |
-
|
1158 |
-
|
1159 |
-
|
1160 |
-
|
1161 |
-
|
1162 |
-
|
1163 |
-
|
1164 |
-
|
1165 |
-
|
1166 |
-
|
1167 |
-
|
1168 |
-
|
1169 |
-
|
1170 |
-
|
1171 |
-
|
1172 |
-
|
1173 |
-
|
1174 |
-
|
1175 |
-
|
1176 |
-
|
1177 |
-
|
1178 |
-
|
1179 |
-
|
1180 |
-
|
1181 |
-
|
1182 |
-
|
1183 |
-
|
1184 |
-
|
1185 |
-
|
1186 |
-
|
1187 |
-
|
1188 |
-
|
1189 |
-
|
1190 |
-
|
1191 |
-
|
1192 |
-
|
1193 |
-
|
1194 |
-
|
1195 |
-
|
1196 |
-
|
1197 |
-
|
1198 |
-
|
1199 |
-
|
1200 |
-
|
1201 |
-
|
1202 |
-
|
1203 |
-
|
1204 |
-
|
1205 |
-
|
1206 |
-
|
1207 |
-
|
1208 |
-
|
1209 |
-
|
1210 |
-
|
1211 |
-
|
1212 |
-
|
1213 |
-
|
1214 |
-
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
1215 |
}
|
1 |
+
<?php
|
2 |
+
|
3 |
+
/**
|
4 |
+
* Class Limit_Login_Attempts
|
5 |
+
*/
|
6 |
+
class Limit_Login_Attempts
|
7 |
+
{
|
8 |
+
public $default_options = array(
|
9 |
+
'gdpr' => 0,
|
10 |
+
|
11 |
+
/* Are we behind a proxy? */
|
12 |
+
'client_type' => LLA_DIRECT_ADDR,
|
13 |
+
|
14 |
+
/* Lock out after this many tries */
|
15 |
+
'allowed_retries' => 4,
|
16 |
+
|
17 |
+
/* Lock out for this many seconds */
|
18 |
+
'lockout_duration' => 1200, // 20 minutes
|
19 |
+
|
20 |
+
/* Long lock out after this many lockouts */
|
21 |
+
'allowed_lockouts' => 4,
|
22 |
+
|
23 |
+
/* Long lock out for this many seconds */
|
24 |
+
'long_duration' => 86400, // 24 hours,
|
25 |
+
|
26 |
+
/* Reset failed attempts after this many seconds */
|
27 |
+
'valid_duration' => 43200, // 12 hours
|
28 |
+
|
29 |
+
/* Also limit malformed/forged cookies? */
|
30 |
+
'cookies' => true,
|
31 |
+
|
32 |
+
/* Notify on lockout. Values: '', 'log', 'email', 'log,email' */
|
33 |
+
'lockout_notify' => 'log',
|
34 |
+
|
35 |
+
/* If notify by email, do so after this number of lockouts */
|
36 |
+
'notify_email_after' => 4,
|
37 |
+
|
38 |
+
'whitelist' => array(),
|
39 |
+
'whitelist_usernames' => array(),
|
40 |
+
'blacklist' => array(),
|
41 |
+
'blacklist_usernames' => array(),
|
42 |
+
);
|
43 |
+
/**
|
44 |
+
* Admin options page slug
|
45 |
+
* @var string
|
46 |
+
*/
|
47 |
+
private $_options_page_slug = 'limit-login-attempts';
|
48 |
+
|
49 |
+
/**
|
50 |
+
* Errors messages
|
51 |
+
*
|
52 |
+
* @var array
|
53 |
+
*/
|
54 |
+
public $_errors = array();
|
55 |
+
|
56 |
+
public function __construct() {
|
57 |
+
$this->hooks_init();
|
58 |
+
}
|
59 |
+
|
60 |
+
/**
|
61 |
+
* Register wp hooks and filters
|
62 |
+
*/
|
63 |
+
public function hooks_init() {
|
64 |
+
add_action( 'plugins_loaded', array( $this, 'setup' ), 9999 );
|
65 |
+
add_action( 'admin_enqueue_scripts', array( $this, 'enqueue' ) );
|
66 |
+
add_filter( 'limit_login_whitelist_ip', array( $this, 'check_whitelist_ips' ), 10, 2 );
|
67 |
+
add_filter( 'limit_login_whitelist_usernames', array( $this, 'check_whitelist_usernames' ), 10, 2 );
|
68 |
+
add_filter( 'limit_login_blacklist_ip', array( $this, 'check_blacklist_ips' ), 10, 2 );
|
69 |
+
add_filter( 'limit_login_blacklist_usernames', array( $this, 'check_blacklist_usernames' ), 10, 2 );
|
70 |
+
}
|
71 |
+
|
72 |
+
/**
|
73 |
+
* Hook 'plugins_loaded'
|
74 |
+
*/
|
75 |
+
public function setup() {
|
76 |
+
|
77 |
+
// Load languages files
|
78 |
+
load_plugin_textdomain( 'limit-login-attempts-reloaded', false, plugin_basename( dirname( __FILE__ ) ) . '/../languages' );
|
79 |
+
|
80 |
+
// Check if installed old plugin
|
81 |
+
$this->check_original_installed();
|
82 |
+
|
83 |
+
if ( is_multisite() )
|
84 |
+
require_once ABSPATH.'wp-admin/includes/plugin.php';
|
85 |
+
|
86 |
+
$this->network_mode = is_multisite() && is_plugin_active_for_network('limit-login-attempts-reloaded/limit-login-attempts-reloaded.php');
|
87 |
+
|
88 |
+
|
89 |
+
if ( $this->network_mode )
|
90 |
+
{
|
91 |
+
$this->allow_local_options = get_site_option( 'limit_login_allow_local_options', false );
|
92 |
+
$this->use_local_options = $this->allow_local_options && get_option( 'limit_login_use_local_options', false );
|
93 |
+
}
|
94 |
+
else
|
95 |
+
{
|
96 |
+
$this->allow_local_options = true;
|
97 |
+
$this->use_local_options = true;
|
98 |
+
}
|
99 |
+
|
100 |
+
|
101 |
+
// Setup default plugin options
|
102 |
+
//$this->sanitize_options();
|
103 |
+
|
104 |
+
add_action( 'wp_login_failed', array( $this, 'limit_login_failed' ) );
|
105 |
+
add_filter( 'wp_authenticate_user', array( $this, 'wp_authenticate_user' ), 99999, 2 );
|
106 |
+
|
107 |
+
add_filter( 'shake_error_codes', array( $this, 'failure_shake' ) );
|
108 |
+
add_action( 'login_head', array( $this, 'add_error_message' ) );
|
109 |
+
add_action( 'login_errors', array( $this, 'fixup_error_messages' ) );
|
110 |
+
|
111 |
+
if ( $this->network_mode )
|
112 |
+
add_action( 'network_admin_menu', array( $this, 'network_admin_menu' ) );
|
113 |
+
|
114 |
+
if ( $this->allow_local_options )
|
115 |
+
add_action( 'admin_menu', array( $this, 'admin_menu' ) );
|
116 |
+
|
117 |
+
// Add notices for XMLRPC request
|
118 |
+
add_filter( 'xmlrpc_login_error', array( $this, 'xmlrpc_error_messages' ) );
|
119 |
+
|
120 |
+
// Add notices to woocommerce login page
|
121 |
+
add_action( 'wp_head', array( $this, 'add_wc_notices' ) );
|
122 |
+
|
123 |
+
/*
|
124 |
+
* This action should really be changed to the 'authenticate' filter as
|
125 |
+
* it will probably be deprecated. That is however only available in
|
126 |
+
* later versions of WP.
|
127 |
+
*/
|
128 |
+
add_action( 'wp_authenticate', array( $this, 'track_credentials' ), 10, 2 );
|
129 |
+
add_action( 'authenticate', array( $this, 'authenticate_filter' ), 5, 3 );
|
130 |
+
|
131 |
+
if ( defined('XMLRPC_REQUEST') && XMLRPC_REQUEST )
|
132 |
+
add_action( 'init', array( $this, 'check_xmlrpc_lock' ) );
|
133 |
+
|
134 |
+
add_action('wp_ajax_limit-login-unlock', array( $this, 'ajax_unlock' ) );
|
135 |
+
}
|
136 |
+
|
137 |
+
public function check_xmlrpc_lock()
|
138 |
+
{
|
139 |
+
if ( is_user_logged_in() || $this->is_ip_whitelisted() )
|
140 |
+
return;
|
141 |
+
|
142 |
+
if ( $this->is_ip_blacklisted() || !$this->is_limit_login_ok() )
|
143 |
+
{
|
144 |
+
header('HTTP/1.0 403 Forbidden');
|
145 |
+
exit;
|
146 |
+
}
|
147 |
+
}
|
148 |
+
|
149 |
+
public function check_whitelist_ips( $allow, $ip ) {
|
150 |
+
return $this->ip_in_range( $ip, (array) $this->get_option( 'whitelist' ) );
|
151 |
+
}
|
152 |
+
|
153 |
+
public function check_whitelist_usernames( $allow, $username ) {
|
154 |
+
return in_array( $username, (array) $this->get_option( 'whitelist_usernames' ) );
|
155 |
+
}
|
156 |
+
|
157 |
+
public function check_blacklist_ips( $allow, $ip ) {
|
158 |
+
return $this->ip_in_range( $ip, (array) $this->get_option( 'blacklist' ) );
|
159 |
+
}
|
160 |
+
|
161 |
+
public function check_blacklist_usernames( $allow, $username ) {
|
162 |
+
return in_array( $username, (array) $this->get_option( 'blacklist_usernames' ) );
|
163 |
+
}
|
164 |
+
|
165 |
+
public function ip_in_range( $ip, $list )
|
166 |
+
{
|
167 |
+
foreach ( $list as $range )
|
168 |
+
{
|
169 |
+
$range = array_map('trim', explode('-', $range) );
|
170 |
+
if ( count( $range ) == 1 )
|
171 |
+
{
|
172 |
+
if ( (string)$ip === (string)$range[0] )
|
173 |
+
return true;
|
174 |
+
}
|
175 |
+
else
|
176 |
+
{
|
177 |
+
$low = ip2long( $range[0] );
|
178 |
+
$high = ip2long( $range[1] );
|
179 |
+
$needle = ip2long( $ip );
|
180 |
+
|
181 |
+
if ( $low === false || $high === false || $needle === false )
|
182 |
+
continue;
|
183 |
+
|
184 |
+
$low = (float)sprintf("%u",$low);
|
185 |
+
$high = (float)sprintf("%u",$high);
|
186 |
+
$needle = (float)sprintf("%u",$needle);
|
187 |
+
|
188 |
+
if ( $needle >= $low && $needle <= $high )
|
189 |
+
return true;
|
190 |
+
}
|
191 |
+
}
|
192 |
+
|
193 |
+
return false;
|
194 |
+
}
|
195 |
+
|
196 |
+
/**
|
197 |
+
* @param $error IXR_Error
|
198 |
+
*
|
199 |
+
* @return IXR_Error
|
200 |
+
*/
|
201 |
+
public function xmlrpc_error_messages( $error ) {
|
202 |
+
|
203 |
+
if ( ! class_exists( 'IXR_Error' ) ) {
|
204 |
+
return $error;
|
205 |
+
}
|
206 |
+
|
207 |
+
if ( ! $this->is_limit_login_ok() ) {
|
208 |
+
return new IXR_Error( 403, $this->error_msg() );
|
209 |
+
}
|
210 |
+
|
211 |
+
$ip = $this->get_address();
|
212 |
+
$retries = $this->get_option( 'retries' );
|
213 |
+
$valid = $this->get_option( 'retries_valid' );
|
214 |
+
|
215 |
+
/* Should we show retries remaining? */
|
216 |
+
|
217 |
+
if ( ! is_array( $retries ) || ! is_array( $valid ) ) {
|
218 |
+
/* no retries at all */
|
219 |
+
return $error;
|
220 |
+
}
|
221 |
+
if (
|
222 |
+
(! isset( $retries[ $ip ] ) && ! isset( $retries[ $this->getHash($ip) ] )) ||
|
223 |
+
(! isset( $valid[ $ip ] ) && ! isset( $valid[ $this->getHash($ip) ] )) ||
|
224 |
+
(time() > $valid[ $ip ] && time() > $valid[ $this->getHash($ip) ])
|
225 |
+
|
226 |
+
) {
|
227 |
+
/* no: no valid retries */
|
228 |
+
return $error;
|
229 |
+
}
|
230 |
+
if (
|
231 |
+
( ((isset($retries[ $ip ]) ? $retries[ $ip ] : 0) + (isset($retries[ $this->getHash($ip) ]) ? $retries[ $this->getHash($ip) ] : 0)) % $this->get_option( 'allowed_retries' ) ) == 0
|
232 |
+
) {
|
233 |
+
//* no: already been locked out for these retries */
|
234 |
+
return $error;
|
235 |
+
}
|
236 |
+
|
237 |
+
$remaining = max( ( $this->get_option( 'allowed_retries' ) - ( ((isset($retries[ $ip ]) ? $retries[ $ip ] : 0) + (isset($retries[ $this->getHash($ip) ]) ? $retries[ $this->getHash($ip) ] : 0)) % $this->get_option( 'allowed_retries' ) ) ), 0 );
|
238 |
+
|
239 |
+
return new IXR_Error( 403, sprintf( _n( "<strong>%d</strong> attempt remaining.", "<strong>%d</strong> attempts remaining.", $remaining, 'limit-login-attempts-reloaded' ), $remaining ) );
|
240 |
+
}
|
241 |
+
|
242 |
+
/**
|
243 |
+
* Errors on WooCommerce account page
|
244 |
+
*/
|
245 |
+
public function add_wc_notices() {
|
246 |
+
|
247 |
+
global $limit_login_just_lockedout, $limit_login_nonempty_credentials, $limit_login_my_error_shown;
|
248 |
+
|
249 |
+
if ( ! function_exists( 'is_account_page' ) || ! function_exists( 'wc_add_notice' ) ) {
|
250 |
+
return;
|
251 |
+
}
|
252 |
+
|
253 |
+
/*
|
254 |
+
* During lockout we do not want to show any other error messages (like
|
255 |
+
* unknown user or empty password).
|
256 |
+
*/
|
257 |
+
if ( empty( $_POST ) && ! $this->is_limit_login_ok() && ! $limit_login_just_lockedout ) {
|
258 |
+
if ( is_account_page() ) {
|
259 |
+
wc_add_notice( $this->error_msg(), 'error' );
|
260 |
+
}
|
261 |
+
}
|
262 |
+
|
263 |
+
}
|
264 |
+
|
265 |
+
/**
|
266 |
+
* @param $user
|
267 |
+
* @param $username
|
268 |
+
* @param $password
|
269 |
+
*
|
270 |
+
* @return WP_Error | WP_User
|
271 |
+
*/
|
272 |
+
public function authenticate_filter( $user, $username, $password ) {
|
273 |
+
|
274 |
+
if ( ! empty( $username ) && ! empty( $password ) ) {
|
275 |
+
|
276 |
+
$ip = $this->get_address();
|
277 |
+
|
278 |
+
// Check if username is blacklisted
|
279 |
+
if ( ! $this->is_username_whitelisted( $username ) && ! $this->is_ip_whitelisted( $ip ) &&
|
280 |
+
( $this->is_username_blacklisted( $username ) || $this->is_ip_blacklisted( $ip ) )
|
281 |
+
) {
|
282 |
+
|
283 |
+
remove_filter( 'login_errors', array( $this, 'fixup_error_messages' ) );
|
284 |
+
remove_filter( 'login_head', array( $this, 'add_error_message' ) );
|
285 |
+
remove_filter( 'wp_login_failed', array( $this, 'limit_login_failed' ) );
|
286 |
+
remove_filter( 'wp_authenticate_user', array( $this, 'wp_authenticate_user' ), 99999 );
|
287 |
+
remove_filter( 'login_head', array( $this, 'add_error_message' ) );
|
288 |
+
remove_filter( 'login_errors', array( $this, 'fixup_error_messages' ) );
|
289 |
+
|
290 |
+
remove_filter( 'authenticate', 'wp_authenticate_username_password', 20 );
|
291 |
+
remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 );
|
292 |
+
|
293 |
+
$user = new WP_Error();
|
294 |
+
$user->add( 'username_blacklisted', "<strong>ERROR:</strong> Too many failed login attempts." );
|
295 |
+
|
296 |
+
} elseif ( $this->is_username_whitelisted( $username ) || $this->is_ip_whitelisted( $ip ) ) {
|
297 |
+
|
298 |
+
remove_filter( 'wp_login_failed', array( $this, 'limit_login_failed' ) );
|
299 |
+
remove_filter( 'wp_authenticate_user', array( $this, 'wp_authenticate_user' ), 99999 );
|
300 |
+
remove_filter( 'login_head', array( $this, 'add_error_message' ) );
|
301 |
+
remove_filter( 'login_errors', array( $this, 'fixup_error_messages' ) );
|
302 |
+
|
303 |
+
}
|
304 |
+
|
305 |
+
}
|
306 |
+
|
307 |
+
return $user;
|
308 |
+
}
|
309 |
+
|
310 |
+
/**
|
311 |
+
* Check if the original plugin is installed
|
312 |
+
*/
|
313 |
+
private function check_original_installed()
|
314 |
+
{
|
315 |
+
require_once( ABSPATH . '/wp-admin/includes/plugin.php' );
|
316 |
+
if ( is_plugin_active('limit-login-attempts/limit-login-attempts.php') )
|
317 |
+
{
|
318 |
+
deactivate_plugins( 'limit-login-attempts/limit-login-attempts.php', true );
|
319 |
+
//add_action('plugins_loaded', 'limit_login_setup', 99999);
|
320 |
+
remove_action( 'plugins_loaded', 'limit_login_setup', 99999 );
|
321 |
+
}
|
322 |
+
}
|
323 |
+
|
324 |
+
/**
|
325 |
+
* Enqueue js and css
|
326 |
+
*/
|
327 |
+
public function enqueue() {
|
328 |
+
wp_enqueue_style( 'lla-main', LLA_PLUGIN_URL . '/assets/css/limit-login-attempts.css' );
|
329 |
+
}
|
330 |
+
|
331 |
+
/**
|
332 |
+
* Add admin options page
|
333 |
+
*/
|
334 |
+
public function network_admin_menu()
|
335 |
+
{
|
336 |
+
add_submenu_page( 'settings.php', 'Limit Login Attempts', 'Limit Login Attempts', 'manage_options', $this->_options_page_slug, array( $this, 'options_page' ) );
|
337 |
+
}
|
338 |
+
|
339 |
+
public function admin_menu()
|
340 |
+
{
|
341 |
+
add_options_page( 'Limit Login Attempts', 'Limit Login Attempts', 'manage_options', $this->_options_page_slug, array( $this, 'options_page' ) );
|
342 |
+
}
|
343 |
+
|
344 |
+
/**
|
345 |
+
* Get the correct options page URI
|
346 |
+
*
|
347 |
+
* @return mixed
|
348 |
+
*/
|
349 |
+
public function get_options_page_uri()
|
350 |
+
{
|
351 |
+
if ( is_network_admin() )
|
352 |
+
return network_admin_url( 'settings.php?page=limit-login-attempts' );
|
353 |
+
|
354 |
+
return menu_page_url( $this->_options_page_slug, false );
|
355 |
+
}
|
356 |
+
|
357 |
+
/**
|
358 |
+
* Get option by name
|
359 |
+
*
|
360 |
+
* @param $option_name
|
361 |
+
*
|
362 |
+
* @return null
|
363 |
+
*/
|
364 |
+
public function get_option( $option_name, $local = null )
|
365 |
+
{
|
366 |
+
if ( is_null( $local ) )
|
367 |
+
$local = $this->use_local_options;
|
368 |
+
|
369 |
+
$option = 'limit_login_'.$option_name;
|
370 |
+
|
371 |
+
$func = $local ? 'get_option' : 'get_site_option';
|
372 |
+
$value = $func( $option, null );
|
373 |
+
|
374 |
+
if ( is_null( $value ) && isset( $this->default_options[ $option_name ] ) )
|
375 |
+
$value = $this->default_options[ $option_name ];
|
376 |
+
|
377 |
+
return $value;
|
378 |
+
}
|
379 |
+
|
380 |
+
public function update_option( $option_name, $value, $local = null )
|
381 |
+
{
|
382 |
+
if ( is_null( $local ) )
|
383 |
+
$local = $this->use_local_options;
|
384 |
+
|
385 |
+
$option = 'limit_login_'.$option_name;
|
386 |
+
|
387 |
+
$func = $local ? 'update_option' : 'update_site_option';
|
388 |
+
|
389 |
+
return $func( $option, $value );
|
390 |
+
}
|
391 |
+
|
392 |
+
public function add_option( $option_name, $value, $local=null )
|
393 |
+
{
|
394 |
+
if ( is_null( $local ) )
|
395 |
+
$local = $this->use_local_options;
|
396 |
+
|
397 |
+
$option = 'limit_login_'.$option_name;
|
398 |
+
|
399 |
+
$func = $local ? 'add_option' : 'add_site_option';
|
400 |
+
|
401 |
+
return $func( $option, $value, '', 'no' );
|
402 |
+
}
|
403 |
+
|
404 |
+
/**
|
405 |
+
* Setup main options
|
406 |
+
*/
|
407 |
+
public function sanitize_options()
|
408 |
+
{
|
409 |
+
$simple_int_options = array( 'allowed_retries', 'lockout_duration', 'valid_duration', 'allowed_lockouts', 'long_duration', 'notify_email_after');
|
410 |
+
foreach ( $simple_int_options as $option )
|
411 |
+
{
|
412 |
+
$val = $this->get_option( $option );
|
413 |
+
if ( (int)$val != $val || (int)$val <= 0 )
|
414 |
+
$this->update_option( $option, 1 );
|
415 |
+
}
|
416 |
+
if ( $this->get_option('notify_email_after') > $this->get_option( 'allowed_lockouts' ) )
|
417 |
+
$this->update_option( 'notify_email_after', $this->get_option( 'allowed_lockouts' ) );
|
418 |
+
|
419 |
+
$args = explode( ',', $this->get_option( 'lockout_notify' ) );
|
420 |
+
$args_allowed = explode( ',', LLA_LOCKOUT_NOTIFY_ALLOWED );
|
421 |
+
$new_args = array_intersect( $args, $args_allowed );
|
422 |
+
|
423 |
+
$this->update_option( 'lockout_notify', implode( ',', $new_args ) );
|
424 |
+
|
425 |
+
$ctype = $this->get_option( 'client_type' );
|
426 |
+
if ( $ctype != LLA_DIRECT_ADDR && $ctype != LLA_PROXY_ADDR )
|
427 |
+
$this->update_option( 'client_type', LLA_DIRECT_ADDR );
|
428 |
+
}
|
429 |
+
|
430 |
+
/**
|
431 |
+
* Check if it is ok to login
|
432 |
+
*
|
433 |
+
* @return bool
|
434 |
+
*/
|
435 |
+
public function is_limit_login_ok() {
|
436 |
+
|
437 |
+
$ip = $this->get_address();
|
438 |
+
|
439 |
+
/* Check external whitelist filter */
|
440 |
+
if ( $this->is_ip_whitelisted( $ip ) ) {
|
441 |
+
return true;
|
442 |
+
}
|
443 |
+
|
444 |
+
/* lockout active? */
|
445 |
+
$lockouts = $this->get_option( 'lockouts' );
|
446 |
+
|
447 |
+
$a = $this->checkKey($lockouts, $ip);
|
448 |
+
$b = $this->checkKey($lockouts, $this->getHash($ip));
|
449 |
+
return (
|
450 |
+
! is_array( $lockouts ) ||
|
451 |
+
(! isset( $lockouts[ $ip ] ) && ! isset( $lockouts[ $this->getHash($ip) ] )) ||
|
452 |
+
(time() >= $a && time() >= $b ));
|
453 |
+
}
|
454 |
+
|
455 |
+
/**
|
456 |
+
* Action when login attempt failed
|
457 |
+
*
|
458 |
+
* Increase nr of retries (if necessary). Reset valid value. Setup
|
459 |
+
* lockout if nr of retries are above threshold. And more!
|
460 |
+
*
|
461 |
+
* A note on external whitelist: retries and statistics are still counted and
|
462 |
+
* notifications done as usual, but no lockout is done.
|
463 |
+
*
|
464 |
+
* @param $username
|
465 |
+
*/
|
466 |
+
public function limit_login_failed( $username ) {
|
467 |
+
|
468 |
+
$ip = $this->get_address();
|
469 |
+
$ipHash = $this->getHash($this->get_address());
|
470 |
+
|
471 |
+
/* if currently locked-out, do not add to retries */
|
472 |
+
$lockouts = $this->get_option( 'lockouts' );
|
473 |
+
|
474 |
+
if ( ! is_array( $lockouts ) ) {
|
475 |
+
$lockouts = array();
|
476 |
+
}
|
477 |
+
|
478 |
+
if ( (isset( $lockouts[ $ip ] ) && time() < $lockouts[ $ip ]) || (isset( $lockouts[ $ipHash ] ) && time() < $lockouts[ $ipHash ] )) {
|
479 |
+
return;
|
480 |
+
}
|
481 |
+
|
482 |
+
/* Get the arrays with retries and retries-valid information */
|
483 |
+
$retries = $this->get_option( 'retries' );
|
484 |
+
$valid = $this->get_option( 'retries_valid' );
|
485 |
+
|
486 |
+
if ( ! is_array( $retries ) ) {
|
487 |
+
$retries = array();
|
488 |
+
$this->add_option( 'retries', $retries );
|
489 |
+
}
|
490 |
+
|
491 |
+
if ( ! is_array( $valid ) ) {
|
492 |
+
$valid = array();
|
493 |
+
$this->add_option( 'retries_valid', $valid );
|
494 |
+
}
|
495 |
+
|
496 |
+
$gdpr = $this->get_option('gdpr');
|
497 |
+
$ip = ($gdpr ? $ipHash : $ip);
|
498 |
+
/* Check validity and add one to retries */
|
499 |
+
if ( isset( $retries[ $ip ] ) && isset( $valid[ $ip ] ) && time() < $valid[ $ip ]) {
|
500 |
+
$retries[ $ip ] ++;
|
501 |
+
} else {
|
502 |
+
$retries[ $ip ] = 1;
|
503 |
+
}
|
504 |
+
$valid[ $ip ] = time() + $this->get_option( 'valid_duration' );
|
505 |
+
|
506 |
+
/* lockout? */
|
507 |
+
if ( $retries[ $ip ] % $this->get_option( 'allowed_retries' ) != 0 ) {
|
508 |
+
/*
|
509 |
+
* Not lockout (yet!)
|
510 |
+
* Do housecleaning (which also saves retry/valid values).
|
511 |
+
*/
|
512 |
+
$this->cleanup( $retries, null, $valid );
|
513 |
+
|
514 |
+
return;
|
515 |
+
}
|
516 |
+
|
517 |
+
/* lockout! */
|
518 |
+
$whitelisted = $this->is_ip_whitelisted( $ip );
|
519 |
+
$retries_long = $this->get_option( 'allowed_retries' ) * $this->get_option( 'allowed_lockouts' );
|
520 |
+
|
521 |
+
/*
|
522 |
+
* Note that retries and statistics are still counted and notifications
|
523 |
+
* done as usual for whitelisted ips , but no lockout is done.
|
524 |
+
*/
|
525 |
+
if ( $whitelisted ) {
|
526 |
+
if ( $retries[ $ip ] >= $retries_long ) {
|
527 |
+
unset( $retries[ $ip ] );
|
528 |
+
unset( $valid[ $ip ] );
|
529 |
+
}
|
530 |
+
} else {
|
531 |
+
global $limit_login_just_lockedout;
|
532 |
+
$limit_login_just_lockedout = true;
|
533 |
+
$gdpr = $this->get_option('gdpr');
|
534 |
+
$index = ($gdpr ? $ipHash : $ip);
|
535 |
+
|
536 |
+
/* setup lockout, reset retries as needed */
|
537 |
+
if ( (isset($retries[ $ip ]) ? $retries[ $ip ] : 0) >= $retries_long || (isset($retries[ $ipHash ]) ? $retries[ $ipHash ] : 0) >= $retries_long ) {
|
538 |
+
/* long lockout */
|
539 |
+
$lockouts[ $index ] = time() + $this->get_option( 'long_duration' );
|
540 |
+
unset( $retries[ $index ] );
|
541 |
+
unset( $valid[ $index ] );
|
542 |
+
} else {
|
543 |
+
/* normal lockout */
|
544 |
+
$lockouts[ $index ] = time() + $this->get_option( 'lockout_duration' );
|
545 |
+
}
|
546 |
+
}
|
547 |
+
|
548 |
+
/* do housecleaning and save values */
|
549 |
+
$this->cleanup( $retries, $lockouts, $valid );
|
550 |
+
|
551 |
+
/* do any notification */
|
552 |
+
$this->notify( $username );
|
553 |
+
|
554 |
+
/* increase statistics */
|
555 |
+
$total = $this->get_option( 'lockouts_total' );
|
556 |
+
if ( $total === false || ! is_numeric( $total ) ) {
|
557 |
+
$this->add_option( 'lockouts_total', 1 );
|
558 |
+
} else {
|
559 |
+
$this->update_option( 'lockouts_total', $total + 1 );
|
560 |
+
}
|
561 |
+
}
|
562 |
+
|
563 |
+
/**
|
564 |
+
* Handle notification in event of lockout
|
565 |
+
*
|
566 |
+
* @param $user
|
567 |
+
*/
|
568 |
+
public function notify( $user ) {
|
569 |
+
$args = explode( ',', $this->get_option( 'lockout_notify' ) );
|
570 |
+
|
571 |
+
if ( empty( $args ) ) {
|
572 |
+
return;
|
573 |
+
}
|
574 |
+
|
575 |
+
foreach ( $args as $mode ) {
|
576 |
+
switch ( trim( $mode ) ) {
|
577 |
+
case 'email':
|
578 |
+
$this->notify_email( $user );
|
579 |
+
break;
|
580 |
+
case 'log':
|
581 |
+
$this->notify_log( $user );
|
582 |
+
break;
|
583 |
+
}
|
584 |
+
}
|
585 |
+
}
|
586 |
+
|
587 |
+
/**
|
588 |
+
* Email notification of lockout to admin (if configured)
|
589 |
+
*
|
590 |
+
* @param $user
|
591 |
+
*/
|
592 |
+
public function notify_email( $user ) {
|
593 |
+
$ip = $this->get_address();
|
594 |
+
$whitelisted = $this->is_ip_whitelisted( $ip );
|
595 |
+
|
596 |
+
$retries = $this->get_option( 'retries' );
|
597 |
+
if ( ! is_array( $retries ) ) {
|
598 |
+
$retries = array();
|
599 |
+
}
|
600 |
+
|
601 |
+
/* check if we are at the right nr to do notification */
|
602 |
+
if (
|
603 |
+
(isset( $retries[ $ip ] ) || isset( $retries[ $this->getHash($ip) ] ))
|
604 |
+
&&
|
605 |
+
( ( intval($retries[ $ip ] + $retries[ $this->getHash($ip) ]) / $this->get_option( 'allowed_retries' ) ) % $this->get_option( 'notify_email_after' ) ) != 0 ) {
|
606 |
+
return;
|
607 |
+
}
|
608 |
+
|
609 |
+
/* Format message. First current lockout duration */
|
610 |
+
if ( !isset( $retries[ $ip ] ) && !isset( $retries[ $this->getHash($ip) ] ) ) {
|
611 |
+
/* longer lockout */
|
612 |
+
$count = $this->get_option( 'allowed_retries' )
|
613 |
+
* $this->get_option( 'allowed_lockouts' );
|
614 |
+
$lockouts = $this->get_option( 'allowed_lockouts' );
|
615 |
+
$time = round( $this->get_option( 'long_duration' ) / 3600 );
|
616 |
+
$when = sprintf( _n( '%d hour', '%d hours', $time, 'limit-login-attempts-reloaded' ), $time );
|
617 |
+
} else {
|
618 |
+
/* normal lockout */
|
619 |
+
$count = $retries[ $ip ] + $retries[ $this->getHash($ip) ];
|
620 |
+
$lockouts = floor( ($count) / $this->get_option( 'allowed_retries' ) );
|
621 |
+
$time = round( $this->get_option( 'lockout_duration' ) / 60 );
|
622 |
+
$when = sprintf( _n( '%d minute', '%d minutes', $time, 'limit-login-attempts-reloaded' ), $time );
|
623 |
+
}
|
624 |
+
|
625 |
+
$blogname = $this->use_local_options ? get_option( 'blogname' ) : get_site_option( 'site_name' );
|
626 |
+
$blogname = htmlspecialchars_decode( $blogname, ENT_QUOTES );
|
627 |
+
|
628 |
+
if ( $whitelisted ) {
|
629 |
+
$subject = sprintf( __( "[%s] Failed login attempts from whitelisted IP"
|
630 |
+
, 'limit-login-attempts-reloaded' )
|
631 |
+
, $blogname );
|
632 |
+
} else {
|
633 |
+
$subject = sprintf( __( "[%s] Too many failed login attempts"
|
634 |
+
, 'limit-login-attempts-reloaded' )
|
635 |
+
, $blogname );
|
636 |
+
}
|
637 |
+
|
638 |
+
$message = sprintf( __( "%d failed login attempts (%d lockout(s)) from IP: %s"
|
639 |
+
, 'limit-login-attempts-reloaded' ) . "\r\n\r\n"
|
640 |
+
, $count, $lockouts, $ip );
|
641 |
+
if ( $user != '' ) {
|
642 |
+
$message .= sprintf( __( "Last user attempted: %s", 'limit-login-attempts-reloaded' )
|
643 |
+
. "\r\n\r\n", $user );
|
644 |
+
}
|
645 |
+
if ( $whitelisted ) {
|
646 |
+
$message .= __( "IP was NOT blocked because of external whitelist.", 'limit-login-attempts-reloaded' );
|
647 |
+
} else {
|
648 |
+
$message .= sprintf( __( "IP was blocked for %s", 'limit-login-attempts-reloaded' ), $when );
|
649 |
+
}
|
650 |
+
|
651 |
+
$admin_email = $this->use_local_options ? get_option( 'admin_email' ) : get_site_option( 'admin_email' );
|
652 |
+
|
653 |
+
@wp_mail( $admin_email, $subject, $message );
|
654 |
+
}
|
655 |
+
|
656 |
+
/**
|
657 |
+
* Logging of lockout (if configured)
|
658 |
+
*
|
659 |
+
* @param $user_login
|
660 |
+
*
|
661 |
+
* @internal param $user
|
662 |
+
*/
|
663 |
+
public function notify_log( $user_login ) {
|
664 |
+
|
665 |
+
if ( ! $user_login ) {
|
666 |
+
return;
|
667 |
+
}
|
668 |
+
|
669 |
+
$log = $option = $this->get_option( 'logged' );
|
670 |
+
if ( ! is_array( $log ) ) {
|
671 |
+
$log = array();
|
672 |
+
}
|
673 |
+
$ip = $this->get_address();
|
674 |
+
|
675 |
+
$index = ($this->get_option('gdpr') ? $this->getHash($ip) : $ip );
|
676 |
+
/* can be written much simpler, if you do not mind php warnings */
|
677 |
+
if ( !isset( $log[ $index ] ) )
|
678 |
+
$log[ $index ] = array();
|
679 |
+
|
680 |
+
if ( !isset( $log[ $index ][ $user_login ] ) )
|
681 |
+
$log[ $index ][ $user_login ] = array( 'counter' => 0 );
|
682 |
+
|
683 |
+
elseif ( !is_array( $log[ $index ][ $user_login ] ) )
|
684 |
+
$log[ $index ][ $user_login ] = array(
|
685 |
+
'counter' => $log[ $index ][ $user_login ],
|
686 |
+
);
|
687 |
+
|
688 |
+
$log[ $index ][ $user_login ]['counter']++;
|
689 |
+
$log[ $index ][ $user_login ]['date'] = time();
|
690 |
+
|
691 |
+
if ( isset( $_POST['woocommerce-login-nonce'] ) ) {
|
692 |
+
$gateway = 'WooCommerce';
|
693 |
+
} elseif ( isset( $GLOBALS['wp_xmlrpc_server'] ) && is_object( $GLOBALS['wp_xmlrpc_server'] ) ) {
|
694 |
+
$gateway = 'XMLRPC';
|
695 |
+
} else {
|
696 |
+
$gateway = 'WP Login';
|
697 |
+
}
|
698 |
+
|
699 |
+
$log[ $index ][ $user_login ]['gateway'] = $gateway;
|
700 |
+
|
701 |
+
if ( $option === false ) {
|
702 |
+
$this->add_option( 'logged', $log );
|
703 |
+
} else {
|
704 |
+
$this->update_option( 'logged', $log );
|
705 |
+
}
|
706 |
+
}
|
707 |
+
|
708 |
+
/**
|
709 |
+
* Check if IP is whitelisted.
|
710 |
+
*
|
711 |
+
* This function allow external ip whitelisting using a filter. Note that it can
|
712 |
+
* be called multiple times during the login process.
|
713 |
+
*
|
714 |
+
* Note that retries and statistics are still counted and notifications
|
715 |
+
* done as usual for whitelisted ips , but no lockout is done.
|
716 |
+
*
|
717 |
+
* Example:
|
718 |
+
* function my_ip_whitelist($allow, $ip) {
|
719 |
+
* return ($ip == 'my-ip') ? true : $allow;
|
720 |
+
* }
|
721 |
+
* add_filter('limit_login_whitelist_ip', 'my_ip_whitelist', 10, 2);
|
722 |
+
*
|
723 |
+
* @param null $ip
|
724 |
+
*
|
725 |
+
* @return bool
|
726 |
+
*/
|
727 |
+
public function is_ip_whitelisted( $ip = null ) {
|
728 |
+
|
729 |
+
if ( is_null( $ip ) ) {
|
730 |
+
$ip = $this->get_address();
|
731 |
+
}
|
732 |
+
|
733 |
+
$whitelisted = apply_filters( 'limit_login_whitelist_ip', false, $ip );
|
734 |
+
|
735 |
+
return ( $whitelisted === true );
|
736 |
+
}
|
737 |
+
|
738 |
+
public function is_username_whitelisted( $username ) {
|
739 |
+
|
740 |
+
if ( empty( $username ) ) {
|
741 |
+
return false;
|
742 |
+
}
|
743 |
+
|
744 |
+
$whitelisted = apply_filters( 'limit_login_whitelist_usernames', false, $username );
|
745 |
+
|
746 |
+
return ( $whitelisted === true );
|
747 |
+
}
|
748 |
+
|
749 |
+
public function is_ip_blacklisted( $ip = null ) {
|
750 |
+
|
751 |
+
if ( is_null( $ip ) ) {
|
752 |
+
$ip = $this->get_address();
|
753 |
+
}
|
754 |
+
|
755 |
+
$whitelisted = apply_filters( 'limit_login_blacklist_ip', false, $ip );
|
756 |
+
|
757 |
+
return ( $whitelisted === true );
|
758 |
+
}
|
759 |
+
|
760 |
+
public function is_username_blacklisted( $username ) {
|
761 |
+
|
762 |
+
if ( empty( $username ) ) {
|
763 |
+
return false;
|
764 |
+
}
|
765 |
+
|
766 |
+
$whitelisted = apply_filters( 'limit_login_blacklist_usernames', false, $username );
|
767 |
+
|
768 |
+
return ( $whitelisted === true );
|
769 |
+
}
|
770 |
+
|
771 |
+
/**
|
772 |
+
* Filter: allow login attempt? (called from wp_authenticate())
|
773 |
+
*
|
774 |
+
* @param $user WP_User
|
775 |
+
* @param $password
|
776 |
+
*
|
777 |
+
* @return \WP_Error
|
778 |
+
*/
|
779 |
+
public function wp_authenticate_user( $user, $password ) {
|
780 |
+
|
781 |
+
if ( is_wp_error( $user ) ||
|
782 |
+
$this->check_whitelist_ips( false, $this->get_address() ) ||
|
783 |
+
$this->check_whitelist_usernames( false, $user->user_login ) ||
|
784 |
+
$this->is_limit_login_ok()
|
785 |
+
) {
|
786 |
+
|
787 |
+
return $user;
|
788 |
+
}
|
789 |
+
|
790 |
+
$error = new WP_Error();
|
791 |
+
|
792 |
+
global $limit_login_my_error_shown;
|
793 |
+
$limit_login_my_error_shown = true;
|
794 |
+
|
795 |
+
if ( $this->is_username_blacklisted( $user->user_login ) || $this->is_ip_blacklisted( $this->get_address() ) ) {
|
796 |
+
$error->add( 'username_blacklisted', "<strong>ERROR:</strong> Too many failed login attempts." );
|
797 |
+
} else {
|
798 |
+
// This error should be the same as in "shake it" filter below
|
799 |
+
$error->add( 'too_many_retries', $this->error_msg() );
|
800 |
+
}
|
801 |
+
|
802 |
+
return $error;
|
803 |
+
}
|
804 |
+
|
805 |
+
/**
|
806 |
+
* Filter: add this failure to login page "Shake it!"
|
807 |
+
*
|
808 |
+
* @param $error_codes
|
809 |
+
*
|
810 |
+
* @return array
|
811 |
+
*/
|
812 |
+
public function failure_shake( $error_codes ) {
|
813 |
+
$error_codes[] = 'too_many_retries';
|
814 |
+
$error_codes[] = 'username_blacklisted';
|
815 |
+
|
816 |
+
return $error_codes;
|
817 |
+
}
|
818 |
+
|
819 |
+
/**
|
820 |
+
* Keep track of if user or password are empty, to filter errors correctly
|
821 |
+
*
|
822 |
+
* @param $user
|
823 |
+
* @param $password
|
824 |
+
*/
|
825 |
+
public function track_credentials( $user, $password ) {
|
826 |
+
global $limit_login_nonempty_credentials;
|
827 |
+
|
828 |
+
$limit_login_nonempty_credentials = ( ! empty( $user ) && ! empty( $password ) );
|
829 |
+
}
|
830 |
+
|
831 |
+
/**
|
832 |
+
* Should we show errors and messages on this page?
|
833 |
+
*
|
834 |
+
* @return bool
|
835 |
+
*/
|
836 |
+
public function login_show_msg() {
|
837 |
+
if ( isset( $_GET['key'] ) ) {
|
838 |
+
/* reset password */
|
839 |
+
return false;
|
840 |
+
}
|
841 |
+
|
842 |
+
$action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';
|
843 |
+
|
844 |
+
return ( $action != 'lostpassword' && $action != 'retrievepassword'
|
845 |
+
&& $action != 'resetpass' && $action != 'rp'
|
846 |
+
&& $action != 'register' );
|
847 |
+
}
|
848 |
+
|
849 |
+
/**
|
850 |
+
* Construct informative error message
|
851 |
+
*
|
852 |
+
* @return string
|
853 |
+
*/
|
854 |
+
public function error_msg() {
|
855 |
+
$ip = $this->get_address();
|
856 |
+
$lockouts = $this->get_option( 'lockouts' );
|
857 |
+
$a = $this->checkKey($lockouts, $ip);
|
858 |
+
$b = $this->checkKey($lockouts, $this->getHash($ip));
|
859 |
+
|
860 |
+
$msg = __( '<strong>ERROR</strong>: Too many failed login attempts.', 'limit-login-attempts-reloaded' ) . ' ';
|
861 |
+
|
862 |
+
if (
|
863 |
+
! is_array( $lockouts ) ||
|
864 |
+
( ! isset( $lockouts[ $ip ] ) && ! isset( $lockouts[$this->getHash($ip)]) ) ||
|
865 |
+
(time() >= $a && time() >= $b)
|
866 |
+
){
|
867 |
+
/* Huh? No timeout active? */
|
868 |
+
$msg .= __( 'Please try again later.', 'limit-login-attempts-reloaded' );
|
869 |
+
|
870 |
+
return $msg;
|
871 |
+
}
|
872 |
+
|
873 |
+
$when = ceil( ( ($a > $b ? $a : $b) - time() ) / 60 );
|
874 |
+
if ( $when > 60 ) {
|
875 |
+
$when = ceil( $when / 60 );
|
876 |
+
$msg .= sprintf( _n( 'Please try again in %d hour.', 'Please try again in %d hours.', $when, 'limit-login-attempts-reloaded' ), $when );
|
877 |
+
} else {
|
878 |
+
$msg .= sprintf( _n( 'Please try again in %d minute.', 'Please try again in %d minutes.', $when, 'limit-login-attempts-reloaded' ), $when );
|
879 |
+
}
|
880 |
+
|
881 |
+
return $msg;
|
882 |
+
}
|
883 |
+
|
884 |
+
/**
|
885 |
+
* Add a message to login page when necessary
|
886 |
+
*/
|
887 |
+
public function add_error_message() {
|
888 |
+
global $error, $limit_login_my_error_shown;
|
889 |
+
|
890 |
+
if ( ! $this->login_show_msg() || $limit_login_my_error_shown ) {
|
891 |
+
return;
|
892 |
+
}
|
893 |
+
|
894 |
+
$msg = $this->get_message();
|
895 |
+
|
896 |
+
if ( $msg != '' ) {
|
897 |
+
$limit_login_my_error_shown = true;
|
898 |
+
$error .= $msg;
|
899 |
+
}
|
900 |
+
|
901 |
+
return;
|
902 |
+
}
|
903 |
+
|
904 |
+
/**
|
905 |
+
* Fix up the error message before showing it
|
906 |
+
*
|
907 |
+
* @param $content
|
908 |
+
*
|
909 |
+
* @return string
|
910 |
+
*/
|
911 |
+
public function fixup_error_messages( $content ) {
|
912 |
+
global $limit_login_just_lockedout, $limit_login_nonempty_credentials, $limit_login_my_error_shown;
|
913 |
+
|
914 |
+
if ( ! $this->login_show_msg() ) {
|
915 |
+
return $content;
|
916 |
+
}
|
917 |
+
|
918 |
+
/*
|
919 |
+
* During lockout we do not want to show any other error messages (like
|
920 |
+
* unknown user or empty password).
|
921 |
+
*/
|
922 |
+
if ( ! $this->is_limit_login_ok() && ! $limit_login_just_lockedout ) {
|
923 |
+
return $this->error_msg();
|
924 |
+
}
|
925 |
+
|
926 |
+
/*
|
927 |
+
* We want to filter the messages 'Invalid username' and
|
928 |
+
* 'Invalid password' as that is an information leak regarding user
|
929 |
+
* account names (prior to WP 2.9?).
|
930 |
+
*
|
931 |
+
* Also, if more than one error message, put an extra <br /> tag between
|
932 |
+
* them.
|
933 |
+
*/
|
934 |
+
$msgs = explode( "<br />\n", $content );
|
935 |
+
|
936 |
+
if ( strlen( end( $msgs ) ) == 0 ) {
|
937 |
+
/* remove last entry empty string */
|
938 |
+
array_pop( $msgs );
|
939 |
+
}
|
940 |
+
|
941 |
+
$count = count( $msgs );
|
942 |
+
$my_warn_count = $limit_login_my_error_shown ? 1 : 0;
|
943 |
+
|
944 |
+
if ( $limit_login_nonempty_credentials && $count > $my_warn_count ) {
|
945 |
+
/* Replace error message, including ours if necessary */
|
946 |
+
$content = __( '<strong>ERROR</strong>: Incorrect username or password.', 'limit-login-attempts-reloaded' ) . "<br />\n";
|
947 |
+
|
948 |
+
if ( $limit_login_my_error_shown || $this->get_message() ) {
|
949 |
+
$content .= "<br />\n" . $this->get_message() . "<br />\n";
|
950 |
+
}
|
951 |
+
|
952 |
+
return $content;
|
953 |
+
} elseif ( $count <= 1 ) {
|
954 |
+
return $content;
|
955 |
+
}
|
956 |
+
|
957 |
+
$new = '';
|
958 |
+
while ( $count -- > 0 ) {
|
959 |
+
$new .= array_shift( $msgs ) . "<br />\n";
|
960 |
+
if ( $count > 0 ) {
|
961 |
+
$new .= "<br />\n";
|
962 |
+
}
|
963 |
+
}
|
964 |
+
|
965 |
+
return $new;
|
966 |
+
}
|
967 |
+
|
968 |
+
public function fixup_error_messages_wc( \WP_Error $error ) {
|
969 |
+
$error->add( 1, __( 'WC Error' ) );
|
970 |
+
}
|
971 |
+
|
972 |
+
/**
|
973 |
+
* Return current (error) message to show, if any
|
974 |
+
*
|
975 |
+
* @return string
|
976 |
+
*/
|
977 |
+
public function get_message() {
|
978 |
+
/* Check external whitelist */
|
979 |
+
if ( $this->is_ip_whitelisted() ) {
|
980 |
+
return '';
|
981 |
+
}
|
982 |
+
|
983 |
+
/* Is lockout in effect? */
|
984 |
+
if ( ! $this->is_limit_login_ok() ) {
|
985 |
+
return $this->error_msg();
|
986 |
+
}
|
987 |
+
|
988 |
+
return $this->retries_remaining_msg();
|
989 |
+
}
|
990 |
+
|
991 |
+
/**
|
992 |
+
* Construct retries remaining message
|
993 |
+
*
|
994 |
+
* @return string
|
995 |
+
*/
|
996 |
+
public function retries_remaining_msg() {
|
997 |
+
$ip = $this->get_address();
|
998 |
+
$retries = $this->get_option( 'retries' );
|
999 |
+
$valid = $this->get_option( 'retries_valid' );
|
1000 |
+
$a = $this->checkKey($retries, $ip);
|
1001 |
+
$b = $this->checkKey($retries, $this->getHash($ip));
|
1002 |
+
$c = $this->checkKey($valid, $ip);
|
1003 |
+
$d = $this->checkKey($valid, $this->getHash($ip));
|
1004 |
+
|
1005 |
+
/* Should we show retries remaining? */
|
1006 |
+
if ( ! is_array( $retries ) || ! is_array( $valid ) ) {
|
1007 |
+
/* no retries at all */
|
1008 |
+
return '';
|
1009 |
+
}
|
1010 |
+
if (
|
1011 |
+
(! isset( $retries[ $ip ] ) && ! isset( $retries[ $this->getHash($ip) ] )) ||
|
1012 |
+
(! isset( $valid[ $ip ] ) && ! isset( $valid[ $this->getHash($ip) ] )) ||
|
1013 |
+
( time() > $c && time() > $d )
|
1014 |
+
) {
|
1015 |
+
/* no: no valid retries */
|
1016 |
+
return '';
|
1017 |
+
}
|
1018 |
+
if (
|
1019 |
+
( $a % $this->get_option( 'allowed_retries' ) ) == 0 &&
|
1020 |
+
( $b % $this->get_option( 'allowed_retries' ) ) == 0
|
1021 |
+
) {
|
1022 |
+
/* no: already been locked out for these retries */
|
1023 |
+
return '';
|
1024 |
+
}
|
1025 |
+
|
1026 |
+
$remaining = max( ( $this->get_option( 'allowed_retries' ) - ( ($a + $b) % $this->get_option( 'allowed_retries' ) ) ), 0 );
|
1027 |
+
|
1028 |
+
return sprintf( _n( "<strong>%d</strong> attempt remaining.", "<strong>%d</strong> attempts remaining.", $remaining, 'limit-login-attempts-reloaded' ), $remaining );
|
1029 |
+
}
|
1030 |
+
|
1031 |
+
/**
|
1032 |
+
* Get correct remote address
|
1033 |
+
*
|
1034 |
+
* @param string $type_name
|
1035 |
+
*
|
1036 |
+
* @return string
|
1037 |
+
*/
|
1038 |
+
public function get_address() {
|
1039 |
+
|
1040 |
+
if ( !empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) )
|
1041 |
+
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
|
1042 |
+
|
1043 |
+
elseif ( !empty( $_SERVER['HTTP_X_SUCURI_CLIENTIP'] ) )
|
1044 |
+
$ip = $_SERVER['HTTP_X_SUCURI_CLIENTIP'];
|
1045 |
+
|
1046 |
+
elseif ( isset( $_SERVER['REMOTE_ADDR'] ) )
|
1047 |
+
$ip = $_SERVER['REMOTE_ADDR'];
|
1048 |
+
|
1049 |
+
else
|
1050 |
+
$ip = '';
|
1051 |
+
|
1052 |
+
$ip = preg_replace('/^(\d+\.\d+\.\d+\.\d+):\d+$/', '\1', $ip);
|
1053 |
+
return $ip;
|
1054 |
+
}
|
1055 |
+
|
1056 |
+
/**
|
1057 |
+
* Clean up old lockouts and retries, and save supplied arrays
|
1058 |
+
*
|
1059 |
+
* @param null $retries
|
1060 |
+
* @param null $lockouts
|
1061 |
+
* @param null $valid
|
1062 |
+
*/
|
1063 |
+
public function cleanup( $retries = null, $lockouts = null, $valid = null ) {
|
1064 |
+
$now = time();
|
1065 |
+
$lockouts = ! is_null( $lockouts ) ? $lockouts : $this->get_option( 'lockouts' );
|
1066 |
+
|
1067 |
+
/* remove old lockouts */
|
1068 |
+
if ( is_array( $lockouts ) ) {
|
1069 |
+
foreach ( $lockouts as $ip => $lockout ) {
|
1070 |
+
if ( $lockout < $now ) {
|
1071 |
+
unset( $lockouts[ $ip ] );
|
1072 |
+
}
|
1073 |
+
}
|
1074 |
+
$this->update_option( 'lockouts', $lockouts );
|
1075 |
+
}
|
1076 |
+
|
1077 |
+
/* remove retries that are no longer valid */
|
1078 |
+
$valid = ! is_null( $valid ) ? $valid : $this->get_option( 'retries_valid' );
|
1079 |
+
$retries = ! is_null( $retries ) ? $retries : $this->get_option( 'retries' );
|
1080 |
+
if ( ! is_array( $valid ) || ! is_array( $retries ) ) {
|
1081 |
+
return;
|
1082 |
+
}
|
1083 |
+
|
1084 |
+
foreach ( $valid as $ip => $lockout ) {
|
1085 |
+
if ( $lockout < $now ) {
|
1086 |
+
unset( $valid[ $ip ] );
|
1087 |
+
unset( $retries[ $ip ] );
|
1088 |
+
}
|
1089 |
+
}
|
1090 |
+
|
1091 |
+
/* go through retries directly, if for some reason they've gone out of sync */
|
1092 |
+
foreach ( $retries as $ip => $retry ) {
|
1093 |
+
if ( ! isset( $valid[ $ip ] ) ) {
|
1094 |
+
unset( $retries[ $ip ] );
|
1095 |
+
}
|
1096 |
+
}
|
1097 |
+
|
1098 |
+
$this->update_option( 'retries', $retries );
|
1099 |
+
$this->update_option( 'retries_valid', $valid );
|
1100 |
+
}
|
1101 |
+
|
1102 |
+
/**
|
1103 |
+
* Render admin options page
|
1104 |
+
*/
|
1105 |
+
public function options_page() {
|
1106 |
+
$this->use_local_options = !is_network_admin();
|
1107 |
+
$this->cleanup();
|
1108 |
+
|
1109 |
+
if( !empty( $_POST ) )
|
1110 |
+
{
|
1111 |
+
check_admin_referer( 'limit-login-attempts-options' );
|
1112 |
+
|
1113 |
+
if ( is_network_admin() )
|
1114 |
+
$this->update_option( 'allow_local_options', !empty($_POST['allow_local_options']) );
|
1115 |
+
|
1116 |
+
elseif ( $this->network_mode )
|
1117 |
+
$this->update_option( 'use_local_options', empty($_POST['use_global_options']) );
|
1118 |
+
|
1119 |
+
/* Should we support GDPR */
|
1120 |
+
if( isset( $_POST[ 'gdpr' ] ) )
|
1121 |
+
{
|
1122 |
+
$this->update_option( 'gdpr', 1 );
|
1123 |
+
}
|
1124 |
+
else {
|
1125 |
+
$this->update_option( 'gdpr', 0 );
|
1126 |
+
}
|
1127 |
+
|
1128 |
+
/* Should we clear log? */
|
1129 |
+
if( isset( $_POST[ 'clear_log' ] ) )
|
1130 |
+
{
|
1131 |
+
$this->update_option( 'logged', '' );
|
1132 |
+
$this->show_error( __( 'Cleared IP log', 'limit-login-attempts-reloaded' ) );
|
1133 |
+
}
|
1134 |
+
|
1135 |
+
/* Should we reset counter? */
|
1136 |
+
if( isset( $_POST[ 'reset_total' ] ) )
|
1137 |
+
{
|
1138 |
+
$this->update_option( 'lockouts_total', 0 );
|
1139 |
+
$this->show_error( __( 'Reset lockout count', 'limit-login-attempts-reloaded' ) );
|
1140 |
+
}
|
1141 |
+
|
1142 |
+
/* Should we restore current lockouts? */
|
1143 |
+
if( isset( $_POST[ 'reset_current' ] ) )
|
1144 |
+
{
|
1145 |
+
$this->update_option( 'lockouts', array() );
|
1146 |
+
$this->show_error( __( 'Cleared current lockouts', 'limit-login-attempts-reloaded' ) );
|
1147 |
+
}
|
1148 |
+
|
1149 |
+
/* Should we update options? */
|
1150 |
+
if( isset( $_POST[ 'update_options' ] ) )
|
1151 |
+
{
|
1152 |
+
$this->update_option('allowed_retries', (int)$_POST['allowed_retries'] );
|
1153 |
+
$this->update_option('lockout_duration', (int)$_POST['lockout_duration'] * 60 );
|
1154 |
+
$this->update_option('valid_duration', (int)$_POST['valid_duration'] * 3600 );
|
1155 |
+
$this->update_option('allowed_lockouts', (int)$_POST['allowed_lockouts'] );
|
1156 |
+
$this->update_option('long_duration', (int)$_POST['long_duration'] * 3600 );
|
1157 |
+
$this->update_option('notify_email_after', (int)$_POST['email_after'] );
|
1158 |
+
|
1159 |
+
$white_list_ips = ( !empty( $_POST['lla_whitelist_ips'] ) ) ? explode("\n", str_replace("\r", "", stripslashes($_POST['lla_whitelist_ips']) ) ) : array();
|
1160 |
+
|
1161 |
+
if( !empty( $white_list_ips ) ) {
|
1162 |
+
foreach( $white_list_ips as $key => $ip ) {
|
1163 |
+
if( '' == $ip ) {
|
1164 |
+
unset( $white_list_ips[ $key ] );
|
1165 |
+
}
|
1166 |
+
}
|
1167 |
+
}
|
1168 |
+
$this->update_option('whitelist', $white_list_ips );
|
1169 |
+
|
1170 |
+
$white_list_usernames = ( !empty( $_POST['lla_whitelist_usernames'] ) ) ? explode("\n", str_replace("\r", "", stripslashes($_POST['lla_whitelist_usernames']) ) ) : array();
|
1171 |
+
|
1172 |
+
if( !empty( $white_list_usernames ) ) {
|
1173 |
+
foreach( $white_list_usernames as $key => $ip ) {
|
1174 |
+
if( '' == $ip ) {
|
1175 |
+
unset( $white_list_usernames[ $key ] );
|
1176 |
+
}
|
1177 |
+
}
|
1178 |
+
}
|
1179 |
+
$this->update_option('whitelist_usernames', $white_list_usernames );
|
1180 |
+
|
1181 |
+
$black_list_ips = ( !empty( $_POST['lla_blacklist_ips'] ) ) ? explode("\n", str_replace("\r", "", stripslashes($_POST['lla_blacklist_ips']) ) ) : array();
|
1182 |
+
|
1183 |
+
if( !empty( $black_list_ips ) ) {
|
1184 |
+
foreach( $black_list_ips as $key => $ip ) {
|
1185 |
+
$range = array_map('trim', explode('-', $ip) );
|
1186 |
+
if ( count( $range ) > 1 && (float)sprintf("%u",ip2long($range[0])) > (float)sprintf("%u",ip2long($range[1]))) {
|
1187 |
+
$this->show_error( __( 'The "'. $ip .'" IP range is invalid', 'limit-login-attempts-reloaded' ) );
|
1188 |
+
}
|
1189 |
+
if( '' == $ip ) {
|
1190 |
+
unset( $black_list_ips[ $key ] );
|
1191 |
+
}
|
1192 |
+
}
|
1193 |
+
}
|
1194 |
+
$this->update_option('blacklist', $black_list_ips );
|
1195 |
+
|
1196 |
+
$black_list_usernames = ( !empty( $_POST['lla_blacklist_usernames'] ) ) ? explode("\n", str_replace("\r", "", stripslashes($_POST['lla_blacklist_usernames']) ) ) : array();
|
1197 |
+
|
1198 |
+
if( !empty( $black_list_usernames ) ) {
|
1199 |
+
foreach( $black_list_usernames as $key => $ip ) {
|
1200 |
+
if( '' == $ip ) {
|
1201 |
+
unset( $black_list_usernames[ $key ] );
|
1202 |
+
}
|
1203 |
+
}
|
1204 |
+
}
|
1205 |
+
$this->update_option('blacklist_usernames', $black_list_usernames );
|
1206 |
+
|
1207 |
+
$notify_methods = array();
|
1208 |
+
if( isset( $_POST[ 'lockout_notify_log' ] ) ) {
|
1209 |
+
$notify_methods[] = 'log';
|
1210 |
+
}
|
1211 |
+
if( isset( $_POST[ 'lockout_notify_email' ] ) ) {
|
1212 |
+
$notify_methods[] = 'email';
|
1213 |
+
}
|
1214 |
+
$this->update_option('lockout_notify', implode( ',', $notify_methods ) );
|
1215 |
+
|
1216 |
+
$this->sanitize_options();
|
1217 |
+
|
1218 |
+
$this->show_error( __( 'Options saved.', 'limit-login-attempts-reloaded' ) );
|
1219 |
+
}
|
1220 |
+
}
|
1221 |
+
|
1222 |
+
include_once( LLA_PLUGIN_DIR . '/views/options-page.php' );
|
1223 |
+
}
|
1224 |
+
|
1225 |
+
public function ajax_unlock()
|
1226 |
+
{
|
1227 |
+
check_ajax_referer('limit-login-unlock', 'sec');
|
1228 |
+
$ip = (string)@$_POST['ip'];
|
1229 |
+
|
1230 |
+
$lockouts = (array)$this->get_option('lockouts');
|
1231 |
+
|
1232 |
+
if ( isset( $lockouts[ $ip ] ) )
|
1233 |
+
{
|
1234 |
+
unset( $lockouts[ $ip ] );
|
1235 |
+
$this->update_option( 'lockouts', $lockouts );
|
1236 |
+
}
|
1237 |
+
|
1238 |
+
//save to log
|
1239 |
+
$user_login = @(string)$_POST['username'];
|
1240 |
+
$log = $this->get_option( 'logged' );
|
1241 |
+
|
1242 |
+
if ( @$log[ $ip ][ $user_login ] )
|
1243 |
+
{
|
1244 |
+
if ( !is_array( $log[ $ip ][ $user_login ] ) )
|
1245 |
+
$log[ $ip ][ $user_login ] = array(
|
1246 |
+
'counter' => $log[ $ip ][ $user_login ],
|
1247 |
+
);
|
1248 |
+
$log[ $ip ][ $user_login ]['unlocked'] = true;
|
1249 |
+
|
1250 |
+
$this->update_option( 'logged', $log );
|
1251 |
+
}
|
1252 |
+
|
1253 |
+
header('Content-Type: application/json');
|
1254 |
+
echo 'true';
|
1255 |
+
exit;
|
1256 |
+
}
|
1257 |
+
|
1258 |
+
/**
|
1259 |
+
* Show error message
|
1260 |
+
*
|
1261 |
+
* @param $msg
|
1262 |
+
*/
|
1263 |
+
public function show_error( $msg ) {
|
1264 |
+
LLA_Helpers::show_error( $msg );
|
1265 |
+
}
|
1266 |
+
|
1267 |
+
/**
|
1268 |
+
* returns IP with its md5 value
|
1269 |
+
*/
|
1270 |
+
private function getHash($str)
|
1271 |
+
{
|
1272 |
+
return md5($str);
|
1273 |
+
}
|
1274 |
+
|
1275 |
+
/**
|
1276 |
+
* @param $arr - array
|
1277 |
+
* @param $k - key
|
1278 |
+
* @return int array value at given index or zero
|
1279 |
+
*/
|
1280 |
+
private function checkKey($arr, $k)
|
1281 |
+
{
|
1282 |
+
return isset($arr[$k]) ? $arr[$k] : 0;
|
1283 |
+
}
|
1284 |
}
|
limit-login-attempts-reloaded.php
CHANGED
@@ -4,7 +4,7 @@
|
|
4 |
Description: Limit the rate of login attempts, including by way of cookies and for each IP address.
|
5 |
Author: wpchefgadget
|
6 |
Text Domain: limit-login-attempts-reloaded
|
7 |
-
Version: 2.
|
8 |
|
9 |
Copyright 2008 - 2012 Johan Eenfeldt, 2016 - 2017 WPChef
|
10 |
|
4 |
Description: Limit the rate of login attempts, including by way of cookies and for each IP address.
|
5 |
Author: wpchefgadget
|
6 |
Text Domain: limit-login-attempts-reloaded
|
7 |
+
Version: 2.7.0
|
8 |
|
9 |
Copyright 2008 - 2012 Johan Eenfeldt, 2016 - 2017 WPChef
|
10 |
|
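--- a/readme.txt
+++ b/readme.txt
@@ -1,11 +1,11 @@
 === Limit Login Attempts Reloaded ===
 Contributors: wpchefgadget
-Tags: login, security, authentication, Limit Login Attempts,
+Tags: login, security, authentication, Limit Login Attempts, GDPR, brute-force attack, brute force, login abuse, ddos protection
 Requires at least: 3.0
-Tested up to: 4.9.
-Stable tag: 2.
+Tested up to: 4.9.5
+Stable tag: 2.7.0
 
-Reloaded version of the original Limit Login Attempts plugin for Login Protection by a team of WordPress developers.
+Reloaded version of the original Limit Login Attempts plugin for Login Protection by a team of WordPress developers. GDPR compliant.
 
 == Description ==
 
@@ -25,6 +25,7 @@ Features:
 * **XMLRPC** gateway protection.
 * **Woocommerce** login page protection.
 * **Multi-site** compatibility with extra MU settings.
+* **GDPR** compliant. With this feature turned on, all logged IPs get obfuscated (md5-hashed).
 
 = Upgrading from the old Limit Login Attempts plugin =
 1. Go to the Plugins section in your site's backend.
@@ -50,20 +51,29 @@ Based on the original code from Limit Login Attemps plugin by Johan Eenfeldt.
 
 == Changelog ==
 
+= 2.7.0 =
+* GDPR compliance implemented.
+
+* Fixed: ip_in_range() loop $ip overrides itself causing invalid results.
+https://wordpress.org/support/topic/ip_in_range-loop-ip-overrides-itself-causing-invalid-results/
+
+* Fixed: the plugin was locking out the same IP address multiple times, each with a different port.
+https://wordpress.org/support/topic/same-ip-different-port/
+
 = 2.6.3 =
-Added support of Sucuri Website Firewall.
+* Added support of Sucuri Website Firewall.
 
 = 2.6.2 =
-Fixed the issue with backslashes in usernames.
+* Fixed the issue with backslashes in usernames.
 
 = 2.6.1 =
-Plugin returns the 403 Forbidden header after the limit of login attempts via XMLRPC is reached.
+* Plugin returns the 403 Forbidden header after the limit of login attempts via XMLRPC is reached.
 
-Added support of IP ranges in white/black lists.
+* Added support of IP ranges in white/black lists.
 
-Lockouts now can be released selectively.
+* Lockouts now can be released selectively.
 
-Fixed the issue with encoding of special symbols in email notifications.
+* Fixed the issue with encoding of special symbols in email notifications.
 
 = 2.5.0 =
 * Added Multi-site Compatibility and additional MU settings. https://wordpress.org/support/topic/multisite-compatibility-47/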
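--- a/views/options-page.php
+++ b/views/options-page.php
@@ -7,6 +7,8 @@ if( !defined( 'ABSPATH' ) )
 * @var $this Limit_Login_Attempts
 */
 
+$gdpr = $this->get_option( 'gdpr', 0 );
+
 $lockouts_total = $this->get_option( 'lockouts_total', 0 );
 $lockouts = $this->get_option( 'login_lockouts' );
 $lockouts_now = is_array( $lockouts ) ? count( $lockouts ) : 0;
@@ -86,6 +88,14 @@ $black_list_usernames = ( is_array( $black_list_usernames ) && !empty( $black_li
 </script>
 <?php endif ?>
 <table class="form-table">
+<tr>
+<th scope="row"
+valign="top"><?php echo __( 'GDPR compliance', 'limit-login-attempts-reloaded' ); ?></th>
+<td>
+<input type="checkbox" name="gdpr" value="1" <?php if($gdpr): ?> checked <?php endif; ?>/>
+<?php echo __( 'this makes the plugin <a href="https://gdpr-info.eu/" target="_blank" >GDPR</a> compliant', 'limit-login-attempts-reloaded' ); ?> <br/>
+</td>
+</tr>
 <tr>
 <th scope="row" valign="top"><?php echo __( 'Lockout', 'limit-login-attempts-reloaded' ); ?></th>
 <td>
@@ -186,7 +196,9 @@ $black_list_usernames = ( is_array( $black_list_usernames ) && !empty( $black_li
 <?php foreach ( $log as $date => $user_info ) : ?>
 <tr>
 <td class="limit-login-date"><?php echo date_i18n( 'F d, Y H:i', $date ); ?></td>
-<td class="limit-login-ip"
+<td class="limit-login-ip">
+<?php echo $user_info['ip']; ?>
+</td>
 <td class="limit-login-max"><?php echo $user_info['username'] . ' (' . $user_info['counter'] .' lockouts)'; ?></td>
 <td class="limit-login-gateway"><?php echo $user_info['gateway']; ?></td>
 <td>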
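Review bot: The new log cell at line 200 echoes a stored value straight into the admin page, `<?php echo $user_info['ip']; ?>`, without output escaping; it should be `<?php echo esc_html( $user_info['ip'] ); ?>`. Nothing in this hunk shows how the `ip` field is populated, so if the plugin can take the client address from a request header under some configuration, this cell is rendering attacker-influenced text in the administrator's browser; even if it is always a socket address or the md5 hash, escaping at output is the expected WordPress template convention. The neighbouring `username` and `gateway` cells have the same pattern but are context lines, not part of this change. Separately, the GDPR checkbox label in the second hunk only says the plugin becomes compliant and does not tell the admin what changes; the readme states that logged IPs are stored md5-hashed, so a label such as `'store logged IP addresses as md5 hashes instead of plain text'` would let the administrator understand why the lockout log stops showing readable addresses.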