Limit Login Attempts Reloaded

Version Description

The plugin doesn't trust any IP addresses other than SERVER["REMOTE_ADDR"] anymore. Trusting other IP origins make protection useless b/c they can be easily faked. This new version provides a way of secure IP unlocking for those sites that use a reverse proxy coupled with misconfigurated servers that populate _SERVER["REMOTEADDR"] with wrong IPs which leads to mass blocking of users.

Release Info

Developer	wpchefgadget
Plugin	Limit Login Attempts Reloaded
Version	2.8.0
Comparing to
See all releases

Code changes from version 2.7.4 to 2.8.0

Files changed (4) hide show

core/LimitLoginAttempts.php +150 -22
limit-login-attempts-reloaded.php +1 -3
readme.txt +4 -2
views/options-page.php +2 -0

core/LimitLoginAttempts.php CHANGED Viewed

@@ -63,6 +63,7 @@ class Limit_Login_Attempts
             	public function hooks_init() {
             		add_action( 'plugins_loaded', array( $this, 'setup' ), 9999 );
             		add_action( 'admin_enqueue_scripts', array( $this, 'enqueue' ) );
             		add_filter( 'limit_login_whitelist_ip', array( $this, 'check_whitelist_ips' ), 10, 2 );
             		add_filter( 'limit_login_whitelist_usernames', array( $this, 'check_whitelist_usernames' ), 10, 2 );
             		add_filter( 'limit_login_blacklist_ip', array( $this, 'check_blacklist_ips' ), 10, 2 );
@@ -133,7 +134,132 @@ class Limit_Login_Attempts
             		add_action('wp_ajax_limit-login-unlock', array( $this, 'ajax_unlock' ) );
+            	}
-            -
             	public function check_xmlrpc_lock()
+            	{
             		if ( is_user_logged_in() || $this->is_ip_whitelisted() )
@@ -159,7 +285,7 @@ class Limit_Login_Attempts
+            	}
             	public function check_blacklist_usernames( $allow, $username ) {
-            -
                        return in_array( $username, (array) $this->get_option( 'blacklist_usernames' ) );
+            	}
             	public function ip_in_range( $ip, $list )
@@ -884,6 +1010,8 @@ class Limit_Login_Attempts
             			$msg .= sprintf( _n( 'Please try again in %d minute.', 'Please try again in %d minutes.', $when, 'limit-login-attempts-reloaded' ), $when );
+            		}
             		return $msg;
+            	}
@@ -1040,25 +1168,14 @@ class Limit_Login_Attempts
+            	}
             	/**
-            -
            	* Get correct remote address
-            -
            	*
-            -
            	* @param string $type_name
-            -
            	*
-            -
            	* @return string
-            -
            	*/
             	public function get_address() {
-            -
            		if ( !empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) && filter_var( $_SERVER['HTTP_X_FORWARDED_FOR'], FILTER_VALIDATE_IP ) )
-            -
            			$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
-            -
-            -
            		elseif ( !empty( $_SERVER['HTTP_X_SUCURI_CLIENTIP'] ) && filter_var( $_SERVER['HTTP_X_SUCURI_CLIENTIP'], FILTER_VALIDATE_IP ) )
-            -
            			$ip = $_SERVER['HTTP_X_SUCURI_CLIENTIP'];
-            -
-            -
            		elseif ( isset( $_SERVER['REMOTE_ADDR'] ) )
-            -
            			$ip = $_SERVER['REMOTE_ADDR'];
-            -
-            -
            		else
-            -
            			$ip = '';
             		$ip = preg_replace('/^(\d+\.\d+\.\d+\.\d+):\d+$/', '\1', $ip);
@@ -1076,16 +1193,27 @@ class Limit_Login_Attempts
             		$now      = time();
             		$lockouts = ! is_null( $lockouts ) ? $lockouts : $this->get_option( 'lockouts' );
             		/* remove old lockouts */
             		if ( is_array( $lockouts ) ) {
             			foreach ( $lockouts as $ip => $lockout ) {
             				if ( $lockout < $now ) {
             					unset( $lockouts[ $ip ] );
+            				}
+            			}
             			$this->update_option( 'lockouts', $lockouts );
+            		}
             		/* remove retries that are no longer valid */
             		$valid   = ! is_null( $valid ) ? $valid : $this->get_option( 'retries_valid' );
             		$retries = ! is_null( $retries ) ? $retries : $this->get_option( 'retries' );
@@ -1163,9 +1291,9 @@ class Limit_Login_Attempts
+            			{
             				$this->update_option('allowed_retries',    (int)$_POST['allowed_retries'] );
             				$this->update_option('lockout_duration',   (int)$_POST['lockout_duration'] * 60 );
-            -
            				$this->update_option('valid_duration',     (int)$_POST['valid_duration'] * 3600 );
-            -
            				$this->update_option('allowed_lockouts',   (int)$_POST['allowed_lockouts'] );
-            -
            				$this->update_option('long_duration',      (int)$_POST['long_duration'] * 3600 );
             				$this->update_option('notify_email_after', (int)$_POST['email_after'] );
             				$this->update_option('admin_notify_email', sanitize_email( $_POST['admin_notify_email'] ) );


63	public function hooks_init() {
64	add_action( 'plugins_loaded', array( $this, 'setup' ), 9999 );
65	add_action( 'admin_enqueue_scripts', array( $this, 'enqueue' ) );
66	+ add_action( 'after_password_reset', array( $this, 'after_password_reset' ) );
67	add_filter( 'limit_login_whitelist_ip', array( $this, 'check_whitelist_ips' ), 10, 2 );
68	add_filter( 'limit_login_whitelist_usernames', array( $this, 'check_whitelist_usernames' ), 10, 2 );
69	add_filter( 'limit_login_blacklist_ip', array( $this, 'check_blacklist_ips' ), 10, 2 );

134
135	add_action('wp_ajax_limit-login-unlock', array( $this, 'ajax_unlock' ) );
136	}
137	+
138	+ /**
139	+ * @param $user Wp_User
140	+ */
141	+ public function after_password_reset( $user ) {
142	+
143	+ $lockouts = $this->get_option( 'lockouts' );
144	+ $lockouts_log = $this->get_option( 'logged' );
145	+
146	+ if( $user->has_cap( 'administrator' ) ) {
147	+
148	+ if( $this->is_ip_blacklisted() ) {
149	+
150	+ $black_list_ips = $this->get_option( 'blacklist' );
151	+
152	+ if( !empty( $black_list_ips ) ) {
153	+
154	+ foreach ( $black_list_ips as $key => $ip ) {
155	+
156	+ if( $ip === $this->get_address() ) {
157	+
158	+ unset($black_list_ips[$key]);
159	+ }
160	+ }
161	+
162	+ }
163	+
164	+ $this->update_option( 'blacklist', $black_list_ips );
165	+ }
166	+
167	+ if( $this->is_username_blacklisted( $user->data->user_login ) ) {
168	+
169	+ $black_list_usernames = $this->get_option( 'blacklist_usernames' );
170	+
171	+ if( !empty( $black_list_usernames ) ) {
172	+
173	+ foreach ( $black_list_usernames as $key => $login ) {
174	+
175	+ if( $login === $user->data->user_login ) {
176	+
177	+ unset($black_list_usernames[$key]);
178	+ }
179	+ }
180	+
181	+ }
182	+
183	+ $this->update_option( 'blacklist_usernames', $black_list_usernames );
184	+ }
185	+
186	+ $admin_ip = $this->get_address();
187	+ $admin_ip = ($this->get_option('gdpr') ? $this->getHash( $admin_ip ) : $admin_ip );
188	+
189	+ if ( is_array( $lockouts ) && isset( $lockouts[ $admin_ip ] ) ) {
190	+
191	+ unset( $lockouts[ $admin_ip ] );
192	+
193	+ $this->update_option( 'lockouts', $lockouts );
194	+
195	+ if( is_array( $lockouts_log ) && isset( $lockouts_log[ $admin_ip ] ) ) {
196	+
197	+ foreach ( $lockouts_log[ $admin_ip ] as $user_login => &$data ) {
198	+
199	+ $data['unlocked'] = true;
200	+ }
201	+
202	+ $this->update_option( 'logged', $lockouts_log );
203	+ }
204	+ }
205	+
206	+ $valid = $this->get_option( 'retries_valid' );
207	+
208	+ if ( is_array( $valid ) && isset( $valid[ $admin_ip ] ) ) {
209	+
210	+ unset( $valid[ $admin_ip ] );
211	+
212	+ $this->update_option( 'retries_valid', $valid );
213	+ }
214	+
215	+ $retries = $this->get_option( 'retries' );
216	+
217	+ if ( is_array( $retries ) && isset( $retries[ $admin_ip ] ) ) {
218	+
219	+ unset( $retries[ $admin_ip ] );
220	+
221	+ $this->update_option( 'retries', $retries );
222	+ }
223	+
224	+ } else {
225	+
226	+ $user_ip = $this->get_address();
227	+ $user_ip = ($this->get_option('gdpr') ? $this->getHash( $user_ip ) : $user_ip );
228	+
229	+ if ( isset( $lockouts_log[ $user_ip ] ) && is_array( $lockouts_log[ $user_ip ] ) ) {
230	+
231	+ $last_unlocked_time = 0;
232	+ foreach ( $lockouts_log[ $user_ip ] as $user_login => $data ) {
233	+
234	+ if( !isset( $data['unlocked'] ) \|\| !$data['unlocked'] ) continue;
235	+
236	+ if( $data['date'] > $last_unlocked_time )
237	+ $last_unlocked_time = $data['date'];
238	+ }
239	+
240	+ if ( is_array( $lockouts ) && isset( $lockouts[ $user_ip ] ) &&
241	+ ( $last_unlocked_time === 0 \|\|
242	+ ( ( time() - $last_unlocked_time ) ) > ( $this->get_option( 'lockout_duration' ) ) ) ) {
243	+
244	+ unset( $lockouts[ $user_ip ] );
245	+
246	+ if( is_array( $lockouts_log ) && isset( $lockouts_log[ $user_ip ] ) ) {
247	+
248	+ foreach ( $lockouts_log[ $user_ip ] as $user_login => &$data ) {
249	+
250	+ $data['unlocked'] = true;
251	+ }
252	+
253	+ $this->update_option( 'logged', $lockouts_log );
254	+ }
255	+
256	+ $this->update_option( 'lockouts', $lockouts );
257	+ }
258	+
259	+ }
260	+ }
261	+ }
262	+
263	public function check_xmlrpc_lock()
264	{
265	if ( is_user_logged_in() \|\| $this->is_ip_whitelisted() )

285	}
286
287	public function check_blacklist_usernames( $allow, $username ) {
288	+ return in_array( $username, (array) $this->get_option( 'blacklist_usernames' ) );
289	}
290
291	public function ip_in_range( $ip, $list )

1010	$msg .= sprintf( _n( 'Please try again in %d minute.', 'Please try again in %d minutes.', $when, 'limit-login-attempts-reloaded' ), $when );
1011	}
1012
1013	+ $msg .= '<br><br>'. sprintf( __( 'You can also try <a href="%s">resetting your password</a> and that should help you to log in.', 'limit-login-attempts-reloaded' ), wp_lostpassword_url() );
1014	+
1015	return $msg;
1016	}
1017

1168	}
1169
1170	/**
1171	+ * Get correct remote address
1172	+ *
1173	+ * @return string
1174	+ *
1175	+ */

1176	public function get_address() {
1177
1178	+ $ip = ( isset( $_SERVER['REMOTE_ADDR'] ) && !empty( $_SERVER['REMOTE_ADDR'] ) ) ? $_SERVER['REMOTE_ADDR'] : '';










1179
1180	$ip = preg_replace('/^(\d+\.\d+\.\d+\.\d+):\d+$/', '\1', $ip);
1181

1193	$now = time();
1194	$lockouts = ! is_null( $lockouts ) ? $lockouts : $this->get_option( 'lockouts' );
1195
1196	+ $log = $this->get_option( 'logged' );
1197	+
1198	/* remove old lockouts */
1199	if ( is_array( $lockouts ) ) {
1200	foreach ( $lockouts as $ip => $lockout ) {
1201	if ( $lockout < $now ) {
1202	unset( $lockouts[ $ip ] );
1203	+
1204	+ if( is_array( $log ) && isset( $log[ $ip ] ) ) {
1205	+ foreach ( $log[ $ip ] as $user_login => &$data ) {
1206	+
1207	+ $data['unlocked'] = true;
1208	+ }
1209	+ }
1210	}
1211	}
1212	$this->update_option( 'lockouts', $lockouts );
1213	}
1214
1215	+ $this->update_option( 'logged', $log );
1216	+
1217	/* remove retries that are no longer valid */
1218	$valid = ! is_null( $valid ) ? $valid : $this->get_option( 'retries_valid' );
1219	$retries = ! is_null( $retries ) ? $retries : $this->get_option( 'retries' );

1291	{
1292	$this->update_option('allowed_retries', (int)$_POST['allowed_retries'] );
1293	$this->update_option('lockout_duration', (int)$_POST['lockout_duration'] * 60 );
1294	+ // $this->update_option('valid_duration', (int)$_POST['valid_duration'] * 3600 );
1295	+ // $this->update_option('allowed_lockouts', (int)$_POST['allowed_lockouts'] );
1296	+ // $this->update_option('long_duration', (int)$_POST['long_duration'] * 3600 );
1297	$this->update_option('notify_email_after', (int)$_POST['email_after'] );
1298
1299	$this->update_option('admin_notify_email', sanitize_email( $_POST['admin_notify_email'] ) );

limit-login-attempts-reloaded.php CHANGED Viewed

	@@ -5,11 +5,9 @@ Description: Limit the rate of login attempts, including by way of cookies and f
5	Author: WPChef
6	Author URI: https://wpchef.org
7	Text Domain: limit-login-attempts-reloaded
8	- Version: 2.7.4
9
10	Copyright 2008 - 2012 Johan Eenfeldt, 2016 - 2019 WPChef
11	-
12	- Thanks to Michael Skerwiderski for reverse proxy handling suggestions.
13	*/
14
15	/***************************************************************************************


5	Author: WPChef
6	Author URI: https://wpchef.org
7	Text Domain: limit-login-attempts-reloaded
8	+ Version: 2.8.0
9
10	Copyright 2008 - 2012 Johan Eenfeldt, 2016 - 2019 WPChef


11	*/
12
13	/***************************************************************************************

readme.txt CHANGED Viewed

	@@ -3,7 +3,7 @@ Contributors: wpchefgadget
3	Tags: brute force, login, security, GDPR, protection
4	Requires at least: 3.0
5	Tested up to: 5.1.1
6	- Stable tag: 2.7.4
7
8	Reloaded version of the original Limit Login Attempts plugin for Login Protection by a team of WordPress developers. GDPR compliant.
9
	@@ -19,7 +19,6 @@ Features:
19	* Limit the number of attempts to log in using authorization cookies in the same way.
20	* Informs the user about the remaining retries or lockout time on the login page.
21	* Optional logging and optional email notification.
22	- * Handles server behind the reverse proxy.
23	* It is possible to whitelist/blacklist IPs and Usernames.
24	* Sucuri Website Firewall compatibility.
25	* XMLRPC gateway protection.
	@@ -51,6 +50,9 @@ Based on the original code from Limit Login Attemps plugin by Johan Eenfeldt.
51
52	== Changelog ==
53



54	= 2.7.4 =
55	* The lockout alerts can be sent to a configurable email address now.
56


3	Tags: brute force, login, security, GDPR, protection
4	Requires at least: 3.0
5	Tested up to: 5.1.1
6	+ Stable tag: 2.8.0
7
8	Reloaded version of the original Limit Login Attempts plugin for Login Protection by a team of WordPress developers. GDPR compliant.
9

19	* Limit the number of attempts to log in using authorization cookies in the same way.
20	* Informs the user about the remaining retries or lockout time on the login page.
21	* Optional logging and optional email notification.

22	* It is possible to whitelist/blacklist IPs and Usernames.
23	* Sucuri Website Firewall compatibility.
24	* XMLRPC gateway protection.

50
51	== Changelog ==
52
53	+ = 2.8.0 =
54	+ * The plugin doesn't trust any IP addresses other than _SERVER["REMOTE_ADDR"] anymore. Trusting other IP origins make protection useless b/c they can be easily faked. This new version provides a way of secure IP unlocking for those sites that use a reverse proxy coupled with misconfigurated servers that populate _SERVER["REMOTE_ADDR"] with wrong IPs which leads to mass blocking of users.
55	+
56	= 2.7.4 =
57	* The lockout alerts can be sent to a configurable email address now.
58

views/options-page.php CHANGED Viewed

	@@ -111,6 +111,7 @@ $admin_email_placeholder = (!is_multisite()) ? get_option( 'admin_email' ) : get
111	value="<?php echo( $this->get_option( 'lockout_duration' ) / 60 ); ?>"
112	name="lockout_duration"/> <?php echo __( 'minutes lockout', 'limit-login-attempts-reloaded' ); ?>
113	<br/>

114	<input type="text" size="3" maxlength="4"
115	value="<?php echo( $this->get_option( 'allowed_lockouts' ) ); ?>"
116	name="allowed_lockouts"/> <?php echo __( 'lockouts increase lockout time to', 'limit-login-attempts-reloaded' ); ?>
	@@ -120,6 +121,7 @@ $admin_email_placeholder = (!is_multisite()) ? get_option( 'admin_email' ) : get
120	<input type="text" size="3" maxlength="4"
121	value="<?php echo( $this->get_option( 'valid_duration' ) / 3600 ); ?>"
122	name="valid_duration"/> <?php echo __( 'hours until retries are reset', 'limit-login-attempts-reloaded' ); ?>

123	</td>
124	</tr>
125	<tr>


111	value="<?php echo( $this->get_option( 'lockout_duration' ) / 60 ); ?>"
112	name="lockout_duration"/> <?php echo __( 'minutes lockout', 'limit-login-attempts-reloaded' ); ?>
113	<br/>
114	+ <?php /*
115	<input type="text" size="3" maxlength="4"
116	value="<?php echo( $this->get_option( 'allowed_lockouts' ) ); ?>"
117	name="allowed_lockouts"/> <?php echo __( 'lockouts increase lockout time to', 'limit-login-attempts-reloaded' ); ?>

121	<input type="text" size="3" maxlength="4"
122	value="<?php echo( $this->get_option( 'valid_duration' ) / 3600 ); ?>"
123	name="valid_duration"/> <?php echo __( 'hours until retries are reset', 'limit-login-attempts-reloaded' ); ?>
124	+ */ ?>
125	</td>
126	</tr>
127	<tr>

Limit Login Attempts Reloaded - Version 2.8.0

Version Description

Release Info

Code changes from version 2.7.4 to 2.8.0