Limit Login Attempts Reloaded - Version 2.9.0

Version Description

  • Trusted IP origins option has been added.

Release Info

Developer wpchefgadget
Version 2.9.0

Code changes from version 2.8.1 to 2.9.0

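--- a/core/LimitLoginAttempts.php
+++ b/core/LimitLoginAttempts.php
@@ -1175,7 +1175,27 @@ class Limit_Login_Attempts
  */
  public function get_address() {
 
- $ip = ( isset( $_SERVER['REMOTE_ADDR'] ) && !empty( $_SERVER['REMOTE_ADDR'] ) ) ? $_SERVER['REMOTE_ADDR'] : '';
+ $trusted_ip_origins = $this->get_option( 'trusted_ip_origins' );
+
+ if( empty( $trusted_ip_origins ) || !is_array( $trusted_ip_origins ) ) {
+
+ $trusted_ip_origins = array();
+ }
+
+ if( !in_array( 'REMOTE_ADDR', $trusted_ip_origins ) ) {
+
+ $trusted_ip_origins[] = 'REMOTE_ADDR';
+ }
+
+ $ip = '';
+ foreach ( $trusted_ip_origins as $origin ) {
+
+ if( isset( $_SERVER[$origin] ) && !empty( $_SERVER[$origin] ) ) {
+
+ $ip = $_SERVER[$origin];
+ break;
+ }
+ }
 
  $ip = preg_replace('/^(\d+\.\d+\.\d+\.\d+):\d+$/', '\1', $ip);
 
@@ -1346,6 +1366,19 @@ class Limit_Login_Attempts
  }
  $this->update_option('blacklist_usernames', $black_list_usernames );
 
+
+ $trusted_ip_origins = ( !empty( $_POST['lla_trusted_ip_origins'] ) )
+ ? array_map( 'trim', explode( ',', sanitize_text_field( $_POST['lla_trusted_ip_origins'] ) ) )
+ : array();
+
+ if( !in_array( 'REMOTE_ADDR', $trusted_ip_origins ) ) {
+
+ $trusted_ip_origins[] = 'REMOTE_ADDR';
+ }
+
+ $this->update_option('trusted_ip_origins', $trusted_ip_origins );
+
+
  $notify_methods = array();
  if( isset( $_POST[ 'lockout_notify_log' ] ) ) {
  $notify_methods[] = 'log';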
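Review bot: In get_address() (new lines 1190-1198) the loop copies `$_SERVER[$origin]` into `$ip` without checking that the value is an IP address, so once an admin lists a header such as HTTP_X_FORWARDED_FOR the lockout key becomes whatever string the request carries, including a comma-separated proxy chain that the port-stripping regex after the loop does not handle. Requests that reach the server without passing through the proxy that sets the header can then present a different value each time, and failed attempts are never counted against one address. Each candidate should be validated, and the loop should fall through to the next origin when the value is not a single well-formed address. Which element of a forwarded chain to use is a deployment decision that this sketch leaves out. Whether later code validates `$ip` is not visible, because the body of get_address() continues outside the hunk.

```php
$ip = '';
foreach ( $trusted_ip_origins as $origin ) {

	if( empty( $_SERVER[$origin] ) ) {
		continue;
	}

	// Strip an IPv4 ":port" suffix first, as the existing line after the loop does.
	$candidate = preg_replace( '/^(\d+\.\d+\.\d+\.\d+):\d+$/', '\1', trim( $_SERVER[$origin] ) );

	// Accept only one well-formed address; a list or free text falls through to the next origin.
	if( filter_var( $candidate, FILTER_VALIDATE_IP ) !== false ) {
		$ip = $candidate;
		break;
	}
}
// … unchanged: port-stripping preg_replace and the rest of get_address() …
```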
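--- a/limit-login-attempts-reloaded.php
+++ b/limit-login-attempts-reloaded.php
@@ -5,7 +5,7 @@ Description: Limit the rate of login attempts, including by way of cookies and f
  Author: WPChef
  Author URI: https://wpchef.org
  Text Domain: limit-login-attempts-reloaded
- Version: 2.8.1
+ Version: 2.9.0
 
  Copyright 2008 - 2012 Johan Eenfeldt, 2016 - 2019 WPChef
  */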
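--- a/readme.txt
+++ b/readme.txt
@@ -2,8 +2,8 @@
  Contributors: wpchefgadget
  Tags: brute force, login, security, GDPR, protection
  Requires at least: 3.0
- Tested up to: 5.1.1
- Stable tag: 2.8.1
+ Tested up to: 5.2.1
+ Stable tag: 2.9.0
 
  Reloaded version of the original Limit Login Attempts plugin for Login Protection by a team of WordPress developers. GDPR compliant.
 
@@ -25,6 +25,7 @@ Features:
  * **Woocommerce** login page protection.
  * **Multi-site** compatibility with extra MU settings.
  * **GDPR** compliant. With this feature turned on, all logged IPs get obfuscated (md5-hashed).
+ * **Custom IP origins** support (Cloudflare, Sucuri, etc.)
 
  = Upgrading from the old Limit Login Attempts plugin =
  1. Go to the Plugins section in your site's backend.
@@ -46,10 +47,13 @@ Based on the original code from Limit Login Attemps plugin by Johan Eenfeldt.
 
  1. Loginscreen after a failed login with remaining retries
  2. Lockout loginscreen
- 3. Administration interface in WordPress 4.5.3
+ 3. Administration interface in WordPress 5.2.1
 
  == Changelog ==
 
+ = 2.9.0 =
+ * Trusted IP origins option has been added.
+
  = 2.8.1 =
  * Extra lockout options are back.
 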
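--- a/views/options-page.php
+++ b/views/options-page.php
@@ -31,6 +31,10 @@ $black_list_usernames = ( is_array( $black_list_usernames ) && !empty( $black_li
 
  $admin_notify_email = $this->get_option( 'admin_notify_email' );
  $admin_email_placeholder = (!is_multisite()) ? get_option( 'admin_email' ) : get_site_option( 'admin_email' );
+
+ $trusted_ip_origins = $this->get_option( 'trusted_ip_origins' );
+ $trusted_ip_origins = ( is_array( $trusted_ip_origins ) && !empty( $trusted_ip_origins ) ) ? implode( ", ", $trusted_ip_origins ) : 'REMOTE_ADDR';
+
  ?>
  <div class="wrap limit-login-page-settings">
  <h2><?php echo __( 'Limit Login Attempts Settings', 'limit-login-attempts-reloaded' ); ?></h2>
@@ -166,6 +170,16 @@ $admin_email_placeholder = (!is_multisite()) ? get_option( 'admin_email' ) : get
  </div>
  </td>
  </tr>
+ <tr>
+ <th scope="row"
+ valign="top"><?php echo __( 'Trusted IP Origins', 'limit-login-attempts-reloaded' ); ?></th>
+ <td>
+ <div class="field-col">
+ <input type="text" class="regular-text" style="width: 100%;max-width: 431px;" name="lla_trusted_ip_origins" value="<?php echo esc_attr( $trusted_ip_origins ); ?>">
+ <p class="description"><?php _e( 'Specify the origins you trust in order of priority, separated by commas. We strongly recommend that you <b>do not</b> use anything other than REMOTE_ADDR since other origins can be easily faked. Examples: HTTP_X_FORWARDED_FOR, HTTP_CF_CONNECTING_IP, HTTP_X_SUCURI_CLIENTIP', 'limit-login-attempts-reloaded' ); ?></p>
+ </div>
+ </td>
+ </tr>
  </table>
  <p class="submit">
  <input class="button button-primary" name="update_options" value="<?php echo __( 'Save Options', 'limit-login-attempts-reloaded' ); ?>"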
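Review bot: The field description added at new line 179 warns that other origins can be faked but does not say when listing one is safe, which is the decision the admin has to make. I would add the precondition to the text, for example `Only add a header if every request reaches this server through the proxy that sets it; otherwise visitors can set the header themselves.` The same string is echoed with `_e()` and contains `<b>` markup, so if the project follows the WordPress output-escaping convention it could be passed through `wp_kses()` with only `b` allowed.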