Release Info
Developer | mvandemar |
Plugin | Login LockDown |
Version | 1.5 |
Code changes from version 1.4 to 1.5
- loginlockdown.php +38 -16
- readme.txt +1 -1
- version.txt +1 -1
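--- a/loginlockdown.php
+++ b/loginlockdown.php
@@ -2,7 +2,7 @@
 /*
 Plugin Name: Login LockDown
 Plugin URI: http://www.bad-neighborhood.com/
-Version: v1.
+Version: v1.5
 Author: Michael VanDeMar
 Description: Adds some extra security to WordPress by restricting the rate at which failed logins can be re-attempted from a given IP range. Distributed through <a href="http://www.bad-neighborhood.com/" target="_blank">Bad Neighborhood</a>.
 */
@@ -10,6 +10,12 @@ Description: Adds some extra security to WordPress by restricting the rate at wh
 /*
 * Change Log
 *
+* ver. 1.5 17-Sep-2009
+* - implemented wp_nonce security in the options and lockdown release forms in the admin screen
+* - fixed a security hole with an improperly escaped SQL query
+* - encoded certain outputs in the admin panel using esc_attr() to prevent XSS attacks
+* - fixed an issue with the 'Lockout Invalid Usernames' option not functioning as intended
+*
 * ver. 1.4 29-Aug-2009
 * - removed erroneous error affecting WP 2.8+
 * - fixed activation error caused by customizing the location of the wp-content folder
@@ -118,7 +124,7 @@ function countFails($username = "") {
 $numFails = $wpdb->get_var("SELECT COUNT(login_attempt_ID) FROM $table_name " .
 "WHERE login_attempt_date + INTERVAL " .
 $loginlockdownOptions['retries_within'] . " MINUTE > now() AND " .
-"login_attempt_IP LIKE '$class_c%'");
+"login_attempt_IP LIKE '" . $wpdb->escape($class_c) . "%'");
 return $numFails;
 }
 
@@ -132,7 +138,7 @@ function incrementFails($username = "") {
 $user = get_userdatabylogin($username);
 if ( $user || "yes" == $loginlockdownOptions['lockout_invalid_usernames'] ) {
 $insert = "INSERT INTO " . $table_name . " (user_id, login_attempt_date, login_attempt_IP) " .
-"VALUES ('" . $user->ID . "', now(), '" .
+"VALUES ('" . $user->ID . "', now(), '" . $wpdb->escape($ip) . "')";
 $results = $wpdb->query($insert);
 }
 }
@@ -148,7 +154,7 @@ function lockDown($username = "") {
 if ( $user || "yes" == $loginlockdownOptions['lockout_invalid_usernames'] ) {
 $insert = "INSERT INTO " . $table_name . " (user_id, lockdown_date, release_date, lockdown_IP) " .
 "VALUES ('" . $user->ID . "', now(), date_add(now(), INTERVAL " .
-$loginlockdownOptions['lockout_length'] . " MINUTE), '" . $ip . "')";
+$loginlockdownOptions['lockout_length'] . " MINUTE), '" . $wpdb->escape($ip) . "')";
 $results = $wpdb->query($insert);
 }
 }
@@ -161,7 +167,7 @@ function isLockedDown() {
 
 $stillLocked = $wpdb->get_var("SELECT user_id FROM $table_name " .
 "WHERE release_date > now() AND " .
-"lockdown_IP LIKE '$class_c%'");
+"lockdown_IP LIKE '" . $wpdb->escape($class_c) . "%'");
 
 return $stillLocked;
 }
@@ -196,9 +202,13 @@ function get_loginlockdownOptions() {
 function print_loginlockdownAdminPage() {
 global $wpdb;
 $table_name = $wpdb->prefix . "lockdowns";
-$loginlockdownAdminOptions = get_loginlockdownOptions();
-
+$loginlockdownAdminOptions = get_loginlockdownOptions();
+
 if (isset($_POST['update_loginlockdownSettings'])) {
+
+//wp_nonce check
+check_admin_referer('login-lockdown_update-options');
+
 if (isset($_POST['ll_max_login_retries'])) {
 $loginlockdownAdminOptions['max_login_retries'] = $_POST['ll_max_login_retries'];
 }
@@ -219,12 +229,16 @@ function print_loginlockdownAdminPage() {
 <div class="updated"><p><strong><?php _e("Settings Updated.", "loginlockdown");?></strong></p></div>
 <?php
 }
-if (isset($_POST['release_lockdowns'])) {
+if (isset($_POST['release_lockdowns'])) {
+
+//wp_nonce check
+check_admin_referer('login-lockdown_release-lockdowns');
+
 if (isset($_POST['releaseme'])) {
 $released = $_POST['releaseme'];
 foreach ( $released as $release_id ) {
 $results = $wpdb->query("UPDATE $table_name SET release_date = now() " .
-"WHERE lockdown_ID = $release_id");
+"WHERE lockdown_ID = " . $wpdb->escape($release_id) . "");
 }
 }
 update_option("loginlockdownAdminOptions", $loginlockdownAdminOptions);
@@ -235,14 +249,18 @@ function print_loginlockdownAdminPage() {
 $dalist = listLockedDown();
 ?>
 <div class=wrap>
-<form method="post" action="<?php echo $_SERVER["REQUEST_URI"]; ?>">
+<form method="post" action="<?php echo esc_attr($_SERVER["REQUEST_URI"]); ?>">
+<?php
+if ( function_exists('wp_nonce_field') )
+wp_nonce_field('login-lockdown_update-options');
+?>
 <h2><?php _e('Login LockDown Options', 'loginlockdown') ?></h2>
 <h3><?php _e('Max Login Retries', 'loginlockdown') ?></h3>
-<input type="text" name="ll_max_login_retries" size="8" value="<?php echo $loginlockdownAdminOptions['max_login_retries']; ?>">
+<input type="text" name="ll_max_login_retries" size="8" value="<?php echo esc_attr($loginlockdownAdminOptions['max_login_retries']); ?>">
 <h3><?php _e('Retry Time Period Restriction (minutes)', 'loginlockdown') ?></h3>
-<input type="text" name="ll_retries_within" size="8" value="<?php echo $loginlockdownAdminOptions['retries_within']; ?>">
+<input type="text" name="ll_retries_within" size="8" value="<?php echo esc_attr($loginlockdownAdminOptions['retries_within']); ?>">
 <h3><?php _e('Lockout Length (minutes)', 'loginlockdown') ?></h3>
-<input type="text" name="ll_lockout_length" size="8" value="<?php echo $loginlockdownAdminOptions['lockout_length']; ?>">
+<input type="text" name="ll_lockout_length" size="8" value="<?php echo esc_attr($loginlockdownAdminOptions['lockout_length']); ?>">
 <h3><?php _e('Lockout Invalid Usernames?', 'loginlockdown') ?></h3>
 <input type="radio" name="ll_lockout_invalid_usernames" value="yes" <?php if( $loginlockdownAdminOptions['lockout_invalid_usernames'] == "yes" ) echo "checked"; ?>> Yes <input type="radio" name="ll_lockout_invalid_usernames" value="no" <?php if( $loginlockdownAdminOptions['lockout_invalid_usernames'] == "no" ) echo "checked"; ?>> No
 <h3><?php _e('Mask Login Errors?', 'loginlockdown') ?></h3>
@@ -251,7 +269,11 @@ function print_loginlockdownAdminPage() {
 <input type="submit" name="update_loginlockdownSettings" value="<?php _e('Update Settings', 'loginlockdown') ?>" /></div>
 </form>
 <br />
-<form method="post" action="<?php echo $_SERVER["REQUEST_URI"]; ?>">
+<form method="post" action="<?php echo esc_attr($_SERVER["REQUEST_URI"]); ?>">
+<?php
+if ( function_exists('wp_nonce_field') )
+wp_nonce_field('login-lockdown_release-lockdowns');
+?>
 <h3><?php _e('Currently Locked Out', 'loginlockdown') ?></h3>
 <?php
 $num_lockedout = count($dalist);
@@ -260,7 +282,7 @@ function print_loginlockdownAdminPage() {
 } else {
 foreach ( $dalist as $key => $option ) {
 ?>
-<li><input type="checkbox" name="releaseme[]" value="<?php echo $option['lockdown_ID']; ?>"> <?php echo $option['lockdown_IP']; ?> (<?php echo $option['minutes_left']; ?> minutes left)</li>
+<li><input type="checkbox" name="releaseme[]" value="<?php echo esc_attr($option['lockdown_ID']); ?>"> <?php echo esc_attr($option['lockdown_IP']); ?> (<?php echo esc_attr($option['minutes_left']); ?> minutes left)</li>
 <?php
 }
 }
@@ -340,7 +362,7 @@ if ( isset($loginlockdown_db_version) ) {
 $username = sanitize_user($username);
 $password = trim($password);
 
-if (
+if ( "" != isLockedDown() ) {
 return new WP_Error('incorrect_password', "<strong>ERROR</strong>: We're sorry, but this IP range has been blocked due to too many recent " .
 "failed login attempts.<br /><br />Please try again later.");
 }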
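Review bot: `$wpdb->escape($release_id)` on new line 241 is placed unquoted after `lockdown_ID =`, and escape only backslashes quote-type characters, so a non-numeric `releaseme[]` value still lands in the query as raw SQL even now that the nonce check gates the handler; bind or cast it instead, e.g. `$wpdb->prepare("UPDATE $table_name SET release_date = now() WHERE lockdown_ID = %d", $release_id)` or `"WHERE lockdown_ID = " . (int) $release_id`. The same unquoted interpolation remains on the context lines for `$loginlockdownOptions['retries_within']` (countFails hunk) and `['lockout_length']` (lockDown hunk), and the settings handler at new line 213 still stores `$_POST['ll_max_login_retries']` verbatim, so an `intval()` at store time would cover the option values as well. `$user->ID` in the two INSERT hunks is also concatenated raw; it comes from `get_userdatabylogin()` rather than the request, so lower risk, but `%d` via prepare would close it too. print_loginlockdownAdminPage and the other functions touched here begin and end outside the hunks.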
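--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Developer: Michael VanDeMar (michael@endlesspoetry.com)
 Tags: security, login
 Requires at least: 2.5
 Tested up to: 2.8.4
-Stable Tag: 1.
+Stable Tag: 1.5
 
 Limits the number of login attempts from a given IP range within a certain time period.
 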
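--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-1.
+1.5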