Login LockDown - Version 1.5


Release Info

Developer mvandemar
Version 1.5

Code changes from version 1.4 to 1.5

Files changed (3)
  1. loginlockdown.php +38 -16
  2. readme.txt +1 -1
  3. version.txt +1 -1
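--- a/loginlockdown.php
+++ b/loginlockdown.php
@@ -2,7 +2,7 @@
 /*
 Plugin Name: Login LockDown
 Plugin URI: http://www.bad-neighborhood.com/
-Version: v1.4
+Version: v1.5
 Author: Michael VanDeMar
 Description: Adds some extra security to WordPress by restricting the rate at which failed logins can be re-attempted from a given IP range. Distributed through <a href="http://www.bad-neighborhood.com/" target="_blank">Bad Neighborhood</a>.
 */
@@ -10,6 +10,12 @@ Description: Adds some extra security to WordPress by restricting the rate at wh
 /*
 * Change Log
 *
+* ver. 1.5 17-Sep-2009
+* - implemented wp_nonce security in the options and lockdown release forms in the admin screen
+* - fixed a security hole with an improperly escaped SQL query
+* - encoded certain outputs in the admin panel using esc_attr() to prevent XSS attacks
+* - fixed an issue with the 'Lockout Invalid Usernames' option not functioning as intended
+*
 * ver. 1.4 29-Aug-2009
 * - removed erroneous error affecting WP 2.8+
 * - fixed activation error caused by customizing the location of the wp-content folder
@@ -118,7 +124,7 @@ function countFails($username = "") {
 $numFails = $wpdb->get_var("SELECT COUNT(login_attempt_ID) FROM $table_name " .
 "WHERE login_attempt_date + INTERVAL " .
 $loginlockdownOptions['retries_within'] . " MINUTE > now() AND " .
-"login_attempt_IP LIKE '$class_c%'");
+"login_attempt_IP LIKE '" . $wpdb->escape($class_c) . "%'");
 return $numFails;
 }
 
@@ -132,7 +138,7 @@ function incrementFails($username = "") {
 $user = get_userdatabylogin($username);
 if ( $user || "yes" == $loginlockdownOptions['lockout_invalid_usernames'] ) {
 $insert = "INSERT INTO " . $table_name . " (user_id, login_attempt_date, login_attempt_IP) " .
-"VALUES ('" . $user->ID . "', now(), '" . mysql_real_escape_string($ip) . "')";
+"VALUES ('" . $user->ID . "', now(), '" . $wpdb->escape($ip) . "')";
 $results = $wpdb->query($insert);
 }
 }
@@ -148,7 +154,7 @@ function lockDown($username = "") {
 if ( $user || "yes" == $loginlockdownOptions['lockout_invalid_usernames'] ) {
 $insert = "INSERT INTO " . $table_name . " (user_id, lockdown_date, release_date, lockdown_IP) " .
 "VALUES ('" . $user->ID . "', now(), date_add(now(), INTERVAL " .
-$loginlockdownOptions['lockout_length'] . " MINUTE), '" . $ip . "')";
+$loginlockdownOptions['lockout_length'] . " MINUTE), '" . $wpdb->escape($ip) . "')";
 $results = $wpdb->query($insert);
 }
 }
@@ -161,7 +167,7 @@ function isLockedDown() {
 
 $stillLocked = $wpdb->get_var("SELECT user_id FROM $table_name " .
 "WHERE release_date > now() AND " .
-"lockdown_IP LIKE '$class_c%'");
+"lockdown_IP LIKE '" . $wpdb->escape($class_c) . "%'");
 
 return $stillLocked;
 }
@@ -196,9 +202,13 @@ function get_loginlockdownOptions() {
 function print_loginlockdownAdminPage() {
 global $wpdb;
 $table_name = $wpdb->prefix . "lockdowns";
-$loginlockdownAdminOptions = get_loginlockdownOptions();
-
+$loginlockdownAdminOptions = get_loginlockdownOptions();
+
 if (isset($_POST['update_loginlockdownSettings'])) {
+
+//wp_nonce check
+check_admin_referer('login-lockdown_update-options');
+
 if (isset($_POST['ll_max_login_retries'])) {
 $loginlockdownAdminOptions['max_login_retries'] = $_POST['ll_max_login_retries'];
 }
@@ -219,12 +229,16 @@ function print_loginlockdownAdminPage() {
 <div class="updated"><p><strong><?php _e("Settings Updated.", "loginlockdown");?></strong></p></div>
 <?php
 }
-if (isset($_POST['release_lockdowns'])) {
+if (isset($_POST['release_lockdowns'])) {
+
+//wp_nonce check
+check_admin_referer('login-lockdown_release-lockdowns');
+
 if (isset($_POST['releaseme'])) {
 $released = $_POST['releaseme'];
 foreach ( $released as $release_id ) {
 $results = $wpdb->query("UPDATE $table_name SET release_date = now() " .
-"WHERE lockdown_ID = $release_id");
+"WHERE lockdown_ID = " . $wpdb->escape($release_id) . "");
 }
 }
 update_option("loginlockdownAdminOptions", $loginlockdownAdminOptions);
@@ -235,14 +249,18 @@ function print_loginlockdownAdminPage() {
 $dalist = listLockedDown();
 ?>
 <div class=wrap>
-<form method="post" action="<?php echo $_SERVER["REQUEST_URI"]; ?>">
+<form method="post" action="<?php echo esc_attr($_SERVER["REQUEST_URI"]); ?>">
+<?php
+if ( function_exists('wp_nonce_field') )
+wp_nonce_field('login-lockdown_update-options');
+?>
 <h2><?php _e('Login LockDown Options', 'loginlockdown') ?></h2>
 <h3><?php _e('Max Login Retries', 'loginlockdown') ?></h3>
-<input type="text" name="ll_max_login_retries" size="8" value="<?php echo $loginlockdownAdminOptions['max_login_retries']; ?>">
+<input type="text" name="ll_max_login_retries" size="8" value="<?php echo esc_attr($loginlockdownAdminOptions['max_login_retries']); ?>">
 <h3><?php _e('Retry Time Period Restriction (minutes)', 'loginlockdown') ?></h3>
-<input type="text" name="ll_retries_within" size="8" value="<?php echo $loginlockdownAdminOptions['retries_within']; ?>">
+<input type="text" name="ll_retries_within" size="8" value="<?php echo esc_attr($loginlockdownAdminOptions['retries_within']); ?>">
 <h3><?php _e('Lockout Length (minutes)', 'loginlockdown') ?></h3>
-<input type="text" name="ll_lockout_length" size="8" value="<?php echo $loginlockdownAdminOptions['lockout_length']; ?>">
+<input type="text" name="ll_lockout_length" size="8" value="<?php echo esc_attr($loginlockdownAdminOptions['lockout_length']); ?>">
 <h3><?php _e('Lockout Invalid Usernames?', 'loginlockdown') ?></h3>
 <input type="radio" name="ll_lockout_invalid_usernames" value="yes" <?php if( $loginlockdownAdminOptions['lockout_invalid_usernames'] == "yes" ) echo "checked"; ?>>&nbsp;Yes&nbsp;&nbsp;&nbsp;<input type="radio" name="ll_lockout_invalid_usernames" value="no" <?php if( $loginlockdownAdminOptions['lockout_invalid_usernames'] == "no" ) echo "checked"; ?>>&nbsp;No
 <h3><?php _e('Mask Login Errors?', 'loginlockdown') ?></h3>
@@ -251,7 +269,11 @@ function print_loginlockdownAdminPage() {
 <input type="submit" name="update_loginlockdownSettings" value="<?php _e('Update Settings', 'loginlockdown') ?>" /></div>
 </form>
 <br />
-<form method="post" action="<?php echo $_SERVER["REQUEST_URI"]; ?>">
+<form method="post" action="<?php echo esc_attr($_SERVER["REQUEST_URI"]); ?>">
+<?php
+if ( function_exists('wp_nonce_field') )
+wp_nonce_field('login-lockdown_release-lockdowns');
+?>
 <h3><?php _e('Currently Locked Out', 'loginlockdown') ?></h3>
 <?php
 $num_lockedout = count($dalist);
@@ -260,7 +282,7 @@ function print_loginlockdownAdminPage() {
 } else {
 foreach ( $dalist as $key => $option ) {
 ?>
-<li><input type="checkbox" name="releaseme[]" value="<?php echo $option['lockdown_ID']; ?>"> <?php echo $option['lockdown_IP']; ?> (<?php echo $option['minutes_left']; ?> minutes left)</li>
+<li><input type="checkbox" name="releaseme[]" value="<?php echo esc_attr($option['lockdown_ID']); ?>"> <?php echo esc_attr($option['lockdown_IP']); ?> (<?php echo esc_attr($option['minutes_left']); ?> minutes left)</li>
 <?php
 }
 }
@@ -340,7 +362,7 @@ if ( isset($loginlockdown_db_version) ) {
 $username = sanitize_user($username);
 $password = trim($password);
 
-if ( 0 < isLockedDown() ) {
+if ( "" != isLockedDown() ) {
 return new WP_Error('incorrect_password', "<strong>ERROR</strong>: We're sorry, but this IP range has been blocked due to too many recent " .
 "failed login attempts.<br /><br />Please try again later.");
 }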
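Review bot: In the release-lockdowns hunk, `$wpdb->escape($release_id)` is concatenated into `WHERE lockdown_ID = ` with no surrounding quotes, so the escaping only neutralises quote characters and does not confine the submitted value to the integer the column expects; `$wpdb->query($wpdb->prepare("UPDATE $table_name SET release_date = now() WHERE lockdown_ID = %d", $release_id));` (or at minimum `(int) $release_id`) closes that gap, and the trailing `. ""` on the rebuilt string is a no-op that can go. The same prepare()-with-placeholders form would also suit the countFails, incrementFails, lockDown and isLockedDown hunks in place of `$wpdb->escape()`, which WordPress later deprecated in favour of prepare()/esc_sql(). Separately, the new `esc_attr()` calls are unguarded while `wp_nonce_field()` is wrapped in `function_exists()`; esc_attr() was introduced in WordPress 2.8, so on the 2.5 minimum declared in readme.txt the admin page would fatal before the nonce guard matters — either raise the requirement or make the compatibility handling consistent. print_loginlockdownAdminPage's body starts and ends outside these hunks.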
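--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Developer: Michael VanDeMar (michael@endlesspoetry.com)
 Tags: security, login
 Requires at least: 2.5
 Tested up to: 2.8.4
-Stable Tag: 1.4
+Stable Tag: 1.5
 
 Limits the number of login attempts from a given IP range within a certain time period.
 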
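--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-1.4
+1.5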