Version Description
Release Info
Developer | mvandemar |
Plugin | Login LockDown |
Version | 1.8 |
Comparing to | |
Code changes from version 1.7.1 to 1.8
- loginlockdown.php +38 -30
- readme.txt +7 -2
loginlockdown.php
CHANGED
@@ -2,7 +2,7 @@
|
|
2 |
/*
|
3 |
Plugin Name: Login LockDown
|
4 |
Plugin URI: http://www.bad-neighborhood.com/
|
5 |
-
Version: v1.
|
6 |
Author: Michael VanDeMar
|
7 |
Description: Adds some extra security to WordPress by restricting the rate at which failed logins can be re-attempted from a given IP range. Distributed through <a href="http://www.bad-neighborhood.com/" target="_blank">Bad Neighborhood</a>.
|
8 |
*/
|
@@ -10,6 +10,10 @@ Description: Adds some extra security to WordPress by restricting the rate at wh
|
|
10 |
/*
|
11 |
== Change Log ==
|
12 |
*
|
|
|
|
|
|
|
|
|
13 |
* ver. 1.7.1 13-Sep-2016
|
14 |
* - fixed bug causing all ipv6 addresses to get locked out if 1 was
|
15 |
* - added in WordPress MultiSite functionality
|
@@ -224,7 +228,7 @@ function get_loginlockdownOptions() {
|
|
224 |
'lockout_length' => 60,
|
225 |
'lockout_invalid_usernames' => 'no',
|
226 |
'mask_login_errors' => 'no',
|
227 |
-
'show_credit_link' => '
|
228 |
);
|
229 |
$loginlockdownOptions = get_option("loginlockdownAdminOptions");
|
230 |
if ( !empty($loginlockdownOptions) ) {
|
@@ -320,8 +324,8 @@ $active_tab = isset( $_GET[ 'tab' ] ) ? $_GET[ 'tab' ] : 'settings';
|
|
320 |
<h2><?php _e('Login LockDown Options', 'loginlockdown') ?></h2>
|
321 |
|
322 |
<h2 class="nav-tab-wrapper">
|
323 |
-
<a href="?page=loginlockdown.php&tab=settings" class="nav-tab <?php echo $active_tab == 'settings' ? 'nav-tab-active' : ''; ?>"
|
324 |
-
<a href="?page=loginlockdown.php&tab=activity" class="nav-tab <?php echo $active_tab == 'activity' ? 'nav-tab-active' : ''; ?>"
|
325 |
</h2>
|
326 |
<?php if ( $active_tab == 'settings' ) { ?>
|
327 |
<form method="post" action="<?php echo esc_attr($_SERVER["REQUEST_URI"]); ?>">
|
@@ -331,28 +335,27 @@ if ( function_exists('wp_nonce_field') )
|
|
331 |
?>
|
332 |
|
333 |
<h3><?php _e('Max Login Retries', 'loginlockdown') ?></h3>
|
334 |
-
<p
|
335 |
<p><input type="text" name="ll_max_login_retries" size="8" value="<?php echo esc_attr($loginlockdownAdminOptions['max_login_retries']); ?>"></p>
|
336 |
<h3><?php _e('Retry Time Period Restriction (minutes)', 'loginlockdown') ?></h3>
|
337 |
-
<p
|
338 |
<p><input type="text" name="ll_retries_within" size="8" value="<?php echo esc_attr($loginlockdownAdminOptions['retries_within']); ?>"></p>
|
339 |
<h3><?php _e('Lockout Length (minutes)', 'loginlockdown') ?></h3>
|
340 |
-
<p
|
341 |
<p><input type="text" name="ll_lockout_length" size="8" value="<?php echo esc_attr($loginlockdownAdminOptions['lockout_length']); ?>"></p>
|
342 |
<h3><?php _e('Lockout Invalid Usernames?', 'loginlockdown') ?></h3>
|
343 |
-
<p
|
344 |
-
<p><input type="radio" name="ll_lockout_invalid_usernames" value="yes" <?php if( $loginlockdownAdminOptions['lockout_invalid_usernames'] == "yes" ) echo "checked"; ?>> 
|
345 |
<h3><?php _e('Mask Login Errors?', 'loginlockdown') ?></h3>
|
346 |
-
<p
|
347 |
-
|
348 |
-
<p><input type="radio" name="ll_mask_login_errors" value="yes" <?php if( $loginlockdownAdminOptions['mask_login_errors'] == "yes" ) echo "checked"; ?>> Yes <input type="radio" name="ll_mask_login_errors" value="no" <?php if( $loginlockdownAdminOptions['mask_login_errors'] == "no" ) echo "checked"; ?>> No</p>
|
349 |
<h3><?php _e('Show Credit Link?', 'loginlockdown') ?></h3>
|
350 |
-
<p
|
351 |
-
<blockquote
|
352 |
-
This helps others know about the plugin so they can protect their blogs as well if they like.
|
353 |
-
<input type="radio" name="ll_show_credit_link" value="yes" <?php if( $loginlockdownAdminOptions['show_credit_link'] == "yes" || $loginlockdownAdminOptions['show_credit_link'] == "" ) echo "checked"; ?>> 
|
354 |
-
<input type="radio" name="ll_show_credit_link" value="shownofollow" <?php if( $loginlockdownAdminOptions['show_credit_link'] == "shownofollow" ) echo "checked"; ?>> 
|
355 |
-
<input type="radio" name="ll_show_credit_link" value="no" <?php if( $loginlockdownAdminOptions['show_credit_link'] == "no" ) echo "checked"; ?>> 
|
356 |
<div class="submit">
|
357 |
<input type="submit" class="button button-primary" name="update_loginlockdownSettings" value="<?php _e('Update Settings', 'loginlockdown') ?>" /></div>
|
358 |
</form>
|
@@ -377,7 +380,7 @@ if( count($dalist) == 1 ) {
|
|
377 |
} else {
|
378 |
foreach ( $dalist as $key => $option ) {
|
379 |
?>
|
380 |
-
<li><input type="checkbox" name="releaseme[]" value="<?php echo esc_attr($option['lockdown_ID']); ?>"> <?php echo esc_attr($option['lockdown_IP']); ?> (<?php echo esc_attr($option['minutes_left']); ?> minutes left)</li>
|
381 |
<?php
|
382 |
}
|
383 |
}
|
@@ -406,7 +409,9 @@ function ll_credit_link(){
|
|
406 |
$relnofollow = "";
|
407 |
}
|
408 |
if ( $showcreditlink != "no" ) {
|
409 |
-
echo "<p>
|
|
|
|
|
410 |
}
|
411 |
}
|
412 |
|
@@ -432,10 +437,10 @@ if ( isset($loginlockdown_db_version) ) {
|
|
432 |
$error = new WP_Error();
|
433 |
|
434 |
if ( empty($username) )
|
435 |
-
$error->add('empty_username', __('<strong>ERROR</strong>: The username field is empty.'));
|
436 |
|
437 |
if ( empty($password) )
|
438 |
-
$error->add('empty_password', __('<strong>ERROR</strong>: The password field is empty.'));
|
439 |
|
440 |
return $error;
|
441 |
}
|
@@ -443,7 +448,7 @@ if ( isset($loginlockdown_db_version) ) {
|
|
443 |
$userdata = get_user_by('login',$username);
|
444 |
|
445 |
if ( !$userdata ) {
|
446 |
-
return new WP_Error('invalid_username', sprintf(__('<strong>ERROR</strong>: Invalid username. <a href="%s" title="Password Lost and Found">Lost your password</a>?'), site_url('wp-login.php?action=lostpassword', 'login')));
|
447 |
}
|
448 |
|
449 |
$userdata = apply_filters('wp_authenticate_user', $userdata, $password);
|
@@ -452,7 +457,7 @@ if ( isset($loginlockdown_db_version) ) {
|
|
452 |
}
|
453 |
|
454 |
if ( !wp_check_password($password, $userdata->user_pass, $userdata->ID) ) {
|
455 |
-
return new WP_Error('incorrect_password', sprintf(__('<strong>ERROR</strong>: Incorrect password. <a href="%s" title="Password Lost and Found">Lost your password</a>?'), site_url('wp-login.php?action=lostpassword', 'login')));
|
456 |
}
|
457 |
|
458 |
$user = new WP_User($userdata->ID);
|
@@ -469,8 +474,7 @@ if ( isset($loginlockdown_db_version) ) {
|
|
469 |
$password = trim($password);
|
470 |
|
471 |
if ( "" != isLockedDown() ) {
|
472 |
-
return new WP_Error('incorrect_password', "<strong>ERROR</strong>: We're sorry, but this IP range has been blocked due to too many recent "
|
473 |
-
"failed login attempts.<br /><br />Please try again later.");
|
474 |
}
|
475 |
|
476 |
$user = apply_filters('authenticate', null, $username, $password);
|
@@ -478,7 +482,7 @@ if ( isset($loginlockdown_db_version) ) {
|
|
478 |
if ( $user == null ) {
|
479 |
// TODO what should the error message be? (Or would these even happen?)
|
480 |
// Only needed if all authentication handlers fail to return anything.
|
481 |
-
$user = new WP_Error('authentication_failed', __('<strong>ERROR</strong>: Invalid username or incorrect password.'));
|
482 |
}
|
483 |
|
484 |
$ignore_codes = array('empty_username', 'empty_password');
|
@@ -487,11 +491,10 @@ if ( isset($loginlockdown_db_version) ) {
|
|
487 |
incrementFails($username);
|
488 |
if ( $loginlockdownOptions['max_login_retries'] <= countFails($username) ) {
|
489 |
lockDown($username);
|
490 |
-
return new WP_Error('incorrect_password', __("<strong>ERROR</strong>: We're sorry, but this IP range has been blocked due to too many recent "
|
491 |
-
"failed login attempts.<br /><br />Please try again later."));
|
492 |
}
|
493 |
if ( 'yes' == $loginlockdownOptions['mask_login_errors'] ) {
|
494 |
-
return new WP_Error('authentication_failed', sprintf(__('<strong>ERROR</strong>: Invalid username or incorrect password. <a href="%s" title="Password Lost and Found">Lost your password</a>?'), site_url('wp-login.php?action=lostpassword', 'login')));
|
495 |
} else {
|
496 |
do_action('wp_login_failed', $username);
|
497 |
}
|
@@ -567,3 +570,8 @@ if ( isset($loginlockdown_db_version) ) {
|
|
567 |
}
|
568 |
}
|
569 |
|
|
|
|
|
|
|
|
|
|
2 |
/*
|
3 |
Plugin Name: Login LockDown
|
4 |
Plugin URI: http://www.bad-neighborhood.com/
|
5 |
+
Version: v1.8
|
6 |
Author: Michael VanDeMar
|
7 |
Description: Adds some extra security to WordPress by restricting the rate at which failed logins can be re-attempted from a given IP range. Distributed through <a href="http://www.bad-neighborhood.com/" target="_blank">Bad Neighborhood</a>.
|
8 |
*/
|
10 |
/*
|
11 |
== Change Log ==
|
12 |
*
|
13 |
+
* ver. 1.8 30-Sep-2019
|
14 |
+
* - fixed issues with internationalization, added .pot file
|
15 |
+
* - changed the credit link to default to not showing
|
16 |
+
*
|
17 |
* ver. 1.7.1 13-Sep-2016
|
18 |
* - fixed bug causing all ipv6 addresses to get locked out if 1 was
|
19 |
* - added in WordPress MultiSite functionality
|
228 |
'lockout_length' => 60,
|
229 |
'lockout_invalid_usernames' => 'no',
|
230 |
'mask_login_errors' => 'no',
|
231 |
+
'show_credit_link' => 'no'
|
232 |
);
|
233 |
$loginlockdownOptions = get_option("loginlockdownAdminOptions");
|
234 |
if ( !empty($loginlockdownOptions) ) {
|
324 |
<h2><?php _e('Login LockDown Options', 'loginlockdown') ?></h2>
|
325 |
|
326 |
<h2 class="nav-tab-wrapper">
|
327 |
+
<a href="?page=loginlockdown.php&tab=settings" class="nav-tab <?php echo $active_tab == 'settings' ? 'nav-tab-active' : ''; ?>"><?php _e('Settings', 'loginlockdown') ?></a>
|
328 |
+
<a href="?page=loginlockdown.php&tab=activity" class="nav-tab <?php echo $active_tab == 'activity' ? 'nav-tab-active' : ''; ?>"><?php _e('Activity', 'loginlockdown') ?> (<?php echo count($dalist); ?>)</a>
|
329 |
</h2>
|
330 |
<?php if ( $active_tab == 'settings' ) { ?>
|
331 |
<form method="post" action="<?php echo esc_attr($_SERVER["REQUEST_URI"]); ?>">
|
335 |
?>
|
336 |
|
337 |
<h3><?php _e('Max Login Retries', 'loginlockdown') ?></h3>
|
338 |
+
<p><?php _e('Number of failed login attempts within the "Retry Time Period Restriction" (defined below) needed to trigger a LockDown.', 'loginlockdown') ?></p>
|
339 |
<p><input type="text" name="ll_max_login_retries" size="8" value="<?php echo esc_attr($loginlockdownAdminOptions['max_login_retries']); ?>"></p>
|
340 |
<h3><?php _e('Retry Time Period Restriction (minutes)', 'loginlockdown') ?></h3>
|
341 |
+
<p><?php _e('Amount of time that determines the rate at which failed login attempts are allowed before a LockDown occurs.', 'loginlockdown') ?></p>
|
342 |
<p><input type="text" name="ll_retries_within" size="8" value="<?php echo esc_attr($loginlockdownAdminOptions['retries_within']); ?>"></p>
|
343 |
<h3><?php _e('Lockout Length (minutes)', 'loginlockdown') ?></h3>
|
344 |
+
<p><?php _e('How long a particular IP block will be locked out for once a LockDown has been triggered.', 'loginlockdown') ?></p>
|
345 |
<p><input type="text" name="ll_lockout_length" size="8" value="<?php echo esc_attr($loginlockdownAdminOptions['lockout_length']); ?>"></p>
|
346 |
<h3><?php _e('Lockout Invalid Usernames?', 'loginlockdown') ?></h3>
|
347 |
+
<p><?php _e('By default Login LockDown will not trigger if an attempt is made to log in using a username that does not exist. You can override this behavior here.', 'loginlockdown') ?></p>
|
348 |
+
<p><input type="radio" name="ll_lockout_invalid_usernames" value="yes" <?php if( $loginlockdownAdminOptions['lockout_invalid_usernames'] == "yes" ) echo "checked"; ?>> <?php _e('Yes', 'loginlockdown') ?> <input type="radio" name="ll_lockout_invalid_usernames" value="no" <?php if( $loginlockdownAdminOptions['lockout_invalid_usernames'] == "no" ) echo "checked"; ?>> <?php _e('No', 'loginlockdown') ?></p>
|
349 |
<h3><?php _e('Mask Login Errors?', 'loginlockdown') ?></h3>
|
350 |
+
<p><?php _e('WordPress will normally display distinct messages to the user depending on whether they try and log in with an invalid username, or with a valid username but the incorrect password. Toggling this option will hide why the login failed.', 'loginlockdown') ?></p>
|
351 |
+
<p><input type="radio" name="ll_mask_login_errors" value="yes" <?php if( $loginlockdownAdminOptions['mask_login_errors'] == "yes" ) echo "checked"; ?>> <?php _e('Yes', 'loginlockdown') ?> <input type="radio" name="ll_mask_login_errors" value="no" <?php if( $loginlockdownAdminOptions['mask_login_errors'] == "no" ) echo "checked"; ?>> <?php _e('No', 'loginlockdown') ?></p>
|
|
|
352 |
<h3><?php _e('Show Credit Link?', 'loginlockdown') ?></h3>
|
353 |
+
<p><?php _e('If enabled, Login LockDown will display the following message on the login form', 'loginlockdown') ?>:<br />
|
354 |
+
<blockquote><?php _e('Login form protected by', 'loginlockdown') ?> <a href='http://www.bad-neighborhood.com/login-lockdown.html'>Login LockDown</a>.</blockquote>
|
355 |
+
<?php _e('This helps others know about the plugin so they can protect their blogs as well if they like. You can enable or disable this message below', 'loginlockdown') ?>:</p>
|
356 |
+
<input type="radio" name="ll_show_credit_link" value="yes" <?php if( $loginlockdownAdminOptions['show_credit_link'] == "yes" || $loginlockdownAdminOptions['show_credit_link'] == "" ) echo "checked"; ?>> <?php _e('Yes, display the credit link.', 'loginlockdown') ?><br />
|
357 |
+
<input type="radio" name="ll_show_credit_link" value="shownofollow" <?php if( $loginlockdownAdminOptions['show_credit_link'] == "shownofollow" ) echo "checked"; ?>> <?php _e('Display the credit link, but add "rel=\'nofollow\'" (ie. do not pass any link juice).', 'loginlockdown') ?><br />
|
358 |
+
<input type="radio" name="ll_show_credit_link" value="no" <?php if( $loginlockdownAdminOptions['show_credit_link'] == "no" ) echo "checked"; ?>> <?php _e('No, do not display the credit link.', 'loginlockdown') ?><br />
|
359 |
<div class="submit">
|
360 |
<input type="submit" class="button button-primary" name="update_loginlockdownSettings" value="<?php _e('Update Settings', 'loginlockdown') ?>" /></div>
|
361 |
</form>
|
380 |
} else {
|
381 |
foreach ( $dalist as $key => $option ) {
|
382 |
?>
|
383 |
+
<li><input type="checkbox" name="releaseme[]" value="<?php echo esc_attr($option['lockdown_ID']); ?>"> <?php echo esc_attr($option['lockdown_IP']); ?> (<?php echo esc_attr($option['minutes_left']); ?> <?php _e('minutes left', 'loginlockdown') ?>)</li>
|
384 |
<?php
|
385 |
}
|
386 |
}
|
409 |
$relnofollow = "";
|
410 |
}
|
411 |
if ( $showcreditlink != "no" ) {
|
412 |
+
echo "<p>";
|
413 |
+
_e('Login form protected by', 'loginlockdown');
|
414 |
+
echo " <a href='http://www.bad-neighborhood.com/login-lockdown.html' $relnofollow>Login LockDown</a>.<br /><br /><br /></p>";
|
415 |
}
|
416 |
}
|
417 |
|
437 |
$error = new WP_Error();
|
438 |
|
439 |
if ( empty($username) )
|
440 |
+
$error->add('empty_username', __('<strong>ERROR</strong>: The username field is empty.', 'loginlockdown'));
|
441 |
|
442 |
if ( empty($password) )
|
443 |
+
$error->add('empty_password', __('<strong>ERROR</strong>: The password field is empty.', 'loginlockdown'));
|
444 |
|
445 |
return $error;
|
446 |
}
|
448 |
$userdata = get_user_by('login',$username);
|
449 |
|
450 |
if ( !$userdata ) {
|
451 |
+
return new WP_Error('invalid_username', sprintf(__('<strong>ERROR</strong>: Invalid username. <a href="%s" title="Password Lost and Found">Lost your password</a>?', 'loginlockdown'), site_url('wp-login.php?action=lostpassword', 'login')));
|
452 |
}
|
453 |
|
454 |
$userdata = apply_filters('wp_authenticate_user', $userdata, $password);
|
457 |
}
|
458 |
|
459 |
if ( !wp_check_password($password, $userdata->user_pass, $userdata->ID) ) {
|
460 |
+
return new WP_Error('incorrect_password', sprintf(__('<strong>ERROR</strong>: Incorrect password. <a href="%s" title="Password Lost and Found">Lost your password</a>?', 'loginlockdown'), site_url('wp-login.php?action=lostpassword', 'login')));
|
461 |
}
|
462 |
|
463 |
$user = new WP_User($userdata->ID);
|
474 |
$password = trim($password);
|
475 |
|
476 |
if ( "" != isLockedDown() ) {
|
477 |
+
return new WP_Error('incorrect_password', __("<strong>ERROR</strong>: We're sorry, but this IP range has been blocked due to too many recent failed login attempts.<br /><br />Please try again later.", 'loginlockdown'));
|
|
|
478 |
}
|
479 |
|
480 |
$user = apply_filters('authenticate', null, $username, $password);
|
482 |
if ( $user == null ) {
|
483 |
// TODO what should the error message be? (Or would these even happen?)
|
484 |
// Only needed if all authentication handlers fail to return anything.
|
485 |
+
$user = new WP_Error('authentication_failed', __('<strong>ERROR</strong>: Invalid username or incorrect password.', 'loginlockdown'));
|
486 |
}
|
487 |
|
488 |
$ignore_codes = array('empty_username', 'empty_password');
|
491 |
incrementFails($username);
|
492 |
if ( $loginlockdownOptions['max_login_retries'] <= countFails($username) ) {
|
493 |
lockDown($username);
|
494 |
+
return new WP_Error('incorrect_password', __("<strong>ERROR</strong>: We're sorry, but this IP range has been blocked due to too many recent failed login attempts.<br /><br />Please try again later.", 'loginlockdown'));
|
|
|
495 |
}
|
496 |
if ( 'yes' == $loginlockdownOptions['mask_login_errors'] ) {
|
497 |
+
return new WP_Error('authentication_failed', sprintf(__('<strong>ERROR</strong>: Invalid username or incorrect password. <a href="%s" title="Password Lost and Found">Lost your password</a>?', 'loginlockdown'), site_url('wp-login.php?action=lostpassword', 'login')));
|
498 |
} else {
|
499 |
do_action('wp_login_failed', $username);
|
500 |
}
|
570 |
}
|
571 |
}
|
572 |
|
573 |
+
add_action('plugins_loaded', 'loginlockdown_init', 10);
|
574 |
+
|
575 |
+
function loginlockdown_init() {
|
576 |
+
load_plugin_textdomain( 'loginlockdown', false, dirname(plugin_basename(__FILE__)).'/languages/' );
|
577 |
+
}
|
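Review bot: The newly translatable strings are printed with `_e()`, which echoes the translation unescaped, so whatever the loaded `loginlockdown` language file contains is emitted as markup, including on the login form in `ll_credit_link()` (new lines 412-414), which unauthenticated visitors see. For the plain-text labels I would use `esc_html_e('Login form protected by', 'loginlockdown');` and the same for 'Settings', 'Activity', 'Yes', 'No' and 'minutes left'; the unchanged submit button on new line 360 would take `esc_attr_e()` because it sits inside a `value` attribute. The error strings that carry `<strong>` and a link cannot be escaped whole, so they are better passed through `wp_kses()` with a small allow-list, or built with the markup outside the translated text. Also, new line 356 still pre-selects 'Yes' when `show_credit_link` is empty and new line 411 prints the link for any value other than "no", so the new `'no'` default presumably only reaches installs with no stored option. The bodies of these functions lie outside the hunks shown, so this should be confirmed against the full file.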
readme.txt
CHANGED
@@ -2,8 +2,8 @@
|
|
2 |
Developer: Michael VanDeMar (michael@endlesspoetry.com)
|
3 |
Tags: security, login, login form
|
4 |
Requires at least: 3.6
|
5 |
-
Tested up to:
|
6 |
-
Stable Tag: 1.
|
7 |
|
8 |
Limits the number of login attempts from a given IP range within a certain time period.
|
9 |
|
@@ -26,6 +26,11 @@ Enjoy.
|
|
26 |
|
27 |
== Change Log ==
|
28 |
|
|
|
|
|
|
|
|
|
|
|
29 |
ver. 1.7.1 13-Sep-2016
|
30 |
|
31 |
- fixed bug causing all ipv6 addresses to get locked out if 1 was
|
2 |
Developer: Michael VanDeMar (michael@endlesspoetry.com)
|
3 |
Tags: security, login, login form
|
4 |
Requires at least: 3.6
|
5 |
+
Tested up to: 5.2.3
|
6 |
+
Stable Tag: 1.8
|
7 |
|
8 |
Limits the number of login attempts from a given IP range within a certain time period.
|
9 |
|
26 |
|
27 |
== Change Log ==
|
28 |
|
29 |
+
ver. 1.8 30-Sep-2019
|
30 |
+
|
31 |
+
- fixed issues with internationalization, added .pot file
|
32 |
+
- changed the credit link to default to not showing
|
33 |
+
|
34 |
ver. 1.7.1 13-Sep-2016
|
35 |
|
36 |
- fixed bug causing all ipv6 addresses to get locked out if 1 was
|