Login Security Solution - Version 0.10.0

Version Description

  • Catch $user_ID not being set during "Change All Passwords" submission.
  • Add (commented out) log() calls in important spots. Enables users to help me help them.

Release Info

Developer convissor
Version 0.10.0

Code changes from version 0.9.0 to 0.10.0

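--- a/admin.inc
+++ b/admin.inc
@@ -865,6 +865,12 @@ class login_security_solution_admin extends login_security_solution {
 return __('You do not have sufficient permissions to access this page.');
 }
 
+if (empty($user_ID)) {
+###$this->log("force_change_for_all() user_ID not set.");
+###$this->log(debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS));
+return __("\$user_ID variable not set. Another plugin is misbehaving.", self::ID);
+}
+
 $sql = "INSERT INTO `$wpdb->usermeta`
 (user_id, meta_key, meta_value)
 SELECT ID, %s, 1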
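Review bot: The new guard depends on the WordPress global `$user_ID`, which is exactly the value the commit message says another plugin can clobber, and whether the enclosing method declares `global $user_ID` is outside this hunk (the function starts before line 865). A less fragile source for the same check is the core API, e.g. `$user_ID = get_current_user_id();` followed by `if (!$user_ID) {`, which does not rely on a shared global surviving other plugins. `empty()` is acceptable here only because 0 is never a valid WordPress user ID; a comment saying so on the `if` line would stop the next reader from "fixing" it to `isset()`. The two `###$this->log(...)` lines are commented-out code that can only be enabled by editing the shipped file; gating them on `defined('WP_DEBUG') && WP_DEBUG` would let users collect the diagnostics the commit wants without patching the plugin.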
languages/login-security-solution.pot CHANGED
@@ -4,7 +4,7 @@ msgid ""
4
  msgstr ""
5
  "Project-Id-Version: Login Security Solution 0.9.0\n"
6
  "Report-Msgid-Bugs-To: http://wordpress.org/tag/login-security-solution\n"
7
- "POT-Creation-Date: 2012-06-12 01:40:32+00:00\n"
8
  "MIME-Version: 1.0\n"
9
  "Content-Type: text/plain; charset=UTF-8\n"
10
  "Content-Transfer-Encoding: 8bit\n"
@@ -12,171 +12,171 @@ msgstr ""
12
  "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
13
  "Language-Team: LANGUAGE <LL@li.org>\n"
14
 
15
- #: login-security-solution.php:457
16
  msgid "Invalid username or password."
17
  msgstr ""
18
 
19
- #: login-security-solution.php:463 tests/LoginErrorsTest.php:117
20
  #: tests/LoginErrorsTest.php:129
21
  msgid "Password reset is not allowed for this user"
22
  msgstr ""
23
 
24
- #: login-security-solution.php:488 tests/LoginMessageTest.php:66
25
  msgid "It has been over %d minutes since your last action."
26
  msgstr ""
27
 
28
- #: login-security-solution.php:489 tests/LoginMessageTest.php:67
29
  msgid "Please log back in."
30
  msgstr ""
31
 
32
- #: login-security-solution.php:492 tests/LoginMessageTest.php:77
33
  msgid "The grace period for changing your password has expired."
34
  msgstr ""
35
 
36
- #: login-security-solution.php:493 tests/LoginMessageTest.php:78
37
  msgid "Please submit this form to reset your password."
38
  msgstr ""
39
 
40
- #: login-security-solution.php:496 tests/LoginMessageTest.php:88
41
  msgid "Your password must be reset."
42
  msgstr ""
43
 
44
- #: login-security-solution.php:497 tests/LoginMessageTest.php:89
45
  msgid "Please submit this form to reset it."
46
  msgstr ""
47
 
48
- #: login-security-solution.php:500 tests/LoginMessageTest.php:104
49
  msgid "Your password has expired. Please log and change it."
50
  msgstr ""
51
 
52
- #: login-security-solution.php:501 tests/LoginMessageTest.php:105
53
  msgid "We provide a %d minute grace period to do so."
54
  msgstr ""
55
 
56
- #: login-security-solution.php:504 tests/LoginMessageTest.php:115
57
  msgid "The password you tried to create is not secure. Please try again."
58
  msgstr ""
59
 
60
- #: login-security-solution.php:510 tests/LoginMessageTest.php:129
61
  #: tests/LoginMessageTest.php:144
62
  msgid "The site is undergoing maintenance."
63
  msgstr ""
64
 
65
- #: login-security-solution.php:511 tests/LoginMessageTest.php:130
66
  #: tests/LoginMessageTest.php:145
67
  msgid "Please try again later."
68
  msgstr ""
69
 
70
- #: login-security-solution.php:578
71
  msgid "Passwords can not be reused."
72
  msgstr ""
73
 
74
- #: login-security-solution.php:723
75
  msgid "ERROR"
76
  msgstr ""
77
 
78
- #: login-security-solution.php:843
79
  msgid "Component Count Value from Current Attempt"
80
  msgstr ""
81
 
82
- #: login-security-solution.php:845
83
  msgid "Network IP %5d %s"
84
  msgstr ""
85
 
86
- #: login-security-solution.php:847
87
  msgid "Username %5d %s"
88
  msgstr ""
89
 
90
- #: login-security-solution.php:849
91
  msgid "Password MD5 %5d %s"
92
  msgstr ""
93
 
94
- #: login-security-solution.php:1630
95
  msgid "Your website, %s, may have been broken in to."
96
  msgstr ""
97
 
98
- #: login-security-solution.php:1633
99
  msgid ""
100
  "Someone just logged in using the following components. Prior to that, some "
101
  "combination of those components were a part of %d failed attempts to log in "
102
  "during the past %d minutes:"
103
  msgstr ""
104
 
105
- #: login-security-solution.php:1638
106
  msgid ""
107
  "The user has been logged out and will be required to confirm their identity "
108
  "via the password reset functionality."
109
  msgstr ""
110
 
111
- #: login-security-solution.php:1667
112
  msgid "Your website, %s, is undergoing a brute force attack."
113
  msgstr ""
114
 
115
- #: login-security-solution.php:1670
116
  msgid ""
117
  "There have been at least %d failed attempts to log in during the past %d "
118
  "minutes that used one or more of the following components:"
119
  msgstr ""
120
 
121
- #: login-security-solution.php:1675
122
  msgid ""
123
  "The %s plugin for WordPress is repelling the attack by making their login "
124
  "failures take a very long time."
125
  msgstr ""
126
 
127
- #: login-security-solution.php:1997
128
  msgid "Password not set."
129
  msgstr ""
130
 
131
- #: login-security-solution.php:2012
132
  msgid "Passwords must be strings."
133
  msgstr ""
134
 
135
- #: login-security-solution.php:2030
136
  msgid "Passwords must use ASCII characters."
137
  msgstr ""
138
 
139
- #: login-security-solution.php:2049
140
  msgid "Password is too short."
141
  msgstr ""
142
 
143
- #: login-security-solution.php:2058
144
  msgid "Passwords must either contain numbers or be %d characters long."
145
  msgstr ""
146
 
147
- #: login-security-solution.php:2067
148
  msgid ""
149
  "Passwords must either contain punctuation marks / symbols or be %d "
150
  "characters long."
151
  msgstr ""
152
 
153
- #: login-security-solution.php:2076
154
  msgid ""
155
  "Passwords must either contain upper-case and lower-case letters or be %d "
156
  "characters long."
157
  msgstr ""
158
 
159
- #: login-security-solution.php:2086
160
  msgid "Passwords can't be sequential keys."
161
  msgstr ""
162
 
163
- #: login-security-solution.php:2095
164
  msgid "Passwords can't have that many sequential characters."
165
  msgstr ""
166
 
167
- #: login-security-solution.php:2111
168
  msgid "Passwords can't contain user data."
169
  msgstr ""
170
 
171
- #: login-security-solution.php:2122
172
  msgid "Passwords can't contain site info."
173
  msgstr ""
174
 
175
- #: login-security-solution.php:2131
176
  msgid "Password is too common."
177
  msgstr ""
178
 
179
- #: login-security-solution.php:2140
180
  msgid "Passwords can't be variations of dictionary words."
181
  msgstr ""
182
 
4
  msgstr ""
5
  "Project-Id-Version: Login Security Solution 0.9.0\n"
6
  "Report-Msgid-Bugs-To: http://wordpress.org/tag/login-security-solution\n"
7
+ "POT-Creation-Date: 2012-06-16 19:52:08+00:00\n"
8
  "MIME-Version: 1.0\n"
9
  "Content-Type: text/plain; charset=UTF-8\n"
10
  "Content-Transfer-Encoding: 8bit\n"
12
  "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
13
  "Language-Team: LANGUAGE <LL@li.org>\n"
14
 
15
+ #: login-security-solution.php:462
16
  msgid "Invalid username or password."
17
  msgstr ""
18
 
19
+ #: login-security-solution.php:468 tests/LoginErrorsTest.php:117
20
  #: tests/LoginErrorsTest.php:129
21
  msgid "Password reset is not allowed for this user"
22
  msgstr ""
23
 
24
+ #: login-security-solution.php:493 tests/LoginMessageTest.php:66
25
  msgid "It has been over %d minutes since your last action."
26
  msgstr ""
27
 
28
+ #: login-security-solution.php:494 tests/LoginMessageTest.php:67
29
  msgid "Please log back in."
30
  msgstr ""
31
 
32
+ #: login-security-solution.php:497 tests/LoginMessageTest.php:77
33
  msgid "The grace period for changing your password has expired."
34
  msgstr ""
35
 
36
+ #: login-security-solution.php:498 tests/LoginMessageTest.php:78
37
  msgid "Please submit this form to reset your password."
38
  msgstr ""
39
 
40
+ #: login-security-solution.php:501 tests/LoginMessageTest.php:88
41
  msgid "Your password must be reset."
42
  msgstr ""
43
 
44
+ #: login-security-solution.php:502 tests/LoginMessageTest.php:89
45
  msgid "Please submit this form to reset it."
46
  msgstr ""
47
 
48
+ #: login-security-solution.php:505 tests/LoginMessageTest.php:104
49
  msgid "Your password has expired. Please log and change it."
50
  msgstr ""
51
 
52
+ #: login-security-solution.php:506 tests/LoginMessageTest.php:105
53
  msgid "We provide a %d minute grace period to do so."
54
  msgstr ""
55
 
56
+ #: login-security-solution.php:509 tests/LoginMessageTest.php:115
57
  msgid "The password you tried to create is not secure. Please try again."
58
  msgstr ""
59
 
60
+ #: login-security-solution.php:515 tests/LoginMessageTest.php:129
61
  #: tests/LoginMessageTest.php:144
62
  msgid "The site is undergoing maintenance."
63
  msgstr ""
64
 
65
+ #: login-security-solution.php:516 tests/LoginMessageTest.php:130
66
  #: tests/LoginMessageTest.php:145
67
  msgid "Please try again later."
68
  msgstr ""
69
 
70
+ #: login-security-solution.php:585
71
  msgid "Passwords can not be reused."
72
  msgstr ""
73
 
74
+ #: login-security-solution.php:732
75
  msgid "ERROR"
76
  msgstr ""
77
 
78
+ #: login-security-solution.php:852
79
  msgid "Component Count Value from Current Attempt"
80
  msgstr ""
81
 
82
+ #: login-security-solution.php:854
83
  msgid "Network IP %5d %s"
84
  msgstr ""
85
 
86
+ #: login-security-solution.php:856
87
  msgid "Username %5d %s"
88
  msgstr ""
89
 
90
+ #: login-security-solution.php:858
91
  msgid "Password MD5 %5d %s"
92
  msgstr ""
93
 
94
+ #: login-security-solution.php:1639
95
  msgid "Your website, %s, may have been broken in to."
96
  msgstr ""
97
 
98
+ #: login-security-solution.php:1642
99
  msgid ""
100
  "Someone just logged in using the following components. Prior to that, some "
101
  "combination of those components were a part of %d failed attempts to log in "
102
  "during the past %d minutes:"
103
  msgstr ""
104
 
105
+ #: login-security-solution.php:1647
106
  msgid ""
107
  "The user has been logged out and will be required to confirm their identity "
108
  "via the password reset functionality."
109
  msgstr ""
110
 
111
+ #: login-security-solution.php:1676
112
  msgid "Your website, %s, is undergoing a brute force attack."
113
  msgstr ""
114
 
115
+ #: login-security-solution.php:1679
116
  msgid ""
117
  "There have been at least %d failed attempts to log in during the past %d "
118
  "minutes that used one or more of the following components:"
119
  msgstr ""
120
 
121
+ #: login-security-solution.php:1684
122
  msgid ""
123
  "The %s plugin for WordPress is repelling the attack by making their login "
124
  "failures take a very long time."
125
  msgstr ""
126
 
127
+ #: login-security-solution.php:2006
128
  msgid "Password not set."
129
  msgstr ""
130
 
131
+ #: login-security-solution.php:2021
132
  msgid "Passwords must be strings."
133
  msgstr ""
134
 
135
+ #: login-security-solution.php:2039
136
  msgid "Passwords must use ASCII characters."
137
  msgstr ""
138
 
139
+ #: login-security-solution.php:2058
140
  msgid "Password is too short."
141
  msgstr ""
142
 
143
+ #: login-security-solution.php:2067
144
  msgid "Passwords must either contain numbers or be %d characters long."
145
  msgstr ""
146
 
147
+ #: login-security-solution.php:2076
148
  msgid ""
149
  "Passwords must either contain punctuation marks / symbols or be %d "
150
  "characters long."
151
  msgstr ""
152
 
153
+ #: login-security-solution.php:2085
154
  msgid ""
155
  "Passwords must either contain upper-case and lower-case letters or be %d "
156
  "characters long."
157
  msgstr ""
158
 
159
+ #: login-security-solution.php:2095
160
  msgid "Passwords can't be sequential keys."
161
  msgstr ""
162
 
163
+ #: login-security-solution.php:2104
164
  msgid "Passwords can't have that many sequential characters."
165
  msgstr ""
166
 
167
+ #: login-security-solution.php:2120
168
  msgid "Passwords can't contain user data."
169
  msgstr ""
170
 
171
+ #: login-security-solution.php:2131
172
  msgid "Passwords can't contain site info."
173
  msgstr ""
174
 
175
+ #: login-security-solution.php:2140
176
  msgid "Password is too common."
177
  msgstr ""
178
 
179
+ #: login-security-solution.php:2149
180
  msgid "Passwords can't be variations of dictionary words."
181
  msgstr ""
182
 
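--- a/login-security-solution.php
+++ b/login-security-solution.php
@@ -6,7 +6,7 @@
 * Description: Requires very strong passwords, repels brute force login attacks, prevents login information disclosures, expires idle sessions, notifies admins of attacks and breaches, permits administrators to disable logins for maintenance or emergency reasons and reset all passwords.
 *
 * Plugin URI: http://wordpress.org/extend/plugins/login-security-solution/
-* Version: 0.9.0
+* Version: 0.10.0
 * Author: Daniel Convissor
 * Author URI: http://www.analysisandsolutions.com/
 * License: GPLv2
@@ -344,6 +344,7 @@ class login_security_solution {
 */
 
 if ($this->is_idle($user->ID)) {
+###$this->log("check(): Idle.");
 $this->redirect_to_login('idle', true);
 return -5;
 }
@@ -351,11 +352,11 @@ class login_security_solution {
 if ($this->is_pw_expired($user->ID)) {
 $grace = $this->check_pw_grace_period($user->ID);
 if ($grace === true) {
-// First time they've been here since password expired.
+###$this->log("check(): First time here since password expired.");
 $this->redirect_to_login('pw_grace', true);
 return -1;
 } elseif ($grace === false) {
-// Grace period has expired.
+###$this->log("check(): Grace period expired.");
 $this->redirect_to_login('pw_expired', false, 'retrievepassword');
 return -2;
 }
@@ -363,6 +364,7 @@ class login_security_solution {
 }
 
 if ($this->get_pw_force_change($user->ID)) {
+###$this->log("check(): Password force change.");
 $this->redirect_to_login('pw_force', false, 'retrievepassword');
 return -3;
 }
@@ -370,6 +372,7 @@ class login_security_solution {
 if ($this->options['disable_logins']
 && !current_user_can('administrator'))
 {
+###$this->log("check(): Disable logins.");
 $this->redirect_to_login();
 return -4;
 }
@@ -403,10 +406,12 @@ class login_security_solution {
 
 if (empty($user_ID)) {
 if (empty($user_name)) {
+###$this->log("delete_last_active(): Empty user_ID, user_name.");
 return;
 }
 $user = get_user_by('login', $user_name);
 if (! $user instanceof WP_User) {
+###$this->log("delete_last_active(): Unknown user_name.");
 return -1;
 }
 $user_ID = $user->ID;
@@ -534,11 +539,13 @@ class login_security_solution {
 */
 public function password_reset($user, $user_pass) {
 if (empty($user->ID)) {
+###$this->log("password_reset(): user->ID not set.");
 return false;
 }
 
 $user->user_pass = $user_pass;
 if (!$this->validate_pw($user)) {
+###$this->log("password_reset(): Invalid password chosen.");
 $this->set_pw_force_change($user->ID);
 $this->redirect_to_login('pw_reset_bad', false, 'rp');
 return -1;
@@ -633,6 +640,7 @@ class login_security_solution {
 if ($this->options['login_fail_breach_pw_force_change']
 && $fails['total'] >= $this->options['login_fail_breach_pw_force_change'])
 {
+###$this->log("wp_login(): Breach force change.");
 $this->set_pw_force_change($user->ID);
 $return += 2;
 }
@@ -640,6 +648,7 @@ class login_security_solution {
 if ($this->options['login_fail_breach_notify']
 && $fails['total'] >= $this->options['login_fail_breach_notify'])
 {
+###$this->log("wp_login(): Breach notify.");
 $this->notify_breach($network_ip, $user_name, $pass_md5, $fails);
 $return += 4;
 }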
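Review bot: The `-351,11 +352,11` hunk replaces the two explanatory comments (`// First time they've been here since password expired.` and `// Grace period has expired.`) with commented-out `###$this->log(...)` calls, so the branch intent that was documented for readers is now only recoverable from a disabled log string; keep the original comments alongside the log lines. The same `###` pattern is used in every other hunk of this file (`-344`, `-363`, `-370`, `-403`, `-534`, `-633`, `-640`), and it means a site owner must edit the shipped plugin to turn diagnostics on and remember to revert afterwards. A runtime gate such as `if (defined('WP_DEBUG') && WP_DEBUG) { $this->log("check(): Idle."); }` gives the same help-me-help-you signal without shipping dead code, and keeps the decision in wp-config.php where operators expect it. All of these hunks sit inside methods whose start and end are outside the shown lines.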
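--- a/readme.txt
+++ b/readme.txt
@@ -3,12 +3,10 @@ Contributors: convissor
 Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=danielc%40analysisandsolutions%2ecom&lc=US&item_name=Donate%3a%20Login%20Security%20Solution&currency_code=USD&bn=PP%2dDonationsBF%3abtn_donateCC_LG%2egif%3aNonHosted
 Tags: login, password, idle, timeout, maintenance, security, attack, hack, lock, ban
 Requires at least: 3.3
-Tested up to: 3.4RC3
-Stable tag: 0.9.0
+Tested up to: 3.4
+Stable tag: 0.10.0
 
-Security against brute force attacks by tracking IP, name, password;
-requiring very strong passwords. Idle timeout. Maintenance mode. Multisite
-ready!
+Security against brute force attacks by tracking IP, name, password; requiring very strong passwords. Idle timeout. Maintenance mode. Multisite ready!
 
 
 == Description ==
@@ -258,6 +256,11 @@ then `cd` into that directory and run:
 
 == Changelog ==
 
+= 0.10.0 =
+* Catch $user_ID not being set during "Change All Passwords" submission.
+* Add (commented out) log() calls in important spots. Enables users to
+help me help them.
+
 = 0.9.0 =
 * Fix change that prevented users from logging in after using the password
 reset process with an insecure password. Users can now pick a better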