Version Description
- Fix change that prevented users from logging in after using the password reset process with an insecure password. Users can now pick a better password right on the spot.
- Regenerate translation POT file.
- Tested under WordPress 3.3.2 and 3.4RC3, both using regular and multisite.
- Unit tests pass using PHP 5.4.0RC8-dev, 5.3.11-dev, and 5.2.18-dev.
Download this release
Release Info
| Developer | convissor |
| Plugin |  Login Security Solution |
| Version | 0.9.0 |
| Comparing to | |
| See all releases | |
Code changes from version 0.8.0 to 0.9.0
- languages/login-security-solution.pot +45 -41
- login-security-solution.php +9 -7
- readme.txt +16 -5
- tests/LoginFailTest.php +4 -0
- tests/LoginMessageTest.php +1 -7
- tests/PasswordChangeTest.php +5 -8
- tests/TestCase.php +16 -4
languages/login-security-solution.pot
CHANGED
|
@@ -2,9 +2,9 @@
|
|
| 2 |
# This file is distributed under the same license as the Login Security Solution package.
|
| 3 |
msgid ""
|
| 4 |
msgstr ""
|
| 5 |
-
"Project-Id-Version: Login Security Solution 0.
|
| 6 |
"Report-Msgid-Bugs-To: http://wordpress.org/tag/login-security-solution\n"
|
| 7 |
-
"POT-Creation-Date: 2012-
|
| 8 |
"MIME-Version: 1.0\n"
|
| 9 |
"Content-Type: text/plain; charset=UTF-8\n"
|
| 10 |
"Content-Transfer-Encoding: 8bit\n"
|
|
@@ -12,167 +12,171 @@ msgstr ""
|
|
| 12 |
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
|
| 13 |
"Language-Team: LANGUAGE <LL@li.org>\n"
|
| 14 |
|
| 15 |
-
#: login-security-solution.php:
|
| 16 |
msgid "Invalid username or password."
|
| 17 |
msgstr ""
|
| 18 |
|
| 19 |
-
#: login-security-solution.php:
|
| 20 |
#: tests/LoginErrorsTest.php:129
|
| 21 |
msgid "Password reset is not allowed for this user"
|
| 22 |
msgstr ""
|
| 23 |
|
| 24 |
-
#: login-security-solution.php:
|
| 25 |
msgid "It has been over %d minutes since your last action."
|
| 26 |
msgstr ""
|
| 27 |
|
| 28 |
-
#: login-security-solution.php:
|
| 29 |
msgid "Please log back in."
|
| 30 |
msgstr ""
|
| 31 |
|
| 32 |
-
#: login-security-solution.php:
|
| 33 |
msgid "The grace period for changing your password has expired."
|
| 34 |
msgstr ""
|
| 35 |
|
| 36 |
-
#: login-security-solution.php:
|
| 37 |
msgid "Please submit this form to reset your password."
|
| 38 |
msgstr ""
|
| 39 |
|
| 40 |
-
#: login-security-solution.php:
|
| 41 |
msgid "Your password must be reset."
|
| 42 |
msgstr ""
|
| 43 |
|
| 44 |
-
#: login-security-solution.php:
|
| 45 |
msgid "Please submit this form to reset it."
|
| 46 |
msgstr ""
|
| 47 |
|
| 48 |
-
#: login-security-solution.php:
|
| 49 |
msgid "Your password has expired. Please log and change it."
|
| 50 |
msgstr ""
|
| 51 |
|
| 52 |
-
#: login-security-solution.php:
|
| 53 |
msgid "We provide a %d minute grace period to do so."
|
| 54 |
msgstr ""
|
| 55 |
|
| 56 |
-
#: login-security-solution.php:
|
| 57 |
-
|
|
|
|
|
|
|
|
|
|
|
|
|
| 58 |
msgid "The site is undergoing maintenance."
|
| 59 |
msgstr ""
|
| 60 |
|
| 61 |
-
#: login-security-solution.php:
|
| 62 |
-
#: tests/LoginMessageTest.php:
|
| 63 |
msgid "Please try again later."
|
| 64 |
msgstr ""
|
| 65 |
|
| 66 |
-
#: login-security-solution.php:
|
| 67 |
msgid "Passwords can not be reused."
|
| 68 |
msgstr ""
|
| 69 |
|
| 70 |
-
#: login-security-solution.php:
|
| 71 |
msgid "ERROR"
|
| 72 |
msgstr ""
|
| 73 |
|
| 74 |
-
#: login-security-solution.php:
|
| 75 |
msgid "Component Count Value from Current Attempt"
|
| 76 |
msgstr ""
|
| 77 |
|
| 78 |
-
#: login-security-solution.php:
|
| 79 |
msgid "Network IP %5d %s"
|
| 80 |
msgstr ""
|
| 81 |
|
| 82 |
-
#: login-security-solution.php:
|
| 83 |
msgid "Username %5d %s"
|
| 84 |
msgstr ""
|
| 85 |
|
| 86 |
-
#: login-security-solution.php:
|
| 87 |
msgid "Password MD5 %5d %s"
|
| 88 |
msgstr ""
|
| 89 |
|
| 90 |
-
#: login-security-solution.php:
|
| 91 |
msgid "Your website, %s, may have been broken in to."
|
| 92 |
msgstr ""
|
| 93 |
|
| 94 |
-
#: login-security-solution.php:
|
| 95 |
msgid ""
|
| 96 |
"Someone just logged in using the following components. Prior to that, some "
|
| 97 |
"combination of those components were a part of %d failed attempts to log in "
|
| 98 |
"during the past %d minutes:"
|
| 99 |
msgstr ""
|
| 100 |
|
| 101 |
-
#: login-security-solution.php:
|
| 102 |
msgid ""
|
| 103 |
"The user has been logged out and will be required to confirm their identity "
|
| 104 |
"via the password reset functionality."
|
| 105 |
msgstr ""
|
| 106 |
|
| 107 |
-
#: login-security-solution.php:
|
| 108 |
msgid "Your website, %s, is undergoing a brute force attack."
|
| 109 |
msgstr ""
|
| 110 |
|
| 111 |
-
#: login-security-solution.php:
|
| 112 |
msgid ""
|
| 113 |
"There have been at least %d failed attempts to log in during the past %d "
|
| 114 |
"minutes that used one or more of the following components:"
|
| 115 |
msgstr ""
|
| 116 |
|
| 117 |
-
#: login-security-solution.php:
|
| 118 |
msgid ""
|
| 119 |
"The %s plugin for WordPress is repelling the attack by making their login "
|
| 120 |
"failures take a very long time."
|
| 121 |
msgstr ""
|
| 122 |
|
| 123 |
-
#: login-security-solution.php:
|
| 124 |
msgid "Password not set."
|
| 125 |
msgstr ""
|
| 126 |
|
| 127 |
-
#: login-security-solution.php:
|
| 128 |
msgid "Passwords must be strings."
|
| 129 |
msgstr ""
|
| 130 |
|
| 131 |
-
#: login-security-solution.php:
|
| 132 |
msgid "Passwords must use ASCII characters."
|
| 133 |
msgstr ""
|
| 134 |
|
| 135 |
-
#: login-security-solution.php:
|
| 136 |
msgid "Password is too short."
|
| 137 |
msgstr ""
|
| 138 |
|
| 139 |
-
#: login-security-solution.php:
|
| 140 |
msgid "Passwords must either contain numbers or be %d characters long."
|
| 141 |
msgstr ""
|
| 142 |
|
| 143 |
-
#: login-security-solution.php:
|
| 144 |
msgid ""
|
| 145 |
"Passwords must either contain punctuation marks / symbols or be %d "
|
| 146 |
"characters long."
|
| 147 |
msgstr ""
|
| 148 |
|
| 149 |
-
#: login-security-solution.php:
|
| 150 |
msgid ""
|
| 151 |
"Passwords must either contain upper-case and lower-case letters or be %d "
|
| 152 |
"characters long."
|
| 153 |
msgstr ""
|
| 154 |
|
| 155 |
-
#: login-security-solution.php:
|
| 156 |
msgid "Passwords can't be sequential keys."
|
| 157 |
msgstr ""
|
| 158 |
|
| 159 |
-
#: login-security-solution.php:
|
| 160 |
msgid "Passwords can't have that many sequential characters."
|
| 161 |
msgstr ""
|
| 162 |
|
| 163 |
-
#: login-security-solution.php:
|
| 164 |
msgid "Passwords can't contain user data."
|
| 165 |
msgstr ""
|
| 166 |
|
| 167 |
-
#: login-security-solution.php:
|
| 168 |
msgid "Passwords can't contain site info."
|
| 169 |
msgstr ""
|
| 170 |
|
| 171 |
-
#: login-security-solution.php:
|
| 172 |
msgid "Password is too common."
|
| 173 |
msgstr ""
|
| 174 |
|
| 175 |
-
#: login-security-solution.php:
|
| 176 |
msgid "Passwords can't be variations of dictionary words."
|
| 177 |
msgstr ""
|
| 178 |
|
| 2 |
# This file is distributed under the same license as the Login Security Solution package.
|
| 3 |
msgid ""
|
| 4 |
msgstr ""
|
| 5 |
+
"Project-Id-Version: Login Security Solution 0.9.0\n"
|
| 6 |
"Report-Msgid-Bugs-To: http://wordpress.org/tag/login-security-solution\n"
|
| 7 |
+
"POT-Creation-Date: 2012-06-12 01:40:32+00:00\n"
|
| 8 |
"MIME-Version: 1.0\n"
|
| 9 |
"Content-Type: text/plain; charset=UTF-8\n"
|
| 10 |
"Content-Transfer-Encoding: 8bit\n"
|
| 12 |
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
|
| 13 |
"Language-Team: LANGUAGE <LL@li.org>\n"
|
| 14 |
|
| 15 |
+
#: login-security-solution.php:457
|
| 16 |
msgid "Invalid username or password."
|
| 17 |
msgstr ""
|
| 18 |
|
| 19 |
+
#: login-security-solution.php:463 tests/LoginErrorsTest.php:117
|
| 20 |
#: tests/LoginErrorsTest.php:129
|
| 21 |
msgid "Password reset is not allowed for this user"
|
| 22 |
msgstr ""
|
| 23 |
|
| 24 |
+
#: login-security-solution.php:488 tests/LoginMessageTest.php:66
|
| 25 |
msgid "It has been over %d minutes since your last action."
|
| 26 |
msgstr ""
|
| 27 |
|
| 28 |
+
#: login-security-solution.php:489 tests/LoginMessageTest.php:67
|
| 29 |
msgid "Please log back in."
|
| 30 |
msgstr ""
|
| 31 |
|
| 32 |
+
#: login-security-solution.php:492 tests/LoginMessageTest.php:77
|
| 33 |
msgid "The grace period for changing your password has expired."
|
| 34 |
msgstr ""
|
| 35 |
|
| 36 |
+
#: login-security-solution.php:493 tests/LoginMessageTest.php:78
|
| 37 |
msgid "Please submit this form to reset your password."
|
| 38 |
msgstr ""
|
| 39 |
|
| 40 |
+
#: login-security-solution.php:496 tests/LoginMessageTest.php:88
|
| 41 |
msgid "Your password must be reset."
|
| 42 |
msgstr ""
|
| 43 |
|
| 44 |
+
#: login-security-solution.php:497 tests/LoginMessageTest.php:89
|
| 45 |
msgid "Please submit this form to reset it."
|
| 46 |
msgstr ""
|
| 47 |
|
| 48 |
+
#: login-security-solution.php:500 tests/LoginMessageTest.php:104
|
| 49 |
msgid "Your password has expired. Please log and change it."
|
| 50 |
msgstr ""
|
| 51 |
|
| 52 |
+
#: login-security-solution.php:501 tests/LoginMessageTest.php:105
|
| 53 |
msgid "We provide a %d minute grace period to do so."
|
| 54 |
msgstr ""
|
| 55 |
|
| 56 |
+
#: login-security-solution.php:504 tests/LoginMessageTest.php:115
|
| 57 |
+
msgid "The password you tried to create is not secure. Please try again."
|
| 58 |
+
msgstr ""
|
| 59 |
+
|
| 60 |
+
#: login-security-solution.php:510 tests/LoginMessageTest.php:129
|
| 61 |
+
#: tests/LoginMessageTest.php:144
|
| 62 |
msgid "The site is undergoing maintenance."
|
| 63 |
msgstr ""
|
| 64 |
|
| 65 |
+
#: login-security-solution.php:511 tests/LoginMessageTest.php:130
|
| 66 |
+
#: tests/LoginMessageTest.php:145
|
| 67 |
msgid "Please try again later."
|
| 68 |
msgstr ""
|
| 69 |
|
| 70 |
+
#: login-security-solution.php:578
|
| 71 |
msgid "Passwords can not be reused."
|
| 72 |
msgstr ""
|
| 73 |
|
| 74 |
+
#: login-security-solution.php:723
|
| 75 |
msgid "ERROR"
|
| 76 |
msgstr ""
|
| 77 |
|
| 78 |
+
#: login-security-solution.php:843
|
| 79 |
msgid "Component Count Value from Current Attempt"
|
| 80 |
msgstr ""
|
| 81 |
|
| 82 |
+
#: login-security-solution.php:845
|
| 83 |
msgid "Network IP %5d %s"
|
| 84 |
msgstr ""
|
| 85 |
|
| 86 |
+
#: login-security-solution.php:847
|
| 87 |
msgid "Username %5d %s"
|
| 88 |
msgstr ""
|
| 89 |
|
| 90 |
+
#: login-security-solution.php:849
|
| 91 |
msgid "Password MD5 %5d %s"
|
| 92 |
msgstr ""
|
| 93 |
|
| 94 |
+
#: login-security-solution.php:1630
|
| 95 |
msgid "Your website, %s, may have been broken in to."
|
| 96 |
msgstr ""
|
| 97 |
|
| 98 |
+
#: login-security-solution.php:1633
|
| 99 |
msgid ""
|
| 100 |
"Someone just logged in using the following components. Prior to that, some "
|
| 101 |
"combination of those components were a part of %d failed attempts to log in "
|
| 102 |
"during the past %d minutes:"
|
| 103 |
msgstr ""
|
| 104 |
|
| 105 |
+
#: login-security-solution.php:1638
|
| 106 |
msgid ""
|
| 107 |
"The user has been logged out and will be required to confirm their identity "
|
| 108 |
"via the password reset functionality."
|
| 109 |
msgstr ""
|
| 110 |
|
| 111 |
+
#: login-security-solution.php:1667
|
| 112 |
msgid "Your website, %s, is undergoing a brute force attack."
|
| 113 |
msgstr ""
|
| 114 |
|
| 115 |
+
#: login-security-solution.php:1670
|
| 116 |
msgid ""
|
| 117 |
"There have been at least %d failed attempts to log in during the past %d "
|
| 118 |
"minutes that used one or more of the following components:"
|
| 119 |
msgstr ""
|
| 120 |
|
| 121 |
+
#: login-security-solution.php:1675
|
| 122 |
msgid ""
|
| 123 |
"The %s plugin for WordPress is repelling the attack by making their login "
|
| 124 |
"failures take a very long time."
|
| 125 |
msgstr ""
|
| 126 |
|
| 127 |
+
#: login-security-solution.php:1997
|
| 128 |
msgid "Password not set."
|
| 129 |
msgstr ""
|
| 130 |
|
| 131 |
+
#: login-security-solution.php:2012
|
| 132 |
msgid "Passwords must be strings."
|
| 133 |
msgstr ""
|
| 134 |
|
| 135 |
+
#: login-security-solution.php:2030
|
| 136 |
msgid "Passwords must use ASCII characters."
|
| 137 |
msgstr ""
|
| 138 |
|
| 139 |
+
#: login-security-solution.php:2049
|
| 140 |
msgid "Password is too short."
|
| 141 |
msgstr ""
|
| 142 |
|
| 143 |
+
#: login-security-solution.php:2058
|
| 144 |
msgid "Passwords must either contain numbers or be %d characters long."
|
| 145 |
msgstr ""
|
| 146 |
|
| 147 |
+
#: login-security-solution.php:2067
|
| 148 |
msgid ""
|
| 149 |
"Passwords must either contain punctuation marks / symbols or be %d "
|
| 150 |
"characters long."
|
| 151 |
msgstr ""
|
| 152 |
|
| 153 |
+
#: login-security-solution.php:2076
|
| 154 |
msgid ""
|
| 155 |
"Passwords must either contain upper-case and lower-case letters or be %d "
|
| 156 |
"characters long."
|
| 157 |
msgstr ""
|
| 158 |
|
| 159 |
+
#: login-security-solution.php:2086
|
| 160 |
msgid "Passwords can't be sequential keys."
|
| 161 |
msgstr ""
|
| 162 |
|
| 163 |
+
#: login-security-solution.php:2095
|
| 164 |
msgid "Passwords can't have that many sequential characters."
|
| 165 |
msgstr ""
|
| 166 |
|
| 167 |
+
#: login-security-solution.php:2111
|
| 168 |
msgid "Passwords can't contain user data."
|
| 169 |
msgstr ""
|
| 170 |
|
| 171 |
+
#: login-security-solution.php:2122
|
| 172 |
msgid "Passwords can't contain site info."
|
| 173 |
msgstr ""
|
| 174 |
|
| 175 |
+
#: login-security-solution.php:2131
|
| 176 |
msgid "Password is too common."
|
| 177 |
msgstr ""
|
| 178 |
|
| 179 |
+
#: login-security-solution.php:2140
|
| 180 |
msgid "Passwords can't be variations of dictionary words."
|
| 181 |
msgstr ""
|
| 182 |
|
login-security-solution.php
CHANGED
|
@@ -6,7 +6,7 @@
|
|
| 6 |
* Description: Requires very strong passwords, repels brute force login attacks, prevents login information disclosures, expires idle sessions, notifies admins of attacks and breaches, permits administrators to disable logins for maintenance or emergency reasons and reset all passwords.
|
| 7 |
*
|
| 8 |
* Plugin URI: http://wordpress.org/extend/plugins/login-security-solution/
|
| 9 |
-
* Version: 0.
|
| 10 |
* Author: Daniel Convissor
|
| 11 |
* Author URI: http://www.analysisandsolutions.com/
|
| 12 |
* License: GPLv2
|
|
@@ -501,8 +501,7 @@ class login_security_solution {
|
|
| 501 |
$ours .= ' ' . sprintf(__('We provide a %d minute grace period to do so.', self::ID), $this->options['pw_change_grace_period_minutes']);
|
| 502 |
break;
|
| 503 |
case 'pw_reset_bad':
|
| 504 |
-
$ours = __('The password you
|
| 505 |
-
$ours .= ' ' . sprintf(__('We provide a %d minute grace period to do so.', self::ID), $this->options['pw_change_grace_period_minutes']);
|
| 506 |
break;
|
| 507 |
}
|
| 508 |
}
|
|
@@ -540,10 +539,8 @@ class login_security_solution {
|
|
| 540 |
|
| 541 |
$user->user_pass = $user_pass;
|
| 542 |
if (!$this->validate_pw($user)) {
|
| 543 |
-
$this->process_pw_metadata($user->ID, $user_pass);
|
| 544 |
$this->set_pw_force_change($user->ID);
|
| 545 |
-
$this->
|
| 546 |
-
$this->redirect_to_login('pw_reset_bad');
|
| 547 |
return -1;
|
| 548 |
}
|
| 549 |
|
|
@@ -1775,7 +1772,7 @@ class login_security_solution {
|
|
| 1775 |
* @param string $login_msg_id the ID representing the message to
|
| 1776 |
* display above the login form
|
| 1777 |
* @param bool $use_rt use WP's "redirect_to" on successful login?
|
| 1778 |
-
* @param bool $action "login" (default) or "retrievepassword"
|
| 1779 |
* @return void
|
| 1780 |
*
|
| 1781 |
* @uses login_security_solution::$key_login_msg to know which $_GET
|
|
@@ -1803,6 +1800,11 @@ class login_security_solution {
|
|
| 1803 |
}
|
| 1804 |
$uri .= 'action=' . urlencode($action);
|
| 1805 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1806 |
if ($login_msg_id) {
|
| 1807 |
$uri .= '&' . urlencode($this->key_login_msg) . '='
|
| 1808 |
. urlencode($login_msg_id);
|
| 6 |
* Description: Requires very strong passwords, repels brute force login attacks, prevents login information disclosures, expires idle sessions, notifies admins of attacks and breaches, permits administrators to disable logins for maintenance or emergency reasons and reset all passwords.
|
| 7 |
*
|
| 8 |
* Plugin URI: http://wordpress.org/extend/plugins/login-security-solution/
|
| 9 |
+
* Version: 0.9.0
|
| 10 |
* Author: Daniel Convissor
|
| 11 |
* Author URI: http://www.analysisandsolutions.com/
|
| 12 |
* License: GPLv2
|
| 501 |
$ours .= ' ' . sprintf(__('We provide a %d minute grace period to do so.', self::ID), $this->options['pw_change_grace_period_minutes']);
|
| 502 |
break;
|
| 503 |
case 'pw_reset_bad':
|
| 504 |
+
$ours = __('The password you tried to create is not secure. Please try again.', self::ID);
|
|
|
|
| 505 |
break;
|
| 506 |
}
|
| 507 |
}
|
| 539 |
|
| 540 |
$user->user_pass = $user_pass;
|
| 541 |
if (!$this->validate_pw($user)) {
|
|
|
|
| 542 |
$this->set_pw_force_change($user->ID);
|
| 543 |
+
$this->redirect_to_login('pw_reset_bad', false, 'rp');
|
|
|
|
| 544 |
return -1;
|
| 545 |
}
|
| 546 |
|
| 1772 |
* @param string $login_msg_id the ID representing the message to
|
| 1773 |
* display above the login form
|
| 1774 |
* @param bool $use_rt use WP's "redirect_to" on successful login?
|
| 1775 |
+
* @param bool $action "login" (default), "rp", or "retrievepassword"
|
| 1776 |
* @return void
|
| 1777 |
*
|
| 1778 |
* @uses login_security_solution::$key_login_msg to know which $_GET
|
| 1800 |
}
|
| 1801 |
$uri .= 'action=' . urlencode($action);
|
| 1802 |
|
| 1803 |
+
if ($action == 'rp') {
|
| 1804 |
+
$uri .= '&key=' . urlencode(@$_GET['key']);
|
| 1805 |
+
$uri .= '&login=' . urlencode(@$_GET['login']);
|
| 1806 |
+
}
|
| 1807 |
+
|
| 1808 |
if ($login_msg_id) {
|
| 1809 |
$uri .= '&' . urlencode($this->key_login_msg) . '='
|
| 1810 |
. urlencode($login_msg_id);
|
readme.txt
CHANGED
|
@@ -3,8 +3,8 @@ Contributors: convissor
|
|
| 3 |
Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=danielc%40analysisandsolutions%2ecom&lc=US&item_name=Donate%3a%20Login%20Security%20Solution¤cy_code=USD&bn=PP%2dDonationsBF%3abtn_donateCC_LG%2egif%3aNonHosted
|
| 4 |
Tags: login, password, idle, timeout, maintenance, security, attack, hack, lock, ban
|
| 5 |
Requires at least: 3.3
|
| 6 |
-
Tested up to: 3.
|
| 7 |
-
Stable tag: 0.
|
| 8 |
|
| 9 |
Security against brute force attacks by tracking IP, name, password;
|
| 10 |
requiring very strong passwords. Idle timeout. Maintenance mode. Multisite
|
|
@@ -13,14 +13,16 @@ ready!
|
|
| 13 |
|
| 14 |
== Description ==
|
| 15 |
|
| 16 |
-
|
|
|
|
| 17 |
|
| 18 |
* Blocks brute force and dictionary attacks without inconveniencing
|
| 19 |
legitimate users or administrators
|
| 20 |
+ Tracks IP addresses, usernames, and passwords
|
| 21 |
+ If a login failure uses data matching a past failure, the plugin
|
| 22 |
slows down response times. The more failures, the longer the delay.
|
| 23 |
-
This
|
|
|
|
| 24 |
+ If an account seems breached, the "user" is immediately logged out
|
| 25 |
and forced to use WordPress' password reset utility. This prevents
|
| 26 |
any damage from being done and verifies the user's identity. All
|
|
@@ -102,7 +104,8 @@ that pushes malware into your readers' browsers.
|
|
| 102 |
So if your site does get cracked, not only do you waste hours cleaning up,
|
| 103 |
your reputation gets sullied, security software flags your site as dangerous,
|
| 104 |
and worst of all, you've inadvertently helped infect the computers of your
|
| 105 |
-
clients and friends.
|
|
|
|
| 106 |
|
| 107 |
|
| 108 |
== Installation ==
|
|
@@ -255,6 +258,14 @@ then `cd` into that directory and run:
|
|
| 255 |
|
| 256 |
== Changelog ==
|
| 257 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 258 |
= 0.8.0 =
|
| 259 |
* Fix logging user out a second time after WordPress expires cookies.
|
| 260 |
* It turns out this plugin requires WordPress 3.3, not 3.0.
|
| 3 |
Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=danielc%40analysisandsolutions%2ecom&lc=US&item_name=Donate%3a%20Login%20Security%20Solution¤cy_code=USD&bn=PP%2dDonationsBF%3abtn_donateCC_LG%2egif%3aNonHosted
|
| 4 |
Tags: login, password, idle, timeout, maintenance, security, attack, hack, lock, ban
|
| 5 |
Requires at least: 3.3
|
| 6 |
+
Tested up to: 3.4RC3
|
| 7 |
+
Stable tag: 0.9.0
|
| 8 |
|
| 9 |
Security against brute force attacks by tracking IP, name, password;
|
| 10 |
requiring very strong passwords. Idle timeout. Maintenance mode. Multisite
|
| 13 |
|
| 14 |
== Description ==
|
| 15 |
|
| 16 |
+
A simple way to lock down login security for multisite and regular
|
| 17 |
+
WordPress installations.
|
| 18 |
|
| 19 |
* Blocks brute force and dictionary attacks without inconveniencing
|
| 20 |
legitimate users or administrators
|
| 21 |
+ Tracks IP addresses, usernames, and passwords
|
| 22 |
+ If a login failure uses data matching a past failure, the plugin
|
| 23 |
slows down response times. The more failures, the longer the delay.
|
| 24 |
+
This limits attackers ability to effectively probe your site,
|
| 25 |
+
so they'll give up and go find an easier target.
|
| 26 |
+ If an account seems breached, the "user" is immediately logged out
|
| 27 |
and forced to use WordPress' password reset utility. This prevents
|
| 28 |
any damage from being done and verifies the user's identity. All
|
| 104 |
So if your site does get cracked, not only do you waste hours cleaning up,
|
| 105 |
your reputation gets sullied, security software flags your site as dangerous,
|
| 106 |
and worst of all, you've inadvertently helped infect the computers of your
|
| 107 |
+
clients and friends. Oh, and that malware has possibly gotten itself
|
| 108 |
+
into the browser/computer you use for administering your website.
|
| 109 |
|
| 110 |
|
| 111 |
== Installation ==
|
| 258 |
|
| 259 |
== Changelog ==
|
| 260 |
|
| 261 |
+
= 0.9.0 =
|
| 262 |
+
* Fix change that prevented users from logging in after using the password
|
| 263 |
+
reset process with an insecure password. Users can now pick a better
|
| 264 |
+
password right on the spot.
|
| 265 |
+
* Regenerate translation POT file.
|
| 266 |
+
* Tested under WordPress 3.3.2 and 3.4RC3, both using regular and multisite.
|
| 267 |
+
* Unit tests pass using PHP 5.4.0RC8-dev, 5.3.11-dev, and 5.2.18-dev.
|
| 268 |
+
|
| 269 |
= 0.8.0 =
|
| 270 |
* Fix logging user out a second time after WordPress expires cookies.
|
| 271 |
* It turns out this plugin requires WordPress 3.3, not 3.0.
|
tests/LoginFailTest.php
CHANGED
|
@@ -37,6 +37,10 @@ class LoginFailTest extends TestCase {
|
|
| 37 |
public function setUp() {
|
| 38 |
parent::setUp();
|
| 39 |
|
|
|
|
|
|
|
|
|
|
|
|
|
| 40 |
$this->ip = '1.2.3.4';
|
| 41 |
$_SERVER['REMOTE_ADDR'] = $this->ip;
|
| 42 |
$this->network_ip = '1.2.3';
|
| 37 |
public function setUp() {
|
| 38 |
parent::setUp();
|
| 39 |
|
| 40 |
+
if (!$this->is_fail_table_configured()) {
|
| 41 |
+
$this->markTestSkipped("The " . self::$lss->table_fail . " table doesn't exist or isn't using the InnoDB engine. Probably the plugin hasn't been activated.");
|
| 42 |
+
}
|
| 43 |
+
|
| 44 |
$this->ip = '1.2.3.4';
|
| 45 |
$_SERVER['REMOTE_ADDR'] = $this->ip;
|
| 46 |
$this->network_ip = '1.2.3';
|
tests/LoginMessageTest.php
CHANGED
|
@@ -112,13 +112,7 @@ class LoginMessageTest extends TestCase {
|
|
| 112 |
public function test_login_message__pw_reset_bad() {
|
| 113 |
$_GET[self::$lss->key_login_msg] = 'pw_reset_bad';
|
| 114 |
|
| 115 |
-
$
|
| 116 |
-
$options = self::$lss->options;
|
| 117 |
-
$options['pw_change_grace_period_minutes'] = $value;
|
| 118 |
-
self::$lss->options = $options;
|
| 119 |
-
|
| 120 |
-
$ours = __('The password you just created is not secure so must be changed. Use it now to log in then go to your profile page and create a new password.', self::ID);
|
| 121 |
-
$ours .= ' ' . sprintf(__('We provide a %d minute grace period to do so.', self::ID), $value);
|
| 122 |
|
| 123 |
$actual = self::$lss->login_message('input');
|
| 124 |
$this->assertEquals('input' . $this->ours($ours), $actual,
|
| 112 |
public function test_login_message__pw_reset_bad() {
|
| 113 |
$_GET[self::$lss->key_login_msg] = 'pw_reset_bad';
|
| 114 |
|
| 115 |
+
$ours = __('The password you tried to create is not secure. Please try again.', self::ID);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 116 |
|
| 117 |
$actual = self::$lss->login_message('input');
|
| 118 |
$this->assertEquals('input' . $this->ours($ours), $actual,
|
tests/PasswordChangeTest.php
CHANGED
|
@@ -202,24 +202,21 @@ class PasswordChangeTest extends TestCase {
|
|
| 202 |
global $wpdb;
|
| 203 |
|
| 204 |
$bad_pw = 'too simple';
|
|
|
|
|
|
|
| 205 |
|
| 206 |
$expected_error = 'Cannot modify header information';
|
| 207 |
$this->expected_errors($expected_error);
|
| 208 |
self::$location_expected = get_option('siteurl')
|
| 209 |
-
. '/wp-login.php?action=login&'
|
| 210 |
. self::$lss->key_login_msg . '=pw_reset_bad';
|
| 211 |
|
| 212 |
$actual = self::$lss->password_reset($this->user, $bad_pw);
|
| 213 |
$this->assertEquals(-1, $actual, 'password_reset() return.');
|
| 214 |
|
| 215 |
// Check the outcome.
|
| 216 |
-
$actual = self::$lss->
|
| 217 |
-
$this->
|
| 218 |
-
|
| 219 |
-
$actual = self::$lss->is_pw_reused($bad_pw, $this->user->ID);
|
| 220 |
-
$this->assertTrue($actual, 'Password should show up as reused');
|
| 221 |
-
|
| 222 |
-
$this->ensure_grace_and_force_are_populated();
|
| 223 |
|
| 224 |
$wpdb->query('ROLLBACK TO empty');
|
| 225 |
|
| 202 |
global $wpdb;
|
| 203 |
|
| 204 |
$bad_pw = 'too simple';
|
| 205 |
+
$_GET['key'] = 'jk';
|
| 206 |
+
$_GET['login'] = 'ab';
|
| 207 |
|
| 208 |
$expected_error = 'Cannot modify header information';
|
| 209 |
$this->expected_errors($expected_error);
|
| 210 |
self::$location_expected = get_option('siteurl')
|
| 211 |
+
. '/wp-login.php?action=rp&key=jk&login=ab&'
|
| 212 |
. self::$lss->key_login_msg . '=pw_reset_bad';
|
| 213 |
|
| 214 |
$actual = self::$lss->password_reset($this->user, $bad_pw);
|
| 215 |
$this->assertEquals(-1, $actual, 'password_reset() return.');
|
| 216 |
|
| 217 |
// Check the outcome.
|
| 218 |
+
$actual = self::$lss->get_pw_force_change($this->user->ID);
|
| 219 |
+
$this->assertTrue($actual, 'Force change should not be cleared.');
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 220 |
|
| 221 |
$wpdb->query('ROLLBACK TO empty');
|
| 222 |
|
tests/TestCase.php
CHANGED
|
@@ -258,14 +258,10 @@ abstract class TestCase extends PHPUnit_Framework_TestCase {
|
|
| 258 |
|
| 259 |
$opt = $wpdb->get_row("SHOW CREATE TABLE `$wpdb->options`", ARRAY_N);
|
| 260 |
$usr = $wpdb->get_row("SHOW CREATE TABLE `$wpdb->usermeta`", ARRAY_N);
|
| 261 |
-
$fail = $wpdb->get_row("SHOW CREATE TABLE `"
|
| 262 |
-
. self::$lss->table_fail . "`", ARRAY_N);
|
| 263 |
|
| 264 |
return (
|
| 265 |
strpos($opt[1], 'ENGINE=InnoDB')
|
| 266 |
&& strpos($usr[1], 'ENGINE=InnoDB')
|
| 267 |
-
&& !empty($fail)
|
| 268 |
-
&& strpos($fail[1], 'ENGINE=InnoDB')
|
| 269 |
);
|
| 270 |
}
|
| 271 |
|
|
@@ -311,6 +307,22 @@ abstract class TestCase extends PHPUnit_Framework_TestCase {
|
|
| 311 |
set_error_handler(array(&$this, 'expected_errors_handler'));
|
| 312 |
}
|
| 313 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 314 |
/**
|
| 315 |
* @see TestCase::expected_errors()
|
| 316 |
*/
|
| 258 |
|
| 259 |
$opt = $wpdb->get_row("SHOW CREATE TABLE `$wpdb->options`", ARRAY_N);
|
| 260 |
$usr = $wpdb->get_row("SHOW CREATE TABLE `$wpdb->usermeta`", ARRAY_N);
|
|
|
|
|
|
|
| 261 |
|
| 262 |
return (
|
| 263 |
strpos($opt[1], 'ENGINE=InnoDB')
|
| 264 |
&& strpos($usr[1], 'ENGINE=InnoDB')
|
|
|
|
|
|
|
| 265 |
);
|
| 266 |
}
|
| 267 |
|
| 307 |
set_error_handler(array(&$this, 'expected_errors_handler'));
|
| 308 |
}
|
| 309 |
|
| 310 |
+
/**
|
| 311 |
+
* Determines if the fail tabe exists and uses InnoDB
|
| 312 |
+
* @return bool
|
| 313 |
+
*/
|
| 314 |
+
protected static function is_fail_table_configured() {
|
| 315 |
+
global $wpdb;
|
| 316 |
+
|
| 317 |
+
$fail = $wpdb->get_row("SHOW CREATE TABLE `"
|
| 318 |
+
. self::$lss->table_fail . "`", ARRAY_N);
|
| 319 |
+
|
| 320 |
+
return (
|
| 321 |
+
!empty($fail)
|
| 322 |
+
&& strpos($fail[1], 'ENGINE=InnoDB')
|
| 323 |
+
);
|
| 324 |
+
}
|
| 325 |
+
|
| 326 |
/**
|
| 327 |
* @see TestCase::expected_errors()
|
| 328 |
*/
|
