Context Navigation

← Previous Changeset
Next Changeset →

Changeset 327790

Timestamp:

01/01/2011 08:32:40 PM (15 years ago)

Author:

johanee

Message:

Version 1.6.0

Location:

limit-login-attempts

Files:

: 1 deleted
: 6 edited
: 1 copied

tags/1.6.0 (copied) (copied from limit-login-attempts/tags/1.5.2)
tags/1.6.0/limit-login-attempts.php (modified) (18 diffs)
tags/1.6.0/readme.txt (modified) (5 diffs)
tags/1.6.0/screenshot-3.gif (modified) (previous)
tags/1.6.0/screenshot-4.gif (deleted)
trunk/limit-login-attempts-registrations.php (modified) (1 diff)
trunk/limit-login-attempts.php (modified) (3 diffs)
trunk/readme.txt (modified) (8 diffs)

Legend:

: Unmodified
: Added
: Removed

limit-login-attempts/tags/1.6.0/limit-login-attempts.php

-                      r298432
+                      r327790
   Author: Johan Eenfeldt
   Author URI: http://devel.kostdoktorn.se
   Version: 1.5.2
   Copyright 2008, 2009, 2010 Johan Eenfeldt
   Thanks to Michael Skerwiderski for reverse proxy handling.
+  Version: 1.6.0
+  Copyright 2008 - 2011 Johan Eenfeldt
+  Thanks to Michael Skerwiderski for reverse proxy handling suggestions.
   Licenced under the GNU GPL:
 …
           /* Reset failed attempts after this many seconds */
+          , 'valid_duration' => 86400 // 24 hours
+          /* Also limit malformed/forged cookies?
+           *
+           * NOTE: Only works in WP 2.7+, as necessary actions were added then.
+           */
+          , 'valid_duration' => 43200 // 12 hours
+          /* Also limit malformed/forged cookies? */
           , 'cookies' => true
 …
 /* Get options and setup filters & actions */
 function limit_login_setup() {
     load_plugin_textdomain('limit-login-attempts'
                    , PLUGINDIR.'/'.dirname(plugin_basename(__FILE__)));
+    load_plugin_textdomain('limit-login-attempts', false
+                   , dirname(plugin_basename(__FILE__)));
     limit_login_setup_options();
 …
+    }
+    if (empty($_COOKIE[AUTH_COOKIE]) && empty($_COOKIE[SECURE_AUTH_COOKIE])
+        && empty($_COOKIE[LOGGED_IN_COOKIE])) {
+        return;
+    }
+    limit_login_clear_auth_cookie();
+}
+/* Action: failed cookie login wrapper for limit_login_failed() */
+function limit_login_failed_cookie($cookie_elements) {
+    limit_login_clear_auth_cookie();
+    limit_login_failed($cookie_elements['username']);
+}
+/* Make sure auth cookie really get cleared (for this session too) */
+function limit_login_clear_auth_cookie() {
     wp_clear_auth_cookie();
 …
         $_COOKIE[LOGGED_IN_COOKIE] = '';
+    }
+}
-/* Action: failed cookie login wrapper for limit_login_failed() */
-function limit_login_failed_cookie($arg) {
-    limit_login_failed($arg);
-    wp_clear_auth_cookie();
+}
 …
  * lockout if nr of retries are above threshold. And more!
  */
 function limit_login_failed($arg) {
+function limit_login_failed($username) {
     $ip = limit_login_get_address();
 …
+    }
-    /* try to find username which failed */
-    $user = '';
-    if (is_string($arg)) {
-        /* action: wp_login_failed */
-        $user = $arg;
-    } elseif (is_array($arg) && array_key_exists('username', $arg)) {
-        /* action: auth_cookie_bad_* */
-        $user = $arg['username'];
+    }
     /* do housecleaning and save values */
     limit_login_cleanup($retries, $lockouts, $valid);
     /* do any notification */
     limit_login_notify($user);
+    limit_login_notify($username);
     /* increase statistics */
 …
         $lockouts = limit_login_option('allowed_lockouts');
         $time = round(limit_login_option('long_duration') / 3600);
         $when = sprintf(__ngettext('%d hour', '%d hours', $time, 'limit-login-attempts'), $time);
+        $when = sprintf(_n('%d hour', '%d hours', $time, 'limit-login-attempts'), $time);
     } else {
         /* normal lockout */
 …
         $lockouts = floor($count / limit_login_option('allowed_retries'));
         $time = round(limit_login_option('lockout_duration') / 60);
         $when = sprintf(__ngettext('%d minute', '%d minutes', $time, 'limit-login-attempts'), $time);
+        $when = sprintf(_n('%d minute', '%d minutes', $time, 'limit-login-attempts'), $time);
+    }
 …
     if ($when > 60) {
         $when = ceil($when / 60);
         $msg .= sprintf(__ngettext('Please try again in %d hour.', 'Please try again in %d hours.', $when, 'limit-login-attempts'), $when);
+        $msg .= sprintf(_n('Please try again in %d hour.', 'Please try again in %d hours.', $when, 'limit-login-attempts'), $when);
     } else {
         $msg .= sprintf(__ngettext('Please try again in %d minute.', 'Please try again in %d minutes.', $when, 'limit-login-attempts'), $when);
+        $msg .= sprintf(_n('Please try again in %d minute.', 'Please try again in %d minutes.', $when, 'limit-login-attempts'), $when);
+    }
 …
     $remaining = max((limit_login_option('allowed_retries') - ($retries[$ip] % limit_login_option('allowed_retries'))), 0);
     return sprintf(__ngettext("<strong>%d</strong> attempt remaining.", "<strong>%d</strong> attempts remaining.", $remaining, 'limit-login-attempts'), $remaining);
+    return sprintf(_n("<strong>%d</strong> attempt remaining.", "<strong>%d</strong> attempts remaining.", $remaining, 'limit-login-attempts'), $remaining);
+}
 …
  * Admin stuff
  */
-/* Does wordpress version support cookie option? */
-function limit_login_support_cookie_option() {
-    global $wp_version;
-    return (version_compare($wp_version, '2.7', '>='));
+}
 /* Make a guess if we are behind a proxy or not */
 …
     limit_login_sanitize_simple_int('long_duration');
+    $limit_login_options['cookies'] = !!limit_login_option('cookies');
     $notify_email_after = max(1, intval(limit_login_option('notify_email_after')));
     $limit_login_options['notify_email_after'] = min(limit_login_option('allowed_lockouts'), $notify_email_after);
 …
     $limit_login_options['lockout_notify'] = implode(',', $new_args);
-    $cookies = limit_login_option('cookies')
-        && limit_login_support_cookie_option() ? true : false;
-    $limit_login_options['cookies'] = $cookies;
     if ( limit_login_option('client_type') != LIMIT_LOGIN_DIRECT_ADDR
          && limit_login_option('client_type') != LIMIT_LOGIN_PROXY_ADDR ) {
 …
+    }
     echo('<tr><th scope="col">' . _c("IP|Internet address", 'limit-login-attempts') . '</th><th scope="col">' . __('Tried to log in as', 'limit-login-attempts') . '</th></tr>');
+    echo('<tr><th scope="col">' . _x("IP", "Internet address", 'limit-login-attempts') . '</th><th scope="col">' . __('Tried to log in as', 'limit-login-attempts') . '</th></tr>');
     foreach ($log as $ip => $arr) {
         echo('<tr><td class="limit-login-ip">' . $ip . '</td><td class="limit-login-max">');
         $first = true;
         foreach($arr as $user => $count) {
             $count_desc = sprintf(__ngettext('%d lockout', '%d lockouts', $count, 'limit-login-attempts'), $count);
+            $count_desc = sprintf(_n('%d lockout', '%d lockouts', $count, 'limit-login-attempts'), $count);
             if (!$first) {
                 echo(', ' . $user . ' (' .  $count_desc . ')');
 …
     $lockouts_now = is_array($lockouts) ? count($lockouts) : 0;
-    if (!limit_login_support_cookie_option()) {
-        $cookies_disabled = ' DISABLED ';
-        $cookies_note = ' <br /> '
-            . __('<strong>NOTE:</strong> Only works in Wordpress 2.7 or later'
-                 , 'limit-login-attempts');
-    } else {
-        $cookies_disabled = '';
-        $cookies_note = '';
+    }
     $cookies_yes = limit_login_option('cookies') ? ' checked ' : '';
     $cookies_no = limit_login_option('cookies') ? '' : ' checked ';
 …
               <?php if ($lockouts_total > 0) { ?>
               <input name="reset_total" value="<?php echo __('Reset Counter','limit-login-attempts'); ?>" type="submit" />
               <?php echo sprintf(__ngettext('%d lockout since last reset', '%d lockouts since last reset', $lockouts_total, 'limit-login-attempts'), $lockouts_total); ?>
+              <?php echo sprintf(_n('%d lockout since last reset', '%d lockouts since last reset', $lockouts_total, 'limit-login-attempts'), $lockouts_total); ?>
               <?php } else { echo __('No lockouts yet','limit-login-attempts'); } ?>
             </td>
 …
             <th scope="row" valign="top"><?php echo __('Handle cookie login','limit-login-attempts'); ?></th>
             <td>
+              <label><input type="radio" name="cookies" <?php echo $cookies_disabled . $cookies_yes; ?> value="1" /> <?php echo __('Yes','limit-login-attempts'); ?></label> <label><input type="radio" name="cookies" <?php echo $cookies_disabled . $cookies_no; ?> value="0" /> <?php echo __('No','limit-login-attempts'); ?></label>
+              <?php echo $cookies_note ?>
+              <label><input type="radio" name="cookies" <?php echo $cookies_yes; ?> value="1" /> <?php echo __('Yes','limit-login-attempts'); ?></label> <label><input type="radio" name="cookies" <?php echo $cookies_no; ?> value="0" /> <?php echo __('No','limit-login-attempts'); ?></label>
             </td>
           </tr>

limit-login-attempts/tags/1.6.0/readme.txt

-                      r298432
+                      r327790
 Contributors: johanee
 Tags: login, security, authentication
 Requires at least: 2.5
 Tested up to: 3.0.1
 Stable tag: 1.5.2
+Requires at least: 2.8
+Tested up to: 3.1-RC1
+Stable tag: 1.6.0
 Limit rate of login attempts, including by way of cookies, for each IP.
 …
 == Description ==
 Limit the number of login attempts possible both through normal login as well as (WordPress 2.7+) using auth cookies.
+Limit the number of login attempts possible both through normal login as well as using auth cookies.
 By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.
 …
 * Limit the number of retry attempts when logging in (for each IP). Fully customizable
 * (WordPress 2.7+) Limit the number of attempts to log in using auth cookies in same way
+* Limit the number of attempts to log in using auth cookies in same way
 * Informs user about remaining retries or lockout time on login page
 * Optional logging, optional email notification
 …
 == Installation ==
 . Download and extract plugin files to a folder in your wp-content/plugin directory.
+. Download and extract plugin files to a wp-content/plugin directory.
 . Activate the plugin through the WordPress admin interface.
 . Customize the settings from the options page, if desired. If your server is located behind a reverse proxy make sure to change this setting.
+. Customize the settings on the options page, if desired. If your server is located behind a reverse proxy make sure to change this setting.
 If you have any questions or problems please make a post here: http://wordpress.org/tags/limit-login-attempts
 == Frequently Asked Questions ==
+= Why not reset failed attempts on a successful login? =
+This is very much by design. Otherwise you could brute force the "admin" password by logging in as your own user every 4th attempt.
 = What is this option about site connection and reverse proxy? =
 …
 . Loginscreen after failed login with retries remaining
 . Loginscreen during lockout
+. Administration interface in WordPress 2.7
+. Administration interface in WordPress 2.5
+. Administration interface in WordPress 3.0.4
 == Changelog ==
+= 1.6.0 =
+* Happy New Year
+* Tested against WordPress 3.1-RC1
+* Plugin now requires WordPress version 2.8+. Of course you should never ever use anything but the latest version
+* Fixed deprecation warnings that had been piling up with the old version requirement. Thanks to Johannes Ruthenberg for the report that prompted this
+* Removed auth cookie admin check for version 2.7.
+* Make sure relevant values in $_COOKIE get cleared right away on auth cookie validation failure. There are still some problems with cookie auth handling. The lockout can trigger prematurely in rare cases, but fixing it is plugin version 2 stuff unfortunately.
+* Changed default time for retries to reset from 24 hours to 12 hours. The security impact is very minor and it means the warning will disappear "overnight"
+* Added question to FAQ ("Why not reset failed attempts on a successful login?")
+* Updated screenshots
 = 1.5.2 =

limit-login-attempts/trunk/limit-login-attempts-registrations.php

r298432	r327790
111	111	limit_login_store_array('registrations_valid', $valid);
112	112
113		/* ~~increase statistics?~~ */
	113	/* registration lockout? increase statistics */
114	114	if ($regs[$ip] >= limit_login_option('register_allowed'))
115	115	limit_login_statistic_inc('reg_lockouts_total');

limit-login-attempts/trunk/limit-login-attempts.php

-                      r298432
+                      r327790
     wp_clear_auth_cookie();
+}
+/*
+function limit_login_add_user_cookieinfo($cookie_elements) {
+    $username = $cookie_elements['username'];
+    $user = get_userdatabylogin($username);
+    if (!$user) {
+        return false;
+    }
+    $cookieinfo = array('expiration' => $cookie_elements['expiration']
+                , 'hmac' => $cookie_elements['hmac']);
+    update_user_meta($user->ID, 'limit_login_cookieinfo', $cookieinfo);
+}
+function limit_login_get_user_cookieinfo($username) {
+    $user = get_userdatabylogin($username);
+    if (!$user) {
+        return false;
+    }
+    $meta = get_user_meta(
+}
+ */
 /*
 …
      * Log format:
      * [ip][0] time of last attempt
      * [ip][1][user_name] number of attempts
+     * [ip][1][user_name] number of lockouts for username
      */
     if (isset($log[$ip])) {
 …
     $a = get_option($real_array_name);
+    if (!is_array($a)) {
+        $a = array();
+        $autoload = limit_login_is_array_autoload($array_name) ? 'yes' : 'no';
+        add_option($real_array_name, $a, '', $autoload);
+    }
+    if (is_array($a))
+        return $a;
+    $a = array();
+    $autoload = limit_login_is_array_autoload($array_name) ? 'yes' : 'no';
+    add_option($real_array_name, $a, '', $autoload);
     return $a;

limit-login-attempts/trunk/readme.txt

-                      r298432
+                      r327790
 Requires at least: 2.8
 Tested up to: 3.0.1
 Stable tag: 1.5.2
 Limit rate of login attempts for each IP. Also protect new user registration, password resets and more.
+Stable tag: 1.6.0
+Limit rate of login attempts for each IP. Additional security for new user registrations, password resets and more.
 == Description ==
 THIS IS A BETA VERSION!
+Additional security features for many parts of user handling: login, signup, password reset and more.
 Limit the number of login attempts possible both through normal login as well as using auth cookies.
 …
 * Limit the number of retry attempts when logging in (for each IP). Fully customizable
 * Optional logging and email notification
 * (WordPress 2.7+) Handles attempts to log in using auth cookies
 * Helps protect user login names from discovery
 * Informs user about remaining retries or lockout time on login page
 * (Wordpress 2.6.5+) Optional restrictions on password reset attempts for privileged users
 * Optional rate limit on new user registration
+* Handles attempts to log in using auth cookies
+* Help protect user login names from discovery
+* Show remaining retries or lockout time on login page
+* Optional restrictions of password resets for privileged users
+* Optional rate limit of new user registration
 * Allows modification of privileged users Author URL name ("nicename")
 * Handles server behind reverse proxy
+Translations: Bulgarian, Brazilian Portuguese, Catalan, Chinese (Traditional), Czech, Dutch, French, Finnish, German, Hungarian, Norwegian, Persian, Romanian, Russian, Spanish, Swedish, Turkish
+Translations: Bulgarian, Catalan*, Czech*, German*, Norwegian*, Persian*, Romanian*, Russian*, Spanish, Swedish, Turkish*
+(* = translation not yet updated to plugin version 2)
+Translations: Bulgarian, Brazilian Portuguese, Catalan, Chinese (Traditional), Czech, Dutch, French, Finnish, German, Hungarian, Norwegian, Persian, Romanian, Russian, Spanish, Swedish, Turkish. (Most translations not yet updated to plugin version 2.)
 Plugin uses standard actions and filters only.
 …
 If you have ftp / ssh access to the site rename the file `wp-content/plugins/limit-login-attempts/limit-login-attempts.php` to deactivate the plugin.
+If you have access to the database (for example through phpMyAdmin) you can clear the `limit_login_lockouts` option in the wordpress options table. In a default setup this would work: `UPDATE wp_options SET option_value = '' WHERE option_name = 'limit_login_lockouts'`
+If you have access to the database (for example through phpMyAdmin) you can clear the `limit_login_lockouts` option in the wordpress options table.
+Don't do this unless you know what you are doing.
+In a default setup this would work: `UPDATE wp_options SET option_value = '' WHERE option_name = 'limit_login_lockouts'`
 = Why the privileged users list? Why are some names marked? =
 …
 = I disabled password reset for administrators and forgot my password, what do I do? =
+If you have ftp / ssh access look at the answer regarding being locked out above.
+If you have access to the database (for example through phpMyAdmin) you can clear the `limit_login_reset_min_role` option in the wordpress options table. In a default setup this would work: `UPDATE wp_options SET option_value = '' WHERE option_name = 'limit_login_reset_min_role'`
+If you have ftp / ssh access look at the answer regarding being locked out above to disable plugin.
+If you have access to the database (for example through phpMyAdmin) you can remove the plugin options value. This will revert settiongs to defaults which allow password reset using account e-mail (for privileged users).
+Plugin options are stored in `limit_login_options` option in the wordpress options table. You can remove this in a default setup using: `DELETE FROM wp_options WHERE option_name = 'limit_login_options'`. PLEASE BE CAREFUL OR YOU WILL SCREW UP YOUR WORDPRESS INSTALL!
+Truly advanced users can edit the 'disable_pwd_reset' entry in the serialized array of course.
 == Screenshots ==
 …
 * split admin page?
+* improve user rename (clear cache, ...)
+* remove user name editing, have to think some more on this
+* escape all translated strings
 * Re-re-check: user login name protection, track nonempty_credentials
 …
 * make dashboard text better
+* show when old translation
 * TEST TEST TEST TEST
 …
 * Update screenshots
 * Update site
+* track registrations
+* track last login
 == Change Log ==
 …
 * Only autoload the necessary option table entries
 * Log time of last lockout for each IP in log; keep track of last increase + last clear for statistics
 * Forward-merged changes from version 1.5 and 1.5.1
+* Forward-merged changes from versions 1.5 - 1.5.2
 * Move translations to separate directories
 * Updated Swedish translation

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Download in other formats: