Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3356220

Timestamp:

09/04/2025 04:17:05 PM (6 months ago)

Author:

axanet

Message:

Fixed: Login security improvements
Version update 1.1.2

Location:

axanet-tools/trunk

Files:

: 3 edited

README.md (modified) (2 diffs)
axanet-tools.php (modified) (2 diffs)
includes/login-security.php (modified) (14 diffs)

Legend:

: Unmodified
: Added
: Removed

axanet-tools/trunk/README.md

-                      r3356074
+                      r3356220
 Tested up to: 6.8
 Requires PHP: 8.0
 Stable tag: 1.1.1
+Stable tag: 1.1.2
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 …
 == Changelog ==
+= 1.1.2 =
+* Fixed: Login security improvements
 = 1.1.1 =
 * Fixed: Login security improvements

axanet-tools/trunk/axanet-tools.php

-                      r3356074
+                      r3356220
 Plugin Name: axanet Tools
 Description: Essential tools to edit login logo and login security, disable comments site-wide with optional deletion, disable system pages, manage admin bar visibility, search & replace database strings, clean up database and control maintenance mode.
 Version: 1.1.1
+Version: 1.1.2
 Author: axanet GmbH
 Author URI: https://axanet.ch
 …
 if ( ! defined( 'ABSPATH' ) ) exit;
 define( 'AXANET_TOOLS_VERSION', '1.1.1' );
+define( 'AXANET_TOOLS_VERSION', '1.1.2' );
 define( 'AXANET_TOOLS_PATH', plugin_dir_path( __FILE__ ) );
 define( 'AXANET_TOOLS_URL', plugin_dir_url( __FILE__ ) );

axanet-tools/trunk/includes/login-security.php

-                      r3356074
+                      r3356220
  */
+if ( ! defined( 'ABSPATH' ) ) exit;
+if ( ! defined( 'ABSPATH' ) ) {
+    exit;
+}
 /**
 …
 /**
  * Get user IP
+ * Get user IP with validation
  */
 function axanet_login_security_get_ip() {
+    if ( ! empty( $_SERVER['REMOTE_ADDR'] ) ) {
+        return sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) );
+    }
+    return false;
+    $ip = '';
+    $forwarded = filter_input( INPUT_SERVER, 'HTTP_X_FORWARDED_FOR', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
+    if ( ! empty( $forwarded ) ) {
+        $ip_chain = explode( ',', $forwarded );
+        $ip       = trim( $ip_chain[0] );
+    } else {
+        $client_ip = filter_input( INPUT_SERVER, 'HTTP_CLIENT_IP', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
+        $remote_ip = filter_input( INPUT_SERVER, 'REMOTE_ADDR', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
+        if ( ! empty( $client_ip ) ) {
+            $ip = $client_ip;
+        } elseif ( ! empty( $remote_ip ) ) {
+            $ip = $remote_ip;
+        }
+    }
+    return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : false;
+}
 …
     $settings = axanet_login_security_get_settings();
     $key      = 'axanet_login_fail_' . md5( $ip );
+    $key      = 'axanet_login_fail_' . preg_replace( '/[^a-zA-Z0-9_]/', '_', $ip );
     $fails    = (int) get_transient( $key );
 …
     if ( $fails >= $settings['attempts'] ) {
         // Block IP
         $block_key = 'axanet_blocked_' . md5( $ip );
+        $block_key = 'axanet_blocked_' . preg_replace( '/[^a-zA-Z0-9_]/', '_', $ip );
         set_transient( $block_key, true, $settings['block_time'] * MINUTE_IN_SECONDS );
         // Save in blocked list for admin UI
         $blocked = get_option( 'axanet_blocked_ips', [] );
+        $blocked        = get_option( 'axanet_blocked_ips', [] );
         $blocked[ $ip ] = [
             'blocked_until' => time() + ( $settings['block_time'] * MINUTE_IN_SECONDS ),
 …
 /**
+ * Clear failed attempts on successful login
+ */
+function axanet_login_security_clear_failed_attempts( $username ) {
+    if ( ! axanet_login_security_is_enabled() ) {
+        return;
+    }
+    $ip = axanet_login_security_get_ip();
+    if ( $ip ) {
+        $key = 'axanet_login_fail_' . preg_replace( '/[^a-zA-Z0-9_]/', '_', $ip );
+        delete_transient( $key );
+    }
+}
+add_action( 'wp_login', 'axanet_login_security_clear_failed_attempts' );
+/**
  * Check if IP is blocked
  */
 …
+    }
     $block_key = 'axanet_blocked_' . md5( $ip );
+    $block_key = 'axanet_blocked_' . preg_replace( '/[^a-zA-Z0-9_]/', '_', $ip );
     return (bool) get_transient( $block_key );
+}
 …
     if ( axanet_login_security_is_ip_blocked() ) {
         wp_die(
             __( 'Too many failed login attempts. Please try again later.', 'axanet-tools' ),
             __( 'Blocked', 'axanet-tools' ),
+            esc_html__( 'Too many failed login attempts. Please try again later.', 'axanet-tools' ),
+            esc_html__( 'Blocked', 'axanet-tools' ),
             [ 'response' => 403 ]
         );
 …
  * Block REST API logins from blocked IPs
  */
+function axanet_login_security_block_rest( $user, $username, $password ) {
+function axanet_login_security_block_rest( $result ) {
+    if ( ! empty( $result ) ) {
+        return $result; // skip if already blocked
+    }
     if ( axanet_login_security_is_ip_blocked() ) {
         return new WP_Error(
 …
         );
+    }
-    return $user;
+}
-add_filter( 'rest_authentication_errors', function( $result ) {
-    if ( ! empty( $result ) ) {
-        return $result; // skip if already blocked
+    }
-    if ( axanet_login_security_is_ip_blocked() ) {
-        return new WP_Error(
-            'axanet_blocked',
-            __( 'Too many failed login attempts. Please try again later.', 'axanet-tools' ),
-            [ 'status' => 403 ]
-        );
+    }
     return $result;
+});
+}
+add_filter( 'rest_authentication_errors', 'axanet_login_security_block_rest' );
 /**
  * Handle failed REST API login attempts
  */
 add_filter( 'determine_current_user', function( $user_id ) {
+function axanet_login_security_rest_failed( $user_id ) {
     if ( ! axanet_login_security_is_enabled() ) {
         return $user_id;
 …
     // If REST login attempt failed, register it
     if ( defined( 'REST_REQUEST' ) && REST_REQUEST && empty( $user_id ) ) {
+        $username = sanitize_text_field( wp_unslash( $_REQUEST['username'] ?? '' ) );
+        $username = '';
+        if ( ! empty( $_SERVER['PHP_AUTH_USER'] ) ) {
+            $username = sanitize_text_field( wp_unslash( $_SERVER['PHP_AUTH_USER'] ) );
+        // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Nonce verification is not applicable for REST API login requests.
+        } elseif ( ! empty( $_REQUEST['username'] ) ) {
+        // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Nonce verification is not applicable for REST API login requests.
+            $username = sanitize_text_field( wp_unslash( $_REQUEST['username'] ) );
+        }
         if ( $username ) {
             axanet_login_security_register_failed_attempt( $username );
 …
     return $user_id;
+}, 100 );
+}
+add_filter( 'determine_current_user', 'axanet_login_security_rest_failed', 100 );
+/**
+ * Cleanup expired blocked IPs from the list
+ */
+function axanet_login_security_cleanup_blocked_ips() {
+    $blocked      = get_option( 'axanet_blocked_ips', [] );
+    $current_time = time();
+    $changed      = false;
+    foreach ( $blocked as $ip => $data ) {
+        if ( $data['blocked_until'] < $current_time ) {
+            unset( $blocked[ $ip ] );
+            $changed = true;
+        }
+    }
+    if ( $changed ) {
+        update_option( 'axanet_blocked_ips', $blocked );
+    }
+}
 /**
 …
+    }
+    // Cleanup expired blocked IPs on admin page load
+    axanet_login_security_cleanup_blocked_ips();
     $is_enabled = axanet_login_security_is_enabled();
 …
         $action = isset( $_POST['login_security_action'] ) ? sanitize_text_field( wp_unslash( $_POST['login_security_action'] ) ) : '';
         if ( $action === 'enable' ) {
+        if ( 'enable' === $action ) {
             update_option( 'axanet_login_security_enabled', 1 );
             $is_enabled = true;
             echo '<div class="notice notice-success"><p>' . esc_html__( 'Login Security enabled.', 'axanet-tools' ) . '</p></div>';
         } elseif ( $action === 'disable' ) {
+        } elseif ( 'disable' === $action ) {
             update_option( 'axanet_login_security_enabled', 0 );
             $is_enabled = false;
 …
     if ( isset( $_POST['axanet_unlock_ip'] ) && check_admin_referer( 'axanet_login_security_unlock' ) ) {
         $ip = isset( $_POST['ip'] ) ? sanitize_text_field( wp_unslash( $_POST['ip'] ) ) : '';
         if ( $ip ) {
+        if ( $ip && filter_var( $ip, FILTER_VALIDATE_IP ) ) {
             $blocked = get_option( 'axanet_blocked_ips', [] );
             if ( isset( $blocked[ $ip ] ) ) {
                 unset( $blocked[ $ip ] );
                 update_option( 'axanet_blocked_ips', $blocked );
+                delete_transient( 'axanet_blocked_' . md5( $ip ) );
+                echo '<div class="notice notice-success"><p>' . esc_html( sprintf( esc_html__( 'IP %s has been unblocked.', 'axanet-tools' ), $ip ) ) . '</p></div>';
+                $block_key = 'axanet_blocked_' . preg_replace( '/[^a-zA-Z0-9_]/', '_', $ip );
+                delete_transient( $block_key );
+                /* translators: %s: IP address */
+                echo '<div class="notice notice-success"><p>' . esc_html( sprintf( __( 'IP %s has been unblocked.', 'axanet-tools' ), $ip ) ) . '</p></div>';
+            }
+        }

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Download in other formats: