Changeset 347910
- Timestamp:
- 02/20/2011 12:45:05 AM (15 years ago)
- Location:
- ttc-wordpress-security-plugin/trunk
- Files:
-
- 2 edited
-
readme.txt (modified) (1 diff)
-
ttc_security.php (modified) (17 diffs)
ttc-wordpress-security-plugin/trunk/readme.txt
r257566 r347910 3 3 Tags: bots, scrapers, cross-site scripting, block agents, block ip, security 4 4 Requires at least: 2.5 5 Tested up to: 2.5.16 Stable tag: 2. 55 Tested up to: 3.0.5 6 Stable tag: 2.6 7 7 8 8 This plugin blocks scrapers, cross-site scripting attempts, and other ill behaved bots. This is the second of three security plugins. -
ttc-wordpress-security-plugin/trunk/ttc_security.php
r257566 r347910 3 3 /* 4 4 Plugin Name: TimesToCome Security Plugin 5 Version: 2. 55 Version: 2.6 6 6 Plugin URI: http://herselfswebtools.com/2008/06/wordpress-security-plugin-block-scrapers-hackers-and-more.html 7 7 Description: Security plugin for Wordpress … … 16 16 // Instead of an error page, bots are now re-routed to main page 17 17 // if you'd rather send bots to error pages see notes below 18 // to prevent yourself from being blocked change 127.0.0.1 to your ip and uncomment ~120 //don't ban ourselves 18 // 19 // to prevent yourself from being blocked change 127.0.0.1 to your ip ~ line 120 or so 20 // 19 21 // ************************************************************************************************************ 20 22 // NOTES TO CODERS: 23 // Several people have asked to use this as a base to make their own security plugins 24 // Please feel free - you don't need my permission. I wrote this because I needed it and 25 // if you create a better one I think that is wonderful. 26 // 27 // Consider this code to be under the MIT license http://en.wikipedia.org/wiki/MIT_License 28 // 29 // If you do write a new improved version let me know I'll be happy post a link on the website. 30 // ************************************************************************************************************ 31 32 21 33 // ************************************************************************************************************ 22 34 //version 2.5 fixes menu options for wp 3.0 23 35 // ************************************************************************************************************ 24 25 26 27 36 //Feb. 
2011 version 2.6 clean up, speed up, 37 // ************************************************************************************************************ 38 39 40 // globals 41 $wpdb; 42 $ttc_wpdb_prefix = $wpdb->prefix; 43 44 // server variables 45 $http_accept = $_SERVER['HTTP_ACCEPT']; 46 $http_remote_addr = $_SERVER['REMOTE_ADDR']; 47 $http_local_addr = $_SERVER['SERVER_ADDR']; 48 $http_user_agent = $_SERVER['HTTP_USER_AGENT']; 49 $request_time = $_SERVER['REQUEST_TIME']; 50 $request_uri = $_SERVER['REQUEST_URI']; 51 $request_method = $_SERVER['REQUEST_METHOD']; 52 53 // ttc variables 54 $log_table_name = $ttc_wpdb_prefix . "ttc_security_log"; 55 $ip_table_name = $ttc_wpdb_prefix . "ttc_ip_blacklist"; 56 $agent_table_name = $ttc_wpdb_prefix . "ttc_agent_blacklist"; 57 $request_table_name = $ttc_wpdp_prefix . "ttc_request_blacklist"; 58 59 60 28 61 // check out who is visiting us 29 62 function ttc_security() 30 63 { 31 32 // wordpress database prefix if any 33 global $wpdb; 34 64 // database info 65 global $wpdb; 66 global $ttc_wpdb_prefix; 67 global $log_table_name; 68 global $ip_table_name; 69 global $agent_table_name; 70 global $request_table_name; 71 72 35 73 // server variables 36 $http_accept = $_SERVER['HTTP_ACCEPT'];37 $http_remote_addr = $_SERVER['REMOTE_ADDR'];38 $http_local_addr = $_SERVER['SERVER_ADDR'];39 $http_user_agent = $_SERVER['HTTP_USER_AGENT'];40 $request_time = $_SERVER['REQUEST_TIME'];41 $request_uri = $_SERVER['REQUEST_URI'];42 $request_method = $_SERVER['REQUEST_METHOD'];74 global $http_accept; 75 global $http_remote_addr; 76 global $http_local_addr; 77 global $http_user_agent; 78 global $request_time; 79 global $request_uri; 80 global $request_method; 43 81 44 82 // local variables 45 83 $blacklisted = 0; 46 $log_table_name = $wpdb->prefix . "ttc_security_log"; 47 $ip_table_name = $wpdb->prefix . "ttc_ip_blacklist"; 48 $agent_table_name = $wpdb->prefix . "ttc_agent_blacklist"; 49 $request_table_name = $wpdp->prefix . 
"ttc_request_blacklist"; 50 84 85 86 51 87 ///********************************************* 52 88 // does this need to be done each time? 53 89 ///********************************************* 54 /* 55 // create tables if they don't already exist 56 if($wpdb->get_var("SHOW TABLES LIKE '$blacklist_table_name'") != $blacklist_table_name ) { 57 ttc_security_install(); 90 // create tables if they don't already exist 91 if (($wpdb->get_var("SHOW TABLES LIKE '$blacklist_table_name'") != $blacklist_table_name ) || 92 ($wpdb->get_var("SHOW TABLES LIKE '$ip_table_name'") != $ip_table_name ) || 93 ($wpdb->get_var("SHOW TABLES LIKE '$agent_table_name'") != $agent_table_name ) || 94 ($wpdb->get_var("SHOW TABLES LIKE '$request_table_name'") != $request_table_name )){ 95 96 ttc_security_install(); 58 97 } 59 if($wpdb->get_var("SHOW TABLES LIKE '$ip_table_name'") != $ip_table_name ) { 60 ttc_security_install(); 61 } 62 if($wpdb->get_var("SHOW TABLES LIKE '$agent_table_name'") != $agent_table_name ) { 63 ttc_security_install(); 64 } 65 if($wpdb->get_var("SHOW TABLES LIKE '$request_table_name'") != $request_table_name ) { 66 ttc_security_install(); 67 } 68 */ 69 ////******************************************** 70 71 72 73 98 99 100 101 102 ////******************************************** 74 103 // Note: faster and safer to pull all from db and loop through data using php for matches 75 // than it is to prep input, (san atize and clean up) and use MySql matching104 // than it is to prep input, (sanitize and clean up) and use MySql matching 76 105 77 106 // Note: tried === instead of tacking x on front of string but only matches in first position 78 107 // and we want matches any where in the string 79 108 109 110 80 111 // check for banned ip number 81 112 if ( $blacklisted == 0 ){ 82 $ip_table = $wpdb->prefix . 
"ttc_ip_blacklist"; 83 $sql = "SELECT ip FROM $ip_table"; 113 $sql = "SELECT ip FROM $ip_table_name"; 84 114 $ip_black_list = $wpdb->get_results( $sql ); 85 115 … … 91 121 92 122 //check for partial matches so we can block blocks of troublesome ip numbers 93 94 $hacked_http_remote_addr = "x" . $http_remote_addr; // php reads 0 if no match and 0 if first position, this is a hack around that.123 // hack so null doesn't equal a match 124 $hacked_http_remote_addr = "x" . $http_remote_addr; 95 125 if ((strpos ( $hacked_http_remote_addr, $bad_ip, 1 )) == 1 ){ 96 126 $blacklisted = 1; 97 } 98 99 127 } 100 128 } 101 129 } … … 105 133 // check for banned user agents and also for blank user agents 106 134 if ( $blacklisted == 0 ){ 107 $agent_table = $wpdb->prefix . "ttc_agent_blacklist"; 108 $sql = "SELECT agent FROM $agent_table"; 135 $sql = "SELECT agent FROM $agent_table_name"; 109 136 $agent_black_list = $wpdb->get_results ( $sql ); 110 $hacked_http_user_agent = "x" . $http_user_agent; //php reads 0 if not found, or if first position matches, this is a hack around that. PHP should return -1 not NULL !!! 137 138 //php reads 0 if not found, or if first position matches, this is a hack around that. PHP should return -1 not NULL !!! 139 $hacked_http_user_agent = "x" . $http_user_agent; 111 140 foreach ( $agent_black_list as $blacklisted_agent ){ 112 141 $bad_agent = $blacklisted_agent->agent; 113 114 142 115 143 if ( strpos ( $hacked_http_user_agent, $bad_agent ) > 0 ){ … … 125 153 if ( $blacklisted == 0 ){ 126 154 127 $request_table = $wpdb->prefix . 
"ttc_request_blacklist"; 128 $sql = "SELECT request from $request_table"; 155 $sql = "SELECT request from $request_table_name"; 129 156 $request_black_list = $wpdb->get_results ( $sql ); 130 157 … … 142 169 143 170 144 //*********************************************************************************************************************** 145 /////////////// uncomment ( remove // at beginning of line 118 ) and change 127.0.0.1 to your ip number to keep///////////////////////////////// 146 ////////////// yourself from getting banned /////////////////////////////////////////////////////////////////////////////////////////////////// 147 148 //********************************************* 149 // remove my ip before uploading 150 //********************************************** 171 172 //************************************************************************************************************** 173 // don't ban ourselves Change 127.0.0.1 to your ip number if you find yourself getting banned. 174 //************************************************************************************************************** 151 175 // don't ban ourselves.... 
152 176 if ( $http_local_addr == $http_remote_addr ){ $blacklisted = 0; 153 }else if ( $http_remote_addr == " 98.200.58.3" ){ $blacklisted = 0; } ////// change 127.0.0.1 to your ip and remove leading //to prevent self banishment177 }else if ( $http_remote_addr == "127.0.0.1" ){ $blacklisted = 0; } ////// change 127.0.0.1 to your ip to prevent self banishment 154 178 155 179 … … 165 189 // do nothing all is right and wonderful in the world 166 190 167 }else if ( $blacklisted == 1 ){ // already blacklisted ip here so just add to log191 }else if ( $blacklisted == 1 ){ // already blacklisted ip here so just add to log 168 192 169 193 // too many to log, log entries growing too fast … … 173 197 global $wpdb; 174 198 175 // this sends bots to main page to prevent search engine bots from listing your error page 176 // but comment this out and customize an error page if you'd rather 177 199 //************************************************************************************************************* 200 // this sends bots to main page you can create a custom page for bots and send them there if you'd rather 178 201 //************************************************************************************************************* 179 202 // send rejections back to main site page … … 181 204 $uri = rtrim(dirname($_SERVER['PHP_SELF']), '/\\'); 182 205 header("Location: http://$host$uri"); 183 184 /*185 // print error page //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////186 // You should personalize this for your website /////////////////////////////////////////////////////////////////////////////////////////////187 print "<html>\n";188 print "<head><title>I'm sorry but you look like a bot</title></head>\n";189 print "<body>\n";190 print "<h2>Banned: $blacklisted: $code</h2>\n";191 print "</body>\n";192 print "</html>\n";193 */194 195 206 196 207 exit(); … … 211 222 $code = "Attempted script or similar"; 
212 223 } 213 214 215 //***************************************************************************************************************** 216 // this sends bots to main page to prevent search engine bots from listing your error page 217 // but comment this out and customize an error page if you'd rather 218 219 // send rejections back to main site page 224 225 226 //************************************************************************************************************* 227 // this sends bots to main page you can create a custom page for bots and send them there if you'd rather 228 //************************************************************************************************************* 220 229 $host = $_SERVER['HTTP_HOST']; 221 230 $uri = rtrim(dirname($_SERVER['PHP_SELF']), '/\\'); 222 231 header("Location: http://$host$uri"); 223 232 224 /*225 // print error page ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////226 // You should personalize this for your website ///////////////////////////////////////////////////////////////////////////////////////////////227 print "<html>\n";228 print "<head><title>I'm sorry but you look like a bot</title></head>\n";229 print "<body>\n";230 print "<h2>Banned: $blacklisted: $code</h2>\n";231 print "</body>\n";232 print "</html>\n";233 ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////234 */235 236 233 237 234 exit(); … … 246 243 function ttc_add_to_security_log( $error ) 247 244 { 248 // wordpress d ata base prefix if any245 // wordpress db info 249 246 global $wpdb; 250 247 global $ttc_wpdb_prefix; 248 251 249 // server variables 252 $log_table_name = $wpdb->prefix . 
"ttc_security_log"; 253 $request_time = $_SERVER['REQUEST_TIME']; 254 $http_accept = $_SERVER['HTTP_ACCEPT']; 255 $http_user_agent = $_SERVER['HTTP_USER_AGENT']; 256 $http_remote_addr = $_SERVER['REMOTE_ADDR']; 257 $http_request_uri = $_SERVER['REQUEST_URI']; 258 259 if($wpdb->get_var("show tables like '$log_table_name'") != $log_table_name) { 260 ttc_wp_user_registration_install(); 261 } 250 global $log_table_name; 251 global $request_time; 252 global $http_accept; 253 global $http_user_agent; 254 global $http_remote_addr; 255 global $http_request_uri; 256 257 262 258 263 259 // wtf? accept statements coming in at over 255 chars? Prevent sql errors and any funny business … … 285 281 function ttc_add_to_security_blacklist( $ip ) 286 282 { 287 // wordpress tables prefix if any283 // wordpress db info 288 284 global $wpdb; 289 290 // our table name 291 $ip_table_name = $wpdb->prefix . "ttc_ip_blacklist"; 292 293 // if the table isn't already there add it 294 if($wpdb->get_var("show tables like '$ip_table_name'") != $ip_table_name) { 295 ttc_wp_user_registration_install(); 296 } 285 global $ttc_wpdb_prefix; 286 global $ip_table_name; 287 297 288 298 289 // insert ip number into blacklisted ip table … … 310 301 function ttc_security_install() 311 302 { 312 // get db name/table prefix303 // wordpress db info 313 304 global $wpdb; 305 global $ttc_wpdb_prefix; 306 314 307 315 308 // create our tables 316 $log_table_name = $wpdb->prefix . "ttc_security_log";317 $ip_table_name = $wpdb->prefix . "ttc_ip_blacklist";318 $agent_table_name = $wpdb->prefix . "ttc_agent_blacklist";319 $request_table_name = $wpdb->prefix . 
"ttc_request_blacklist";309 global $log_table_name; 310 global $ip_table_name; 311 global $agent_table_name; 312 global $request_table_name; 320 313 321 314 $new_table = 0; … … 437 430 function ttc_security_add_menu_page() 438 431 { 439 440 432 add_options_page( 'Security logs', 'Security logs', 'manage_options', 'SecurityLogs', 'ttc_add_user_security_menu'); 441 442 433 } 443 434 … … 445 436 function ttc_add_user_security_menu() 446 437 { 438 447 439 448 440 if (!current_user_can('manage_options')) { … … 452 444 // wordpress db info 453 445 global $wpdb; 446 global $ttc_wpdb_prefix; 447 454 448 455 449 if (!current_user_can('manage_options')) { … … 458 452 459 453 // our table info 460 $log_table_name = $wpdb->prefix . "ttc_security_log";461 $ip_table_name = $wpdb->prefix . "ttc_ip_blacklist";462 $agent_table_name = $wpdb->prefix . "ttc_agent_blacklist";463 $request_table_name = $wpdb->prefix . "ttc_request_blacklist";454 global $log_table_name; 455 global $ip_table_name; 456 global $agent_table_name; 457 global $request_table_name; 464 458 465 459 //print logs