From 18820c71911b9ef71ce1b25e94da9d395bceacd2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20G=C3=BCnther?= <th.guenther@saale-mail.de>
Date: Mon, 26 Feb 2024 14:47:51 +0100
Subject: [PATCH] Protection of WordPress logins

---
 assets/password.js                            |  43 +++
 assets/security.css                           |  12 +
 bdp-kompass.php                               |  12 +
 includes/action_caller.php                    |  23 ++
 includes/frontend-functions.php               |  34 ++-
 includes/pre_requires.php                     |   1 +
 includes/setup.php                            |  12 +-
 includes/spl.php                              |  32 ++
 .../Controllers/LoginHandler.php              | 282 ++++++++++++++++++
 .../Controllers/OptionsPage.php               | 130 ++++++++
 .../Views/checkbox-option.php                 |  29 ++
 .../LimitLoginAttempts/Views/radio-option.php |  35 +++
 .../LimitLoginAttempts/Views/tab-control.php  |  18 ++
 .../LimitLoginAttempts/Views/text-element.php |   7 +
 .../includes/block-and-allow-list-form.php    |  56 ++++
 .../includes/gui_elements.php                 | 116 +++++++
 .../includes/validators.php                   |  64 ++++
 .../includes/password_strength_rules.php      |  10 +
 18 files changed, 903 insertions(+), 13 deletions(-)
 create mode 100644 assets/password.js
 create mode 100644 includes/action_caller.php
 create mode 100644 includes/spl.php
 create mode 100644 modules/LimitLoginAttempts/Controllers/LoginHandler.php
 create mode 100644 modules/LimitLoginAttempts/Controllers/OptionsPage.php
 create mode 100644 modules/LimitLoginAttempts/Views/checkbox-option.php
 create mode 100644 modules/LimitLoginAttempts/Views/radio-option.php
 create mode 100644 modules/LimitLoginAttempts/Views/tab-control.php
 create mode 100644 modules/LimitLoginAttempts/Views/text-element.php
 create mode 100644 modules/LimitLoginAttempts/includes/block-and-allow-list-form.php
 create mode 100644 modules/LimitLoginAttempts/includes/gui_elements.php
 create mode 100644 modules/LimitLoginAttempts/includes/validators.php
 create mode 100644 modules/PasswordStrength/includes/password_strength_rules.php

diff --git a/assets/password.js b/assets/password.js
new file mode 100644
index 0000000..8796982
--- /dev/null
+++ b/assets/password.js
@@ -0,0 +1,43 @@
+jQuery(document).ready(function($) {
+    $( "<button class='button button-primary' disabled id='password_too_short'>" +
+        php_vars.password_too_short_text + "</button>" ).insertBefore( ".submit" );
+
+    $("#password_too_short").css('display', 'none');
+
+    $(document).on('DOMSubtreeModified', '#pass-strength-result', function() {
+        var strengthMeter = $(this).attr('class');
+        var allowedStrengths = php_vars.allowed_strengths;
+
+        $( "[name='pw_weak']" ).css('visibility', 'hidden');
+        $( '.pw-weak' ).css('visibility', 'hidden');
+        $( '#pw-weak-text-label' ).css('visibility', 'hidden');
+
+        if (strengthMeter !== '') {
+            if (allowedStrengths.includes(strengthMeter)) {
+                $("[name='pw_weak']").prop("checked", true);
+                $("[name='submit']").css('display', 'inline');
+                $('#createusersub').css('display', 'inline');
+                $('submit').onclick = function() {
+                    $('your-profile').submit();
+                };
+                $("#createusersub").onclick = function() {
+                    $('createuser').submit();
+                };
+
+                $("#password_too_short").css('display', 'none');
+            } else {
+                $("#createusersub").css('display', 'none');
+                $("[name='submit']").prop("disabled", true);
+                $("[name='pw_weak']").prop("checked", false);
+                $("[name='submit']").css('display', 'none');
+                $('submit').onclick = function() {
+                    return false;
+                };
+                $("#createusersub").onclick = function() {
+                    return false;
+                };
+                $("#password_too_short").css('display', 'inline');
+            }
+        }
+    });
+});
\ No newline at end of file
diff --git a/assets/security.css b/assets/security.css
index 5e213a9..46884dd 100644
--- a/assets/security.css
+++ b/assets/security.css
@@ -50,4 +50,16 @@
 
 .long_text {
     width: 80%;
+}
+
+.protect-login-no-blocked-ips
+{
+    padding: 5px 10px;
+    width: 90%;
+    background-color: #ffffff;
+    border-style: solid;
+    border-color: #00a32a;
+    border-width: 1px;
+    font-weight: bold;
+    font-size: 12pt;
 }
\ No newline at end of file
diff --git a/bdp-kompass.php b/bdp-kompass.php
index 1089ef6..fd253ce 100644
--- a/bdp-kompass.php
+++ b/bdp-kompass.php
@@ -12,6 +12,7 @@
  * Text Domain: bdp-kompass
  */
 
+use Bdp\Modules\LimitLoginAttempts\Controllers\OptionsPage as OptionsPageAlias;
 use Bdp\Modules\Security\Security;
 use Bdp\Modules\Seo\Seo;
 
@@ -36,6 +37,9 @@ function bdp_plugin_init() {
 	}
 }
 
+add_action('admin_menu', function () {
+	new OptionsPageAlias();
+});
 
 
 function register_custom_theme_directory() {
@@ -47,4 +51,12 @@ function register_custom_theme_directory() {
     switch_theme('buena');
 }
 
+function enqueue_custom_password_js() {
+	wp_enqueue_script( 'custom-password-js', BDP_LV_PLUGIN_URL . 'assets/password.js');
+	wp_localize_script( 'custom-password-js', 'php_vars', [
+		'allowed_strengths' => kompass_get_minimal_password_strength(),
+		'password_too_short_text' => 'Dass Passwort entspricht nicht den Anforderungen.'
+	]);
+}
+
 #add_action( 'after_setup_theme', 'register_custom_theme_directory' );
diff --git a/includes/action_caller.php b/includes/action_caller.php
new file mode 100644
index 0000000..9913ef1
--- /dev/null
+++ b/includes/action_caller.php
@@ -0,0 +1,23 @@
+<?php
+
+if (!isset($loginHandler)) {
+    $loginHandler = new \Bdp\Modules\LimitLoginAttempts\Controllers\LoginHandler();
+}
+
+add_action('wp_login_failed', [$loginHandler, 'onFailedLogin']);
+add_filter('wp_authenticate_user', [$loginHandler, 'onSuccessFullLogin'], 99999, 2);
+add_filter( 'admin_enqueue_scripts', 'enqueue_custom_password_js',10 );
+
+add_action('admin_init', 'admin_init');
+
+if (get_option('kompass_cookies', false)) {
+    $loginHandler->handleCookies();
+    add_action('auth_cookie_bad_username', [$loginHandler, 'checkFailedCookies']);
+    add_action('auth_cookie_valid', [$loginHandler, 'onValidCookie'], 10, 2);
+}
+
+if (isset($_POST['save_kompass_balist_list_type'])) {
+    updateBlockOrAllowList($_POST);
+}
+
+
diff --git a/includes/frontend-functions.php b/includes/frontend-functions.php
index a3b79df..e44b540 100644
--- a/includes/frontend-functions.php
+++ b/includes/frontend-functions.php
@@ -16,17 +16,13 @@ function bdp_update_dashboard_style() {
 
 
 function bdp_add_menu_security() {
+
     $moduleLoad = get_admin_url() . 'admin.php?page=' . BDP_LV_PLUGIN_SLUG . '/modules/index.php&loadmodule=';
 
-    add_menu_page(
-        'Sicherheit',
-        'Webseiten-Sicherheit',
-        'manage_options',
-        'site-health.php',
-        '',
-        'dashicons-admin-network',
-        5
-    );
+
+
+
+
 }
 
 function bdp_add_menu_contents() {
@@ -69,7 +65,7 @@ function bdp_add_menu_mein_lv() {
     $moduleLoad = get_admin_url() . 'admin.php?page=' . BDP_LV_PLUGIN_SLUG . '/modules/index.php&loadmodule=';
 
     add_menu_page(
-        'Mein BDP',
+        'Mein BdP',
         'BdP',
         'manage_options',
         $mainSlug,
@@ -113,7 +109,7 @@ function bdp_add_menu_setup() {
 
     add_submenu_page('users.php',
         'Design-Einstellungen',
-        'Design',
+        'Template bearbeiten',
         'manage_options',
         'customize.php?return=/wp-admin/'
     );
@@ -132,6 +128,22 @@ function bdp_add_menu_setup() {
         'manage_options',
         'themes.php'
     );
+
+	add_submenu_page('users.php',
+		'Sicherheit',
+		'Webseiten-Sicherheit',
+		'manage_options',
+		'site-health.php'
+	);
+
+	$loginOption = new \Bdp\Modules\LimitLoginAttempts\Controllers\OptionsPage();
+	add_submenu_page('users.php',
+		'Login-Sicherheit',
+		'Login-Sicherheit',
+		'manage_options',
+		BDP_LV_PLUGIN_SLUG . '-limit-login-attempts',
+		[$loginOption, 'limit_login_option_page']
+	);
 }
 
 function bdp_cleanup_menu()
diff --git a/includes/pre_requires.php b/includes/pre_requires.php
index 1436eff..12dc003 100644
--- a/includes/pre_requires.php
+++ b/includes/pre_requires.php
@@ -3,3 +3,4 @@ require_once (ABSPATH . '/wp-admin/includes/plugin.php');
 require_once (ABSPATH . '/wp-admin/includes/class-wp-filesystem-base.php');
 require_once (ABSPATH . '/wp-admin/includes/class-wp-filesystem-direct.php');
 require_once (ABSPATH . '/wp-includes/pluggable.php');
+require_once (ABSPATH . '/wp-admin/includes/template.php');
\ No newline at end of file
diff --git a/includes/setup.php b/includes/setup.php
index f8b5e8d..ca1e6a2 100644
--- a/includes/setup.php
+++ b/includes/setup.php
@@ -3,9 +3,12 @@ if ( ! defined( 'WP_PLUGIN_DIR' ) ) {               // Abspath to wp-content/plu
     define( 'WP_PLUGIN_DIR', WP_CONTENT_DIR . '/plugins' ); // Full path, no trailing slash.
 }
 
+use Bdp\Modules\LimitLoginAttempts\Controllers\LoginHandler;
+
+
 require_once dirname(__FILE__) . '/pre_requires.php';
 require_once dirname(__FILE__) . '/environment.php';
-
+require_once dirname(__FILE__) . '/spl.php';
 require_once dirname(__FILE__) . '/update.class.php';
 
 require_once BDP_LV_PLUGIN_DIR . 'includes/FileAccess.class.php';
@@ -20,6 +23,10 @@ require_once (BDP_LV_PLUGIN_DIR . '/includes/frontend-functions.php');
 
 require_once (BDP_LV_PLUGIN_DIR . '/modules/security/security.php');
 
+function admin_init()
+{
+	kompass_settings_validators();
+}
 
 bdp_create_menu_structure();
 
@@ -31,6 +38,7 @@ function bdp_kompass_load_plugin_textdomain() {
 
 
 
-#$class =
+$loginHandler = new LoginHandler();
 new BdpVersionChecker();
 #add_filter( 'plugins_api', array( $class, 'info' ), 20, 3 );
+require_once dirname(__FILE__) . '/action_caller.php';
diff --git a/includes/spl.php b/includes/spl.php
new file mode 100644
index 0000000..5f3b398
--- /dev/null
+++ b/includes/spl.php
@@ -0,0 +1,32 @@
+<?php
+spl_autoload_register(function ($className) {
+
+    if (!str_starts_with($className, 'ProtectLogin\\')) {
+        return;
+    }
+
+    $fileName = str_replace('\\','/', $className);
+    $fileName = str_replace('ProtectLogin/Modules/', 'ProtectLogin/modules/', $fileName);
+    $fileName = str_replace('ProtectLogin/', '', $fileName);
+
+
+
+    $fileName = BDP_LV_PLUGIN_DIR . $fileName . '.php';
+    if (!file_exists($fileName)) {
+        return;
+    }
+
+    require_once $fileName;
+});
+
+$modules = ['LimitLoginAttempts', 'PasswordStrength'];
+$subdirs = ['includes', 'Controllers', 'Views'];
+
+foreach ($modules as $curModule) {
+    foreach ($subdirs as $dir) {
+        $directoryPath = BDP_LV_PLUGIN_DIR . 'modules/' . $curModule . '/' . $dir . '/';
+        foreach (glob($directoryPath . '*.php') as $file) {
+            require_once $file;
+        }
+    }
+}
\ No newline at end of file
diff --git a/modules/LimitLoginAttempts/Controllers/LoginHandler.php b/modules/LimitLoginAttempts/Controllers/LoginHandler.php
new file mode 100644
index 0000000..0b92d42
--- /dev/null
+++ b/modules/LimitLoginAttempts/Controllers/LoginHandler.php
@@ -0,0 +1,282 @@
+<?php
+
+namespace Bdp\Modules\LimitLoginAttempts\Controllers;
+
+use ProtectLogin\Modules\LimitLoginAttempts\Requests\IpAddress;
+
+class LoginHandler {
+    public const DIRECT_ADDR =  'REMOTE_ADDR';
+    public const PROXY_ADDR = 'HTTP_X_FORWARDED_FOR';
+
+    public function onSuccessFullLogin($user, $password) {
+        if (!is_wp_error($user) && $this->isLoginAllowedFromIp() ) {
+            return $user;
+        }
+
+        global $limit_login_my_error_shown;
+        $limit_login_my_error_shown = true;
+
+        $error = new \WP_Error();
+        // This error should be the same as in "shake it" filter below
+        $error->add('too_many_retries', $this->composeErrorMessage());
+        return $error;
+    }
+
+    public function onFailedLogin(string $username) {
+        $ip = $this->getAddress();
+
+        /* if currently locked-out, do not add to retries */
+        $lockouts = get_option('protect_login_limit_login_lockouts', []);
+
+        if(isset($lockouts[$ip]) && time() < $lockouts[$ip]) {
+            return;
+        }
+
+        /* Get the arrays with retries and retries-valid information */
+        $retries = get_option('kompass_limit_login_retries', []);
+        $valid = get_option('kompass_limit_login_retries_valid', []);
+
+        /* Check validity and add one to retries */
+        if (isset($retries[$ip])) { //} && isset($valid[$ip]) && time() < $valid[$ip]) {
+            $retries[$ip] ++;
+        } else {
+            $retries[$ip] = 1;
+        }
+
+        update_option('kompass_limit_login_retries', $retries);
+
+        /* lockout? */
+        if($retries[$ip] % get_option('kompass_limit_login_allowed_retries', 0) != 0) {
+            return;
+        }
+
+
+        $retries_long = get_option('kompass_limit_login_allowed_retries', 1)
+            * get_option('kompass_limit_login_allowed_lockouts', 1);
+
+        if ($retries[$ip] >= $retries_long) {
+            $lockouts[$ip] = time() + get_option('kompass_limit_login_long_duration', 86400);
+
+        } else {
+            $lockouts[$ip] = time() + get_option('kompass_limit_login_lockout_duration', 900);
+        }
+
+        update_option('kompass_limit_login_lockouts', $lockouts);
+
+
+        /* do any notification */
+        $this->notify($username);
+
+    }
+
+    private function notifyByEmail($user)
+    {
+        $ip = $this->getAddress();
+
+        $lockouts = get_option('kompass_limit_login_lockouts', []);
+        if (!isset($lockouts[$ip])) {
+            return;
+        }
+
+        $blocked_until = $lockouts[$ip];
+
+        $retries = get_option('kompass_limit_login_retries', []);
+        $currentRetries = $retries[$ip];
+
+        $notify_after = get_option('kompass_limit_login_notify_email_after', 1);
+        if ($currentRetries % $notify_after !== 0) {
+            return;
+        }
+
+        $blogname = get_option('blogname', 'none');
+
+        $subject = sprintf(__("[%s] Too many failed login attempts"
+                , 'limit-login-attempts')
+            , $blogname);
+
+        $message = 'Neue Sperrung auf deiner Webseite: ' . PHP_EOL .
+            'IP-Adresse: ' . $ip . PHP_EOL .
+            'Gesperrt bis: ' . date('d.m.Y H:i', $blocked_until);
+
+        $admin_email = get_option('admin_email');
+        wp_mail($admin_email, $subject, $message);
+    }
+
+
+    /* Handle notification in event of lockout */
+    private function notify($user) {
+        $args = get_option('kompass_limit_login_lockout_notify', []);
+		if (!is_array($args)) {
+			$args = [$args];
+		}
+        foreach ($args as $mode) {
+            switch (trim($mode)) {
+                case 'email':
+                    $this->notifyByEmail($user);
+                    break;
+            }
+        }
+    }
+
+    private function composeErrorMessage() {
+        $ip = $this->getAddress();
+        $lockouts = get_option('kompass_limit_login_lockouts');
+
+        $msg = __('<strong>ERROR</strong>: Too many failed login attempts.', 'limit-login-attempts') . ' ';
+
+        if (!is_array($lockouts) || !isset($lockouts[$ip]) || time() >= $lockouts[$ip]) {
+            /* Huh? No timeout active? */
+            $msg .=  __('Please try again later.', 'limit-login-attempts');
+            return $msg;
+        }
+
+        $when = ceil(($lockouts[$ip] - time()) / 60);
+        if ($when > 60) {
+            $when = ceil($when / 60);
+            $msg .= sprintf(_n('Please try again in %d hour.', 'Please try again in %d hours.', $when, 'limit-login-attempts'), $when);
+        } else {
+            $msg .= sprintf(_n('Please try again in %d minute.', 'Please try again in %d minutes.', $when, 'limit-login-attempts'), $when);
+        }
+
+        return $msg;
+    }
+
+    private static function getAddress($typeName = '') {
+        global $limitLoginAttemptsSettings;
+
+        $typeOriginal = $typeName;
+        if (empty($typeName)) {
+            $typeName = get_option('kompass_limit_loginclient_type', self::DIRECT_ADDR);
+        }
+
+        if (isset($_SERVER[$typeName]) && filter_var($_SERVER[$typeName], FILTER_VALIDATE_IP)) {
+            return $_SERVER[$typeName];
+        }
+
+        /*
+         * Not found. Did we get proxy type from option?
+         * If so, try to fall back to direct address.
+         */
+        if ( empty($typeName) && $typeOriginal == self::PROXY_ADDR
+            && isset($_SERVER[self::DIRECT_ADDR])
+            && filter_var($_SERVER[self::DIRECT_ADDR], FILTER_VALIDATE_IP)) {
+
+            /*
+             * NOTE: Even though we fall back to direct address -- meaning you
+             * can get a mostly working plugin when set to PROXY mode while in
+             * fact directly connected to Internet it is not safe!
+             *
+             * Client can itself send HTTP_X_FORWARDED_FOR header fooling us
+             * regarding which IP should be banned.
+             */
+
+            return $_SERVER[self::DIRECT_ADDR];
+        }
+
+        return '';
+
+    }
+
+    public function isLoginAllowedFromIp() {
+        $ip = $this->getAddress();
+
+        if (in_array($ip, get_option('kompass_limit_login_blocklist', []))) {
+            return false;
+        }
+
+        if (in_array($ip, get_option('kompass_limit_login_allowlist', []))) {
+            return true;
+        }
+
+        /* lockout active? */
+        $lockouts = get_option('kompass_limit_login_lockouts', []);
+        return (!is_array($lockouts) || !isset($lockouts[$ip]) || time() >= $lockouts[$ip]);
+    }
+
+    public function checkFailedCookies($cookie_elements) {
+        $this->clearAuthCookie();
+
+        /*
+         * Invalid username gets counted every time.
+         */
+
+        $this->onFailedLogin($cookie_elements['username']);
+    }
+
+    private function clearAuthCookie() {
+        wp_clear_auth_cookie();
+
+        if (!empty($_COOKIE[AUTH_COOKIE])) {
+            $_COOKIE[AUTH_COOKIE] = '';
+        }
+        if (!empty($_COOKIE[SECURE_AUTH_COOKIE])) {
+            $_COOKIE[SECURE_AUTH_COOKIE] = '';
+        }
+        if (!empty($_COOKIE[LOGGED_IN_COOKIE])) {
+            $_COOKIE[LOGGED_IN_COOKIE] = '';
+        }
+    }
+
+    public function onValidCookie($cookie_elements, $user) {
+        /*
+         * As all meta values get cached on user load this should not require
+         * any extra work for the common case of no stored value.
+         */
+
+        if (get_user_meta($user->ID, 'kompass_limit_login_previous_cookie')) {
+            delete_user_meta($user->ID, 'kompass_limit_login_previous_cookie');
+        }
+    }
+
+    function clearLoginCookie($cookie_elements) {
+        $this->clearAuthCookie();
+
+        /*
+         * Under some conditions an invalid auth cookie will be used multiple
+         * times, which results in multiple failed attempts from that one
+         * cookie.
+         *
+         * Unfortunately I've not been able to replicate this consistently and
+         * thus have not been able to make sure what the exact cause is.
+         *
+         * Probably it is because a reload of for example the admin dashboard
+         * might result in multiple requests from the browser before the invalid
+         * cookie can be cleard.
+         *
+         * Handle this by only counting the first attempt when the exact same
+         * cookie is attempted for a user.
+         */
+
+        extract($cookie_elements, EXTR_OVERWRITE);
+
+        // Check if cookie is for a valid user
+        $user = get_user_by('login', $username);
+        if (!$user) {
+            // "shouldn't happen" for this action
+            $this->onFailedLogin($username);
+            return;
+        }
+
+        $previous_cookie = get_user_meta($user->ID, 'kompass_limit_login_previous_cookie', true);
+        if ($previous_cookie && $previous_cookie == $cookie_elements) {
+            // Identical cookies, ignore this attempt
+            return;
+        }
+
+        // Store cookie
+        if ($previous_cookie)
+            update_user_meta($user->ID, 'kompass_limit_login_previous_cookie', $cookie_elements);
+        else
+            add_user_meta($user->ID, 'kompass_limit_login_previous_cookie', $cookie_elements, true);
+
+        $this->onFailedLogin($username);
+    }
+
+    public function handleCookies() {
+        if ($this->isLoginAllowedFromIp()) {
+            return;
+        }
+
+        $this->clearAuthCookie();
+    }
+}
\ No newline at end of file
diff --git a/modules/LimitLoginAttempts/Controllers/OptionsPage.php b/modules/LimitLoginAttempts/Controllers/OptionsPage.php
new file mode 100644
index 0000000..8e4f4f3
--- /dev/null
+++ b/modules/LimitLoginAttempts/Controllers/OptionsPage.php
@@ -0,0 +1,130 @@
+<?php
+
+namespace Bdp\Modules\LimitLoginAttempts\Controllers;
+
+
+class OptionsPage
+{
+    public function __construct()
+    {
+        add_options_page(BDP_LV_PLUGIN_SLUG . '-limit-login-attempts',
+            'Protect Login',
+            'site-health.php',
+            BDP_LV_PLUGIN_SLUG . '-limit-login-attempts',
+            [$this, 'limit_login_option_page'],2048);
+    }
+
+    public function releaseIp($ip)
+    {
+        $allIps = get_option('kompass_limit_login_lockouts', []);
+        unset($allIps[$ip]);
+        update_option('kompass_limit_login_lockouts', $allIps);
+    }
+
+    public function getBlockedIps()
+    {
+        $ips = '';
+        foreach (get_option('kompass_limit_login_lockouts', []) as $ip => $blockedUntil) {
+            $ips .= '<tr>' .
+                        '<td style="padding-right: 10px;">' . $ip . '</td>' .
+                        '<td style="padding-right: 10px;">' . date('d.m.Y H:i', $blockedUntil) . ' Uhr</td>' .
+                        '<td>
+                            <a href="admin.php?page=bdp-kompass-limit-login-attempts&tab=tab4&action=release&ip=' .
+                                        base64_encode($ip) . '">Freigeben</a></td>' .
+                    '</tr>';
+        };
+
+        return $ips;
+    }
+
+    public function limit_login_option_page() {
+        global $errors;
+
+        $showMessage = null;
+
+        if (isset($_POST['update_options'])) {
+            update_settings($_POST);
+            $showMessage = 'Die Einstellungen wurden gespeichert';
+        }
+        if (isset($_GET['action']) && $_GET['action'] == 'release') {
+            $showMessage = 'Die IP-Adresse wurde freigegeben.';
+        }
+
+        if(isset($_POST['save_kompass_balist_list_type'])) {
+            $showMessage = 'Die Liste wurde gespeichert.';
+        }
+
+        if (null !== $showMessage && $errors === false) {
+            echo '<div class="notice notice-success" style="padding: 5px 10px;">';
+            echo $showMessage;
+            echo '</div>';
+        }
+
+        if ($errors) {
+            echo '<div class="notice notice-error" style="padding: 5px 10px;">';
+            echo 'Beim Durchführen der Aktion ist ein Fehler aufgetreten.';
+            echo '</div>';
+        }
+
+        $tab = isset($_GET['tab']) ? $_GET['tab'] : 'tab1';
+        ?>
+
+        <div class="wrap">
+            <h1 class="wp-heading-inline">Protect Login - Einstellungen</h1>
+            <hr class="wp-header-end">
+            <?= kompass_print_tab_header($tab); ?>
+
+            <div class="tab-content">
+                <?php
+                switch ($tab) {
+                    case 'tab1':
+                        echo '<form action="admin.php?page=bdp-kompass-limit-login-attempts&tab=tab1" method="post">';
+                        do_settings_sections(BDP_LV_PLUGIN_SLUG . '-limit-login-attempts');
+                        submit_button();
+                        echo '</form>';
+                        break;
+                    case 'tab2':
+                        echo '<h2>Blocklist</h2>';
+                        echo '<form action="admin.php?page=bdp-kompass-limit-login-attempts&tab=tab2" method="post">';
+                        kompass_print_block_allow_form('blocklist');
+                        submit_button();
+                        echo '</form>';
+                        break;
+                    case 'tab3':
+                        echo '<h2>Allowlist</h2>';
+                        echo '<form action="admin.php?page=bdp-kompass-limit-login-attempts&tab=tab3" method="post">';
+                        kompass_print_block_allow_form('allowlist');
+                        submit_button();
+                        echo '</form>';
+                        break;
+                    case 'tab4':
+                        if (isset($_GET['action']) && $_GET['action'] == 'release') {
+                            $this->releaseIp(base64_decode($_GET['ip']));
+                        }
+                        $blockedIps = $this->getBlockedIps();
+                        ?>
+                        <h3>Gesperrte IPs</h3>
+                        <?php
+                            if (strlen($blockedIps) == 0) {
+                                echo '<div class="protect-login-no-blocked-ips">';
+                                echo 'Derzeit sind keine Adressen gesperrt.';
+                                echo '</div>';
+                            } else { ?>
+                                <table>
+                                    <tr>
+                                        <th>IP</th>
+                                        <th>Gesperrt bis</th>
+                                        <th>Aktion</th>
+                                    </tr>
+                                    <?= $blockedIps ?>
+                                </table>
+                            <?php
+                            }
+                    break;
+                }
+                ?>
+            </div>
+        </div>
+        <?php
+    }
+}
\ No newline at end of file
diff --git a/modules/LimitLoginAttempts/Views/checkbox-option.php b/modules/LimitLoginAttempts/Views/checkbox-option.php
new file mode 100644
index 0000000..c781d67
--- /dev/null
+++ b/modules/LimitLoginAttempts/Views/checkbox-option.php
@@ -0,0 +1,29 @@
+<?php
+function kompass_print_checkbox($settingName) {
+    $currentSetting = get_option($settingName, []);
+	if (!is_array($currentSetting)) {
+		$currentSetting = [$currentSetting];
+	}
+
+    $options = ['kompass_limit_login_lockout_notify' => [
+        'email' => 'E-Mail an Administrator'
+        ],
+    ];
+
+    if(!isset($options[$settingName])) {
+        return;
+    }
+
+    $setting = $options[$settingName];
+    foreach ($setting as $radioOption => $optionText) {
+		$isChecked = in_array($radioOption, $currentSetting) ? 'checked ' : '' ;
+
+        echo '<input ' .
+            $isChecked .
+            'type="checkbox" 
+            name="' . $settingName . '[]" 
+            value="' . $radioOption . '"
+            id="setting_' . $settingName . '_' . $radioOption . '" />' .
+            '<label for="setting_' . $settingName . '_' . $radioOption . '">' . $optionText . '</label><br />';
+    }
+}
diff --git a/modules/LimitLoginAttempts/Views/radio-option.php b/modules/LimitLoginAttempts/Views/radio-option.php
new file mode 100644
index 0000000..a317dfd
--- /dev/null
+++ b/modules/LimitLoginAttempts/Views/radio-option.php
@@ -0,0 +1,35 @@
+<?php
+function kompass_print_radio($settingName) {
+    $currentSetting = get_option($settingName);
+    $options = [
+        'kompass_limit_login_client_type' => [
+            'REMOTE_ADDR' => 'Direkte Verbrindung',
+            'HTTP_X_FORWARDED_FOR' => 'Hinter einem Proxy'
+        ],
+        'kompass_limit_login_cookies' => [
+            true => 'Ja',
+            false => 'Nein'
+        ],
+        'kompass_password_minimal_strength' => [
+            '1' => 'Alle Passwörter erlauben',
+            '2' => 'Mittelstarke Passwörter',
+            '3' => 'Nur Starke Passwörter'
+        ]
+    ];
+
+    if(!isset($options[$settingName])) {
+        return;
+    }
+
+    $setting = $options[$settingName];
+    foreach ($setting as $radioOption  => $optionText) {
+        $isChecked = $currentSetting == $radioOption ? 'checked ' : '' ;
+        echo '<input  
+            ' . $isChecked .
+            ' type="radio"
+              name="' . $settingName . '"
+              value="' . $radioOption . '" 
+              id="setting_' . $settingName . '_' . $radioOption . '" />' .
+            '<label for="setting_' . $settingName . '_' . $radioOption . '">' . $optionText . '</label> &nbsp; ';
+    }
+}
diff --git a/modules/LimitLoginAttempts/Views/tab-control.php b/modules/LimitLoginAttempts/Views/tab-control.php
new file mode 100644
index 0000000..c94a830
--- /dev/null
+++ b/modules/LimitLoginAttempts/Views/tab-control.php
@@ -0,0 +1,18 @@
+<?php
+    function kompass_print_tab_header($activeTab = 'tab1')
+    {
+        $baseUrl = 'admin.php?page=bdp-kompass-limit-login-attempts&tab=';
+        return '<h2 class="nav-tab-wrapper">'.
+        '<a href="' . $baseUrl . 'tab1" class="nav-tab ' . ($activeTab == 'tab1' ? 'nav-tab-active' : '') . '">
+            Optionen
+        </a>'.
+        '<a href="' . $baseUrl . 'tab2" class="nav-tab ' . ($activeTab == 'tab2' ? 'nav-tab-active' : '') .'">
+            Blocklist
+        </a>'.
+        '<a href="' . $baseUrl . 'tab3" class="nav-tab ' . ($activeTab == 'tab3' ? 'nav-tab-active' : '') .'">
+            Allowlist
+        </a>'.
+        '<a href="' . $baseUrl . 'tab4" class="nav-tab ' . ($activeTab == 'tab4' ? 'nav-tab-active' : '') .'">
+            Gesperrte IPs
+        </a></h2>';
+    }
\ No newline at end of file
diff --git a/modules/LimitLoginAttempts/Views/text-element.php b/modules/LimitLoginAttempts/Views/text-element.php
new file mode 100644
index 0000000..2702e0c
--- /dev/null
+++ b/modules/LimitLoginAttempts/Views/text-element.php
@@ -0,0 +1,7 @@
+<?php
+function kompass_print_textbox($settingName, $settingValue) {
+    echo '<input type="text" name="' . $settingName . '" value="' . $settingValue. '" />';
+    if (defined('WP_DEBUG') && WP_DEBUG == true) {
+        echo '<br />' . $settingName;
+    }
+}
diff --git a/modules/LimitLoginAttempts/includes/block-and-allow-list-form.php b/modules/LimitLoginAttempts/includes/block-and-allow-list-form.php
new file mode 100644
index 0000000..265584d
--- /dev/null
+++ b/modules/LimitLoginAttempts/includes/block-and-allow-list-form.php
@@ -0,0 +1,56 @@
+<?php
+function updateBlockOrAllowList($postVars)
+{
+    $listType = $postVars['save_kompass_balist_list_type'];
+
+    $saveIPList = [];
+    if (isset($postVars['listElements'])) {
+        foreach ($postVars['listElements'] as $curIp) {
+            $curIp = trim($curIp);
+            if ($curIp !== '') {
+                $saveIPList[] = $curIp;
+            }
+        }
+    }
+
+    if (count($postVars['new_ips']) == 1) {
+        foreach (explode(PHP_EOL, $postVars['new_ips'][0]) as $newIp) {
+            $newIp = trim($newIp);
+            if ('' !== $newIp) {
+                $saveIPList[] = $newIp;
+            }
+        }
+    }
+
+    update_option('kompass_limit_login_' . $listType, $saveIPList);
+}
+
+function kompass_print_block_allow_form($listType) {
+    $elements = get_option('kompass_limit_login_' . $listType, []);
+
+     ?>
+
+    <input type="hidden" name="save_kompass_balist_list_type" value="<?= $listType; ?>" />
+
+    <?php
+    foreach ($elements as $currentIp) {
+        ?>
+        <p>
+            <input type="text" name="listElements[]" value="<?= $currentIp ?>" style="width: 350px;" /><br />
+            <label style="cursor: default; color: #a0a0a0; fot-size: 9pt; font-style: italic"><?= __('Zum Löschen frei lassen', BDP_LV_PLUGIN_SLUG); ?></label>
+        </p>
+        <?php
+    }
+    ?>
+    </div>
+    <div class="kompass_setting_box">
+        <h3><?= __('IP-Adresse hinzufügen', BDP_LV_PLUGIN_SLUG); ?></h3>
+        <p>
+            <textarea
+                    placeholder="<?= __('Please use line breaks to enter multiple ips', BDP_LV_PLUGIN_SLUG); ?>"
+                    name="new_ips[]"
+                    style="width: 350px;" rows="5"></textarea>
+        </p>
+    </div>
+<?php
+}
\ No newline at end of file
diff --git a/modules/LimitLoginAttempts/includes/gui_elements.php b/modules/LimitLoginAttempts/includes/gui_elements.php
new file mode 100644
index 0000000..ed7cbbd
--- /dev/null
+++ b/modules/LimitLoginAttempts/includes/gui_elements.php
@@ -0,0 +1,116 @@
+<?php
+
+// Callback-Funktion für die Einstellungsseite
+function custom_settings_section_callback() {
+    echo '<input type="hidden" name="update_options" value="true" />';
+}
+
+function _kompass_limit_logins_settings_callback($args) {
+    $setting = get_option($args['setting'], null);
+    if (null === $setting) {
+        $setting = '';
+    }
+
+    $value = esc_attr($setting);
+    if (isset($args['unit_division'])) {
+        $value = (int)$value / (int)$args['unit_division'];
+    }
+
+    kompass_print_textbox($args['setting'], $value);
+}
+
+function _kompass_limit_logins_settings_radio_callback($args)
+{
+    kompass_print_radio($args['setting']);
+}
+function _kompass_limit_logins_settings_checkbox_callback($args) {
+    kompass_print_checkbox($args['setting']);
+}
+
+
+
+
+
+
+add_settings_section(
+    'custom_settings_section',
+    'Optionen',
+    'custom_settings_section_callback',
+    BDP_LV_PLUGIN_SLUG . '-limit-login-attempts'
+);
+
+$settings_page = BDP_LV_PLUGIN_SLUG . '-limit-login-attempts';
+
+
+
+add_settings_field(
+    'kompass_lla_1',
+    'Maximale Wiederholungen',
+    '_kompass_limit_logins_settings_callback',
+    $settings_page,
+    'custom_settings_section',
+    ['setting' => 'kompass_limit_login_allowed_retries']);
+
+add_settings_field(
+    'kompass_lla_2',
+    'Dauer der Sperre (in Minuten)',
+    '_kompass_limit_logins_settings_callback',
+    $settings_page,
+    'custom_settings_section',
+    ['setting' => 'kompass_limit_login_lockout_duration', 'unit_division' => 60 ]);
+
+add_settings_field(
+    'kompass_lla_3',
+    'Maximale Anzahl an Sperrungen',
+    '_kompass_limit_logins_settings_callback',
+    $settings_page,
+    'custom_settings_section',
+    ['setting' => 'kompass_limit_login_allowed_lockouts']);
+
+add_settings_field(
+    'kompass_lla_4',
+    'Langzeitsperre in Stunden',
+    '_kompass_limit_logins_settings_callback',
+    $settings_page,
+    'custom_settings_section',
+    ['setting' => 'kompass_limit_login_long_duration', 'unit_division' => 3600]);
+
+add_settings_field(
+    'kompass_lla_5',
+    'Mininmale Passwort-Stärke:',
+    '_kompass_limit_logins_settings_radio_callback',
+    $settings_page,
+    'custom_settings_section',
+    ['setting' => 'kompass_password_minimal_strength']);
+
+add_settings_field(
+    'kompass_lla_6',
+    'Seite erreichbar über:',
+    '_kompass_limit_logins_settings_radio_callback',
+    $settings_page,
+    'custom_settings_section',
+    ['setting' => 'kompass_limit_login_client_type']);
+
+add_settings_field(
+    'kompass_lla_7',
+    'Cookies verarbeiten',
+    '_kompass_limit_logins_settings_radio_callback',
+    $settings_page,
+    'custom_settings_section',
+    ['setting' => 'kompass_limit_login_cookies']);
+
+add_settings_field(
+    'kompass_lla_8',
+    'Bei Sperrung benachrichtigen',
+    '_kompass_limit_logins_settings_checkbox_callback',
+    $settings_page,
+    'custom_settings_section',
+    ['setting' => 'kompass_limit_login_lockout_notify']);
+
+add_settings_field(
+    'kompass_lla_9',
+    'Fehlversuche bis zur Benachrichtigung',
+    '_kompass_limit_logins_settings_callback',
+    $settings_page,
+    'custom_settings_section',
+    ['setting' => 'kompass_limit_login_notify_email_after']);
diff --git a/modules/LimitLoginAttempts/includes/validators.php b/modules/LimitLoginAttempts/includes/validators.php
new file mode 100644
index 0000000..e2fb154
--- /dev/null
+++ b/modules/LimitLoginAttempts/includes/validators.php
@@ -0,0 +1,64 @@
+<?php
+function check_for_integer($input) {
+    if (!is_numeric($input)) {
+        wp_die('Bitte nur Zahlen, Danke!');
+    }
+    return $input;
+}
+
+
+function hours_to_seconds_converter($input) {
+    // Hier kannst du die Eingabe validieren, z.B. sicherstellen, dass es sich um eine gültige E-Mail-Adresse handelt.
+    return minutes_to_seconds_converter($input) * 60;
+}
+
+function minutes_to_seconds_converter($input) {
+
+    // Hier kannst du die Eingabe validieren, z.B. sicherstellen, dass es sich um eine gültige E-Mail-Adresse handelt.
+    return check_for_integer($input) * 60;
+}
+
+function kompass_settings_validators()
+{
+    $slug = BDP_LV_PLUGIN_SLUG . '-limit-login-attempts';
+
+    register_setting($slug,
+        'kompass_limit_login_allowed_retries',
+        'check_for_integer');
+
+    register_setting($slug,
+        'kompass_limit_login_allowed_lockouts',
+        'check_for_integer');
+
+    register_setting($slug,
+        'kompass_limit_login_lockout_duration',
+        'minutes_to_seconds_converter');
+
+    register_setting($slug,
+        'kompass_limit_login_long_duration',
+        'hours_to_seconds_converter');
+
+    register_setting($slug,
+        'kompass_limit_login_notify_email_after',
+        'check_for_integer');
+}
+
+function update_settings($postParams) {
+    $settings = ['kompass_limit_login_lockout_duration',
+        'kompass_limit_login_allowed_retries',
+        'kompass_limit_login_allowed_lockouts',
+        'kompass_password_minimal_strength',
+        'kompass_limit_login_client_type',
+        'kompass_limit_login_long_duration',
+        'kompass_limit_login_lockout_notify',
+        'kompass_limit_login_notify_email_after',
+        'kompass_limit_login_cookies'];
+
+    foreach ($settings as $curSetting) {
+		if (isset($postParams[$curSetting])) {
+			update_option( $curSetting, $postParams[ $curSetting ] );
+		} else {
+			update_option( $curSetting, '');
+		}
+    }
+}
\ No newline at end of file
diff --git a/modules/PasswordStrength/includes/password_strength_rules.php b/modules/PasswordStrength/includes/password_strength_rules.php
new file mode 100644
index 0000000..f696867
--- /dev/null
+++ b/modules/PasswordStrength/includes/password_strength_rules.php
@@ -0,0 +1,10 @@
+<?php
+function kompass_get_minimal_password_strength() {
+    $minPasswordStrength = get_option('kompass_password_minimal_strength', 1);
+
+    $possibleStrengths = ['1' => 'short, bad, good, strong',
+                         '2' => 'good, strong',
+                        '3' => 'strong'];
+
+    return ' ' . $possibleStrengths[$minPasswordStrength];
+}
\ No newline at end of file