From 3983108048fa3188e1c9fa6567a8cee0868f71e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20G=C3=BCnther?= Date: Thu, 31 Oct 2024 12:35:46 +0100 Subject: [PATCH] Moved Hide Login to WPS Hide Login Moved IP restrictions to Protect Login --- bdp-kompass.php | 26 +- includes/action_caller.php | 17 +- includes/setup.php | 7 - .../Controllers/LoginHandler.php | 281 ------------------ .../Controllers/OptionsPage.php | 193 ------------ .../LimitLoginAttempts/Views/tab-control.php | 18 -- .../includes/block-and-allow-list-form.php | 65 ---- .../includes/gui_elements.php | 102 ------- .../includes/validators.php | 60 ---- .../includes/password_strength_rules.php | 10 - modules/security/classes/Security.class.php | 25 +- modules/security/includes/settings_writer.php | 6 - 12 files changed, 22 insertions(+), 788 deletions(-) delete mode 100644 modules/LimitLoginAttempts/Controllers/LoginHandler.php delete mode 100644 modules/LimitLoginAttempts/Controllers/OptionsPage.php delete mode 100644 modules/LimitLoginAttempts/Views/tab-control.php delete mode 100644 modules/LimitLoginAttempts/includes/block-and-allow-list-form.php delete mode 100644 modules/LimitLoginAttempts/includes/gui_elements.php delete mode 100644 modules/LimitLoginAttempts/includes/validators.php delete mode 100644 modules/PasswordStrength/includes/password_strength_rules.php diff --git a/bdp-kompass.php b/bdp-kompass.php index 310b9ed..6a57dc2 100644 --- a/bdp-kompass.php +++ b/bdp-kompass.php @@ -12,14 +12,13 @@ * Text Domain: bdp-kompass */ -use Bdp\Libs\WpConfigEditor; use Bdp\Modules\EventParticipants\Controllers\MainController as EventsMain; use Bdp\Modules\KompassSettings\Controllers\SettingsPage as KomnpassSettings; -use Bdp\Modules\LimitLoginAttempts\Controllers\OptionsPage as OptionsPageAlias; use Bdp\Modules\Mail\Controllers\MailController; use Bdp\Modules\Mail\Controllers\MailSettingsController; use Bdp\Modules\Security\Security; use Bdp\Modules\Seo\Seo; +use ProtectLogin\Modules\LimitLoginAttempts\Controllers\LoginHandler; require_once dirname(__FILE__) . '/includes/setup.php'; @@ -33,7 +32,19 @@ function bdp_plugin_init() { Security::ProhibitBots(); Security::SetPageFilters(); -# WpConfigEditor::updateConfig('DISABLE_WP_CRON', true); + if ( !file_exists( dirname( BDP_LV_STARTUP_FILE ) . '/../protect-login/protect-login.php' ) ) { + $allowed_ips = get_option('kompass_limit_login_allowlist', []); + $blocked_ips = get_option('kompass_limit_login_blocklist', []); + $lockouts = get_option('protect_login_limit_login_lockouts', []); + + kompass_install_plugin('https://downloads.wordpress.org/plugin/protect-login.latest-stable.zip', 'protect-login'); + + update_option('protect_login_limit_login_blocklist', $blocked_ips); + update_option('protect_login_limit_login_allowlist', $allowed_ips); + foreach ($lockouts as $address => $duration) { + LoginHandler::lockout($address); + } + } if (null == get_option('kompass_already_installed', null)) { Seo::setup(); @@ -47,13 +58,9 @@ function bdp_plugin_init() { add_action('admin_menu', function () { bdp_kompass_load_plugin_textdomain(); - new OptionsPageAlias(); new KomnpassSettings(); new EventsMain(); new MailController(); - - - }); add_action('wp_ajax_bdp_kompass_show_ajax', 'bdp_kompass_load_ajax_content'); add_action('wp_ajax_nopriv_bdp_kompass_show_ajax', 'bdp_kompass_load_ajax_content'); @@ -72,11 +79,6 @@ function register_custom_theme_directory() { function enqueue_custom_password_js() { wp_enqueue_script( 'kompass-ajax', BDP_LV_PLUGIN_URL . '/assets/ajax.js'); wp_enqueue_script( 'searchable-table', BDP_LV_PLUGIN_URL . '/assets/searchtable.js'); - wp_enqueue_script( 'custom-password-js', BDP_LV_PLUGIN_URL . 'assets/password.js'); - wp_localize_script( 'custom-password-js', 'php_vars', [ - 'allowed_strengths' => kompass_get_minimal_password_strength(), - 'password_too_short_text' => 'Dass Passwort entspricht nicht den Anforderungen.' - ]); } diff --git a/includes/action_caller.php b/includes/action_caller.php index e50a837..bfdbd7b 100644 --- a/includes/action_caller.php +++ b/includes/action_caller.php @@ -1,26 +1,11 @@ handleCookies(); - add_action('auth_cookie_bad_username', [$loginHandler, 'checkFailedCookies']); - add_action('auth_cookie_valid', [$loginHandler, 'onValidCookie'], 10, 2); -} - -if (isset($_POST['save_kompass_balist_list_type'])) { - updateBlockOrAllowList($_POST); -} - function add_custom_admin_bar_item() { + return; global $wp_admin_bar; // Überprüfen, ob der Benutzer die erforderliche Berechtigung hat diff --git a/includes/setup.php b/includes/setup.php index 0e4f4c0..bfa2a1f 100644 --- a/includes/setup.php +++ b/includes/setup.php @@ -1,9 +1,4 @@ isLoginAllowedFromIp() ) { - return $user; - } - - global $limit_login_my_error_shown; - $limit_login_my_error_shown = true; - - $error = new \WP_Error(); - // This error should be the same as in "shake it" filter below - $error->add('too_many_retries', $this->composeErrorMessage()); - return $error; - } - - public function onFailedLogin(string $username) { - $ip = $this->getAddress(); - - /* if currently locked-out, do not add to retries */ - $lockouts = get_option('protect_login_limit_login_lockouts', []); - - if(isset($lockouts[$ip]) && time() < $lockouts[$ip]) { - return; - } - - /* Get the arrays with retries and retries-valid information */ - $retries = get_option('kompass_limit_login_retries', []); - $valid = get_option('kompass_limit_login_retries_valid', []); - - /* Check validity and add one to retries */ - if (isset($retries[$ip])) { //} && isset($valid[$ip]) && time() < $valid[$ip]) { - $retries[$ip] ++; - } else { - $retries[$ip] = 1; - } - - update_option('kompass_limit_login_retries', $retries); - - /* lockout? */ - if($retries[$ip] % get_option('kompass_limit_login_allowed_retries', 0) != 0) { - return; - } - - - $retries_long = get_option('kompass_limit_login_allowed_retries', 1) - * get_option('kompass_limit_login_allowed_lockouts', 1); - - if ($retries[$ip] >= $retries_long) { - $lockouts[$ip] = time() + get_option('kompass_limit_login_long_duration', 86400); - - } else { - $lockouts[$ip] = time() + get_option('kompass_limit_login_lockout_duration', 900); - } - - update_option('kompass_limit_login_lockouts', $lockouts); - - - /* do any notification */ - $this->notify($username); - - } - - private function notifyByEmail($user) - { - $ip = $this->getAddress(); - - $lockouts = get_option('kompass_limit_login_lockouts', []); - if (!isset($lockouts[$ip])) { - return; - } - - $blocked_until = $lockouts[$ip]; - - $retries = get_option('kompass_limit_login_retries', []); - $currentRetries = $retries[$ip]; - - $notify_after = get_option('kompass_limit_login_notify_email_after', 1); - if ($currentRetries % $notify_after !== 0) { - return; - } - - $blogname = get_option('blogname', 'none'); - - $subject = sprintf(__("[%s] Too many failed login attempts" - , 'limit-login-attempts') - , $blogname); - - $message = 'Neue Sperrung auf deiner Webseite: ' . PHP_EOL . - 'IP-Adresse: ' . $ip . PHP_EOL . - 'Gesperrt bis: ' . date('d.m.Y H:i', $blocked_until); - - $admin_email = get_option('admin_email'); - wp_mail($admin_email, $subject, $message); - } - - - /* Handle notification in event of lockout */ - private function notify($user) { - $args = get_option('kompass_limit_login_lockout_notify', []); - if (!is_array($args)) { - $args = [$args]; - } - foreach ($args as $mode) { - switch (trim($mode)) { - case 'email': - $this->notifyByEmail($user); - break; - } - } - } - private function composeErrorMessage() { - $ip = $this->getAddress(); - $lockouts = get_option('protect_login_limit_login_lockouts'); - - $msg = __('Too many failed login attempts.', BDP_LV_PLUGIN_SLUG) . ' '; - - if (!is_array($lockouts) || !isset($lockouts[$ip]) || time() >= $lockouts[$ip]) { - /* Huh? No timeout active? */ - $msg .= __('Please try again later.', BDP_LV_PLUGIN_SLUG); - return $msg; - } - - $when = ceil(($lockouts[$ip] - time()) / 60); - if ($when > 60) { - $when = ceil($when / 60); - $msg .= sprintf(_n('Please try again in %d hour.', 'Please try again in %d hours.', $when, BDP_LV_PLUGIN_SLUG), $when); - } else { - $msg .= sprintf(_n('Please try again in %d minute.', 'Please try again in %d minutes.', $when, BDP_LV_PLUGIN_SLUG), $when); - } - - return $msg; - } - - private static function getAddress($typeName = '') { - global $limitLoginAttemptsSettings; - - $typeOriginal = $typeName; - if (empty($typeName)) { - $typeName = get_option('kompass_limit_loginclient_type', self::DIRECT_ADDR); - } - - if (isset($_SERVER[$typeName]) && filter_var($_SERVER[$typeName], FILTER_VALIDATE_IP)) { - return $_SERVER[$typeName]; - } - - /* - * Not found. Did we get proxy type from option? - * If so, try to fall back to direct address. - */ - if ( empty($typeName) && $typeOriginal == self::PROXY_ADDR - && isset($_SERVER[self::DIRECT_ADDR]) - && filter_var($_SERVER[self::DIRECT_ADDR], FILTER_VALIDATE_IP)) { - - /* - * NOTE: Even though we fall back to direct address -- meaning you - * can get a mostly working plugin when set to PROXY mode while in - * fact directly connected to Internet it is not safe! - * - * Client can itself send HTTP_X_FORWARDED_FOR header fooling us - * regarding which IP should be banned. - */ - - return $_SERVER[self::DIRECT_ADDR]; - } - - return ''; - - } - - public function isLoginAllowedFromIp() { - $ip = $this->getAddress(); - - if (in_array($ip, get_option('kompass_limit_login_blocklist', []))) { - return false; - } - - if (in_array($ip, get_option('kompass_limit_login_allowlist', []))) { - return true; - } - - /* lockout active? */ - $lockouts = get_option('kompass_limit_login_lockouts', []); - return (!is_array($lockouts) || !isset($lockouts[$ip]) || time() >= $lockouts[$ip]); - } - - public function checkFailedCookies($cookie_elements) { - $this->clearAuthCookie(); - - /* - * Invalid username gets counted every time. - */ - - $this->onFailedLogin($cookie_elements['username']); - } - - private function clearAuthCookie() { - wp_clear_auth_cookie(); - - if (!empty($_COOKIE[AUTH_COOKIE])) { - $_COOKIE[AUTH_COOKIE] = ''; - } - if (!empty($_COOKIE[SECURE_AUTH_COOKIE])) { - $_COOKIE[SECURE_AUTH_COOKIE] = ''; - } - if (!empty($_COOKIE[LOGGED_IN_COOKIE])) { - $_COOKIE[LOGGED_IN_COOKIE] = ''; - } - } - - public function onValidCookie($cookie_elements, $user) { - /* - * As all meta values get cached on user load this should not require - * any extra work for the common case of no stored value. - */ - - if (get_user_meta($user->ID, 'kompass_limit_login_previous_cookie')) { - delete_user_meta($user->ID, 'kompass_limit_login_previous_cookie'); - } - } - - function clearLoginCookie($cookie_elements) { - $this->clearAuthCookie(); - - /* - * Under some conditions an invalid auth cookie will be used multiple - * times, which results in multiple failed attempts from that one - * cookie. - * - * Unfortunately I've not been able to replicate this consistently and - * thus have not been able to make sure what the exact cause is. - * - * Probably it is because a reload of for example the admin dashboard - * might result in multiple requests from the browser before the invalid - * cookie can be cleard. - * - * Handle this by only counting the first attempt when the exact same - * cookie is attempted for a user. - */ - - extract($cookie_elements, EXTR_OVERWRITE); - - // Check if cookie is for a valid user - $user = get_user_by('login', $username); - if (!$user) { - // "shouldn't happen" for this action - $this->onFailedLogin($username); - return; - } - - $previous_cookie = get_user_meta($user->ID, 'kompass_limit_login_previous_cookie', true); - if ($previous_cookie && $previous_cookie == $cookie_elements) { - // Identical cookies, ignore this attempt - return; - } - - // Store cookie - if ($previous_cookie) - update_user_meta($user->ID, 'kompass_limit_login_previous_cookie', $cookie_elements); - else - add_user_meta($user->ID, 'kompass_limit_login_previous_cookie', $cookie_elements, true); - - $this->onFailedLogin($username); - } - - public function handleCookies() { - if ($this->isLoginAllowedFromIp()) { - return; - } - - $this->clearAuthCookie(); - } -} \ No newline at end of file diff --git a/modules/LimitLoginAttempts/Controllers/OptionsPage.php b/modules/LimitLoginAttempts/Controllers/OptionsPage.php deleted file mode 100644 index 73e5e3e..0000000 --- a/modules/LimitLoginAttempts/Controllers/OptionsPage.php +++ /dev/null @@ -1,193 +0,0 @@ - $blockedUntil) { - $ips .= '' . - '' . $ip . ''; - if (in_array($ip, get_option('protect_login_limit_login_blocklist', []))) { - $ips .= 'Dauerhaft blockiert' . - '' . - 'Keine Aktion möglich' . - ''; - } else { - $ips .= '' . date('d.m.Y', $blockedUntil) . '
' . date('H:i', $blockedUntil) . ' Uhr' . - ' - ' . __('Release ip address', BDP_LV_PLUGIN_SLUG) . '
- ' . __('Add ip address to blocklist', BDP_LV_PLUGIN_SLUG) . '
- ' . __('Add ip address to allowlist and release', BDP_LV_PLUGIN_SLUG) . '
' . - ''; - }; - } - return $ips; - } - - public function limit_login_option_page() { - global $errors; - bdp_kompass_load_plugin_textdomain(); - $showMessage = null; - - if (isset($_POST['update_options'])) { - update_settings($_POST); - $showMessage = __('The settings were saved.', BDP_LV_PLUGIN_SLUG); - } - if (isset($_GET['action']) && $_GET['action'] == 'release') { - $showMessage = __('The ip address was released.', BDP_LV_PLUGIN_SLUG); - } - - if(isset($_POST['save_kompass_balist_list_type'])) { - $showMessage = __('The list was saved.', BDP_LV_PLUGIN_SLUG); - } - - if (null !== $showMessage && $errors === false) { - echo '
'; - echo $showMessage; - echo '
'; - } - - if ($errors) { - echo '
'; - echo __('An error occured.', BDP_LV_PLUGIN_SLUG); - echo '
'; - } - - $tab = isset($_GET['tab']) ? $_GET['tab'] : 'tab1'; - - if (isset($_GET['action']) && $_GET['action'] == 'removeFromList') { - $this->removeFromList($_GET['list'], base64_decode($_GET['ip'])); - if ($_GET['list'] == 'blocklist') { - $tab = 'tab2'; - } else { - $tab = 'tab3'; - } - } - bdp_kompass_load_plugin_textdomain(); - - ?> - -
-

- -

-
- - -
- '; - do_settings_sections(BDP_LV_PLUGIN_SLUG . '-limit-login-attempts'); - submit_button(); - echo ''; - break; - case 'tab2': - echo '

Blocklist

'; - echo '
'; - kompass_print_block_allow_form('blocklist'); - submit_button(); - echo '
'; - break; - case 'tab3': - echo '

Allowlist

'; - echo '
'; - kompass_print_block_allow_form('allowlist'); - submit_button(); - echo '
'; - break; - case 'tab4': - if (isset($_GET['action']) && $_GET['action'] == 'release') { - $this->releaseIp(base64_decode($_GET['ip'])); - } - - if (isset($_GET['action']) && $_GET['action'] == 'toBlock') { - $this->addToBlocklist(base64_decode($_GET['ip'])); - } - - if (isset($_GET['action']) && $_GET['action'] == 'toAllow') { - $this->addToAllowlist(base64_decode($_GET['ip'])); - } - $blockedIps = $this->getBlockedIps(); - echo '

'. __('Blocked IP addresses', BDP_LV_PLUGIN_SLUG) .'

'; - - if (strlen($blockedIps) == 0) { - echo '
'; - echo __('There are no ip addresses blocked.', BDP_LV_PLUGIN_SLUG); - echo '
'; - } else { ?> -

- -

- - - - - - - - - - - - -
- -
-
- '. - '' . - __('Options', BDP_LV_PLUGIN_SLUG) . - ''. - '' . - __('Blocklist', BDP_LV_PLUGIN_SLUG) . - ''. - '' . - __('Allowlist', BDP_LV_PLUGIN_SLUG) . - ''. - '' . - __('Blocked IP addresses', BDP_LV_PLUGIN_SLUG) . - ''; - } \ No newline at end of file diff --git a/modules/LimitLoginAttempts/includes/block-and-allow-list-form.php b/modules/LimitLoginAttempts/includes/block-and-allow-list-form.php deleted file mode 100644 index 87b827d..0000000 --- a/modules/LimitLoginAttempts/includes/block-and-allow-list-form.php +++ /dev/null @@ -1,65 +0,0 @@ - - - -

- -

- - - - - - - - - '; - echo ''; - echo ''; - echo ''; - } - ?> - -
' . $currentIp .'' - . __('Delete', BDP_LV_PLUGIN_SLUG) . '
- - - -
-

-

- -

-
- 'kompass_limit_login_allowed_retries']); - -add_settings_field( - 'kompass_lla_2', - __('Duration of lockout (in minutes)', BDP_LV_PLUGIN_SLUG), - 'kompass_print_textbox', - $settings_page, - 'custom_settings_section', - ['setting' => 'kompass_limit_login_lockout_duration', 'unit_division' => 60 ]); - -add_settings_field( - 'kompass_lla_3', - __('Maximum number of lockouts', BDP_LV_PLUGIN_SLUG), - 'kompass_print_textbox', - $settings_page, - 'custom_settings_section', - ['setting' => 'kompass_limit_login_allowed_lockouts']); - -add_settings_field( - 'kompass_lla_4', - __('Long-term duration (in hours)', BDP_LV_PLUGIN_SLUG), - 'kompass_print_textbox', - $settings_page, - 'custom_settings_section', - ['setting' => 'kompass_limit_login_long_duration', 'unit_division' => 3600]); - -add_settings_field( - 'kompass_lla_5', - __('Minimum password strength', BDP_LV_PLUGIN_SLUG), - '_kompass_limit_logins_settings_radio_callback', - $settings_page, - 'custom_settings_section', - ['setting' => 'kompass_password_minimal_strength']); - -add_settings_field( - 'kompass_lla_6', - __('Page accessible via', BDP_LV_PLUGIN_SLUG), - '_kompass_limit_logins_settings_radio_callback', - $settings_page, - 'custom_settings_section', - ['setting' => 'kompass_limit_login_client_type']); - -add_settings_field( - 'kompass_lla_7', - __('Handle cookies', BDP_LV_PLUGIN_SLUG), - '_kompass_limit_logins_settings_radio_callback', - $settings_page, - 'custom_settings_section', - ['setting' => 'kompass_limit_login_cookies']); - -add_settings_field( - 'kompass_lla_8', - __('Notify if blocked', BDP_LV_PLUGIN_SLUG), - '_kompass_limit_logins_settings_checkbox_callback', - $settings_page, - 'custom_settings_section', - ['setting' => 'kompass_limit_login_lockout_notify']); - -add_settings_field( - 'kompass_lla_9', - __('Failed attempts until notification', BDP_LV_PLUGIN_SLUG), - 'kompass_print_textbox', - $settings_page, - 'custom_settings_section', - ['setting' => 'kompass_limit_login_notify_email_after']); - diff --git a/modules/LimitLoginAttempts/includes/validators.php b/modules/LimitLoginAttempts/includes/validators.php deleted file mode 100644 index 5b7d7fe..0000000 --- a/modules/LimitLoginAttempts/includes/validators.php +++ /dev/null @@ -1,60 +0,0 @@ - 'short, bad, good, strong', - '2' => 'good, strong', - '3' => 'strong']; - - return ' ' . $possibleStrengths[$minPasswordStrength]; -} \ No newline at end of file diff --git a/modules/security/classes/Security.class.php b/modules/security/classes/Security.class.php index f86d810..134971e 100644 --- a/modules/security/classes/Security.class.php +++ b/modules/security/classes/Security.class.php @@ -11,7 +11,6 @@ class Security public const delete_plugins = [ 'akismet/akismet.php', 'hello.php', - 'wps-hide-login/wps-hide-login.php', 'limit-login-attempts-reloaded' ]; @@ -23,10 +22,6 @@ class Security self::installSecurityPlugin($pluginSlug, $pluginData['downloadUrl']); } } - $loginUrl = get_option('kompass_sec_rewrite_login', null); - if (null == $loginUrl) { - $loginUrl = get_option('whl_page', null) ?? 'bdp-login'; - } enable_option_disable_xmlrpc(); enable_option_block_authorscan(); @@ -38,7 +33,7 @@ class Security enable_option_prohibit_bot_access(); enable_option_block_directory_listing(); self::resetLimitLoginAttempts(); - delete_option('whl_page'); + } @@ -83,26 +78,20 @@ class Security global $wp; add_action('template_redirect', [Security::class, 'protectAuthorScan']); - - if (null !== is_login_rewritten()) { - if (str_contains($_SERVER['REQUEST_URI'], 'wp-login.php?action=logout')) { - return; - } - - Security::protectLoginSecurity(); - } - - + Security::protectLoginSecurity(); } public static function protectLoginSecurity() { $hideLogin = is_login_rewritten(); - if (null === $hideLogin) { return; } + update_option('whl_page', get_option(get_option('kompass_sec_rewrite_login', null))); + delete_option('kompass_sec_rewrite_login'); + kompass_install_plugin( 'https://downloads.wordpress.org/plugin/wps-hide-login.1.9.17.1.zip', 'wps-hide-login' ); - if ( str_contains( $_SERVER['REQUEST_URI'], 'wp-login.php' ) && ! isset( $_POST['redirect_to'] ) && $_POST['redirect_to'] !== 'interner-bereich' ) { + + if ( str_contains( $_SERVER['REQUEST_URI'], 'wp-login.php' ) && ! isset( $_POST['redirect_to'] ) && $_POST['redirect_to'] !== 'interner-bereich' ) { wp_redirect( home_url() ); die(); } diff --git a/modules/security/includes/settings_writer.php b/modules/security/includes/settings_writer.php index e06490f..c7bcfdb 100644 --- a/modules/security/includes/settings_writer.php +++ b/modules/security/includes/settings_writer.php @@ -86,12 +86,6 @@ function disable_option_disable_wp_debug() { WpConfigEditor::updateConfig('WP_DEBUG', 'true'); } -function disable_option_rewrite_url() { - update_option('kompass_sec_rewrite_login', null); -} - - - function kompass_sec_save_settings($settings) { $allPossibleSettings = [ 'option_disable_xmlrpc',