Phase 6: AIOS security plugin with conservative login lockdown config (10 attempts)

2025-11-28 17:19:54 -06:00
parent 78a744ef06
commit abbd3502e8
430 changed files with 137111 additions and 7 deletions
@@ -0,0 +1,10 @@
+<?php
+/**
+ * Merged by Davide Giunchi, from plugin "Stop User Enumeration"
+ */
+
+if (!is_admin() && isset($_SERVER['REQUEST_URI'])) {
+	if (preg_match('/(wp-comments-post)/', sanitize_text_field(wp_unslash($_SERVER['REQUEST_URI']))) === 0 && !empty($_REQUEST['author'])) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- PCP warning. No nonce available.
+		wp_die(esc_html__('Accessing author info via link is forbidden', 'all-in-one-wp-security-and-firewall'), 403);
+	}
+}
@@ -0,0 +1,114 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+<head profile="http://gmpg.org/xfn/11">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+<title><?php bloginfo('name'); ?></title>
+<?php
+global $aio_wp_security;
+$display_form = true;
+//Make this page look like the WP login page
+wp_admin_css('login', true);
+wp_admin_css('colors-fresh', true);
+do_action('login_head');
+$login_header_url   = 'http://wordpress.org/';
+$login_header_title = __('Powered by WordPress', 'all-in-one-wp-security-and-firewall');
+?>
+</head>
+
+<body class="login login-action-login wp-core-ui aiowps-unlock-request">
+<div id="login">
+<h1><a href="<?php echo esc_url($login_header_url); ?>" title="<?php echo esc_attr($login_header_title); ?>"><?php bloginfo('name'); ?></a></h1>
+	
+<?php
+if (isset($_POST['aiowps_unlock_request'])) {
+	//This catches the $_POST from the "Request Unlock" button on the main WP login page
+	isset($_POST['aiowps-unlock-string-info']) ? ($unlock_encoded_info = strip_tags(trim($_POST['aiowps-unlock-string-info']))) : ($unlock_encoded_info = '');
+	$unlock_secret_string = $aio_wp_security->configs->get_value('aiowps_unlock_request_secret_key');
+	$unlock_temp_string = isset($_POST['aiowps-unlock-temp-string']) ? strip_tags($_POST['aiowps-unlock-temp-string']) : '';
+	$submitted_encoded_string = base64_encode($unlock_temp_string.$unlock_secret_string);
+	if ($submitted_encoded_string !== $unlock_encoded_info) {
+		//Someone somehow landed on this page directly without clicking the unlock button on login form
+		echo '<div id="login_error">'.__('ERROR: Unable to process your request!', 'all-in-one-wp-security-and-firewall').'</div>';
+		die();
+	} elseif ($display_form) {
+		echo display_unlock_form();
+	}
+} //End if block
+
+if (isset($_POST['aiowps_wp_submit_unlock_request'])) {
+	//This catches the $_POST when someone submits the form from our special unlock request page where visitor enters email address
+	$errors = '';
+
+	$email = trim($_POST['aiowps_unlock_request_email']);
+	if (empty($email) || !is_email($email)) {
+		$errors .= '<p>'.__('Please enter a valid email address', 'all-in-one-wp-security-and-firewall').'</p>';
+	}
+	
+	if ($errors) {
+		$display_form = true;
+		echo '<div id="login_error">'.$errors.'</div>';
+		$sanitized_email = sanitize_email($email);
+		echo display_unlock_form($sanitized_email);
+	} else {
+		$locked_user = get_user_by('email', $email);
+		if (!$locked_user) {
+			//user with this email does not exist in the system
+			$errors .= '<p>'.__('User account not found!', 'all-in-one-wp-security-and-firewall').'</p>';
+			echo '<div id="login_error">'.$errors.'</div>';
+		} else {
+			//Process unlock request
+			//Generate a special code and unlock url
+			$ip = AIOWPSecurity_Utility_IP::get_user_ip_address(); //Get the IP address of user
+			if (empty($ip)) {
+				$unlock_url = false;
+			} else {
+				$unlock_url = AIOWPSecurity_User_Login::generate_unlock_request_link($ip);
+			}
+
+			if (!$unlock_url) {
+				//No entry found in lockout table with this IP range
+				$error_msg = '<p>'.__('Error: No locked entry was found in the database with your IP address range.', 'all-in-one-wp-security-and-firewall').'</p>';
+				echo '<div id="login_error">'.$error_msg.'</div>';
+			} else {
+				//Send an email to the user
+				AIOWPSecurity_User_Login::send_unlock_request_email($email, $unlock_url);
+				echo '<p class="message">' . __('An email has been sent to you with the unlock instructions.', 'all-in-one-wp-security-and-firewall') . '</p>';
+			}
+		}
+		$display_form = false;
+	}
+}
+?>
+</div> <!-- end #login -->
+
+</body>
+</html>
+<?php
+
+function display_unlock_form($email = '') {
+	ob_start();
+	// Display the unlock request form
+	$unlock_form_msg
+		= '<p>' . __('You are here because you have been locked out due to too many incorrect login attempts.', 'all-in-one-wp-security-and-firewall') . '</p>'
+		. '<p>' . __('Please enter your email address and you will receive an email with instructions on how to unlock yourself.', 'all-in-one-wp-security-and-firewall') . '</p>';
+?>
+<div class="message"><?php echo $unlock_form_msg; ?></div>
+<form name="loginform" id="loginform" action="<?php echo wp_login_url(); ?>" method="post">
+	<?php
+	if (isset($_POST['aiowps-woo-login'])) {
+		echo '<input type="hidden" name="aiowps-woo-login" id="aiowps-woo-login" value="1" />';
+	}
+	?>
+	<p>
+		<label for="aiowps_unlock_request_email"><?php _e('Email Address', 'all-in-one-wp-security-and-firewall'); ?><br>
+		<input type="text" name="aiowps_unlock_request_email" id="aiowps_unlock_request_email" class="input" value="<?php echo $email; ?>" size="20"></label>
+	</p>
+		<p class="submit">
+			<input type="submit" name="aiowps_wp_submit_unlock_request" id="aiowps_wp_submit_unlock_request" class="button button-primary button-large" value="<?php esc_attr_e('Send unlock request', 'all-in-one-wp-security-and-firewall'); ?>">
+	</p>
+</form>
+<?php
+	$output = ob_get_contents();
+	ob_end_clean();
+	return $output;
+}
@@ -0,0 +1,31 @@
+<?php
+global $aio_wp_security;
+$aiowps_site_lockout_msg_raw = $aio_wp_security->configs->get_value('aiowps_site_lockout_msg');
+if (empty($aiowps_site_lockout_msg_raw)) {
+	$aiowps_site_lockout_msg_raw = '<p>This site is currently not available. Please try again later.</p>';
+}
+$maintenance_msg = html_entity_decode($aiowps_site_lockout_msg_raw, ENT_COMPAT, "UTF-8");
+$maintenance_msg = apply_filters('the_content', $maintenance_msg);
+?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+<head profile="http://gmpg.org/xfn/11">
+	<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+	<title><?php bloginfo('name'); ?></title>
+	<?php // phpcs:ignore WordPress.WP.EnqueuedResources.NonEnqueuedStylesheet -- Manual enqueue necessary. ?>
+	<link rel="stylesheet" type="text/css" href="<?php echo esc_url(AIO_WP_SECURITY_URL); ?>/css/wp-security-site-lockout-page.css" />
+	<?php wp_head(); ?>
+</head>
+
+<body>
+<div class="aiowps-site-lockout-body">
+	<div class="aiowps-site-lockout-body-content">
+		<div class="aiowps-site-lockout-box">
+				<div class="aiowps-site-lockout-msg">
+					<?php echo wp_kses_post($maintenance_msg); ?>
+				</div>
+		</div> <!-- end .aiowps-site-lockout-box -->
+	</div> <!-- end .aiowps-site-lockout-body-content -->
+</div> <!-- end .aiowps-site-lockout-body -->
+</body>
+</html>