function block_ip() { $IP = trim($_POST['IP']); $perm = $_POST['perm'] == '1' ? true : false; if (!preg_match('/^\\d+\\.\\d+\\.\\d+\\.\\d+$/', $IP)) { return array('err' => 1, 'errorMsg' => 'Please enter a valid IP address to block.'); } if (wfUtils::getIP() === $IP) { return array('err' => 1, 'errorMsg' => "You can't block your own IP address."); } if (self::getLog()->isWhitelisted($IP)) { return array('err' => 1, 'errorMsg' => 'The IP address ' . htmlentities($IP) . " is whitelisted and can't be blocked or it is in a range of internal IP addresses that Wordfence does not block. You can remove this IP from the whitelist on the Wordfence options page."); } if (wfConfig::get('neverBlockBG') !== 'treatAsOtherCrawlers') { //Either neverBlockVerified or neverBlockUA is selected which means the user doesn't want to block google if (wfCrawl::verifyCrawlerPTR('/googlebot\\.com$/i', $IP)) { return array('err' => 1, 'errorMsg' => "The IP address you're trying to block belongs to Google. Your options are currently set to not block these crawlers. Change this in Wordfence options if you want to manually block Google."); } } self::getLog()->blockIP($IP, $_POST['reason'], false, $perm); return array('ok' => 1); }
public static function syncAttackData($exit = true) { global $wpdb; $waf = wfWAF::getInstance(); $lastAttackMicroseconds = $wpdb->get_var("SELECT MAX(attackLogTime) FROM {$wpdb->base_prefix}wfHits"); if ($waf->getStorageEngine()->hasNewerAttackData($lastAttackMicroseconds)) { $attackData = $waf->getStorageEngine()->getNewestAttackDataArray($lastAttackMicroseconds); if ($attackData) { foreach ($attackData as $request) { if (count($request) !== 9) { continue; } list($logTimeMicroseconds, $requestTime, $ip, $learningMode, $paramKey, $paramValue, $failedRules, $ssl, $requestString) = $request; // Skip old entries and hits in learning mode, since they'll get picked up anyways. if ($logTimeMicroseconds <= $lastAttackMicroseconds || $learningMode) { continue; } $hit = new wfRequestModel(); $hit->attackLogTime = $logTimeMicroseconds; $hit->statusCode = 403; $hit->ctime = $requestTime; $hit->IP = wfUtils::inet_pton($ip); if (preg_match('/user\\-agent:(.*?)\\n/i', $requestString, $matches)) { $hit->UA = trim($matches[1]); $hit->isGoogle = wfCrawl::isGoogleCrawler($hit->UA); } if (preg_match('/Referer:(.*?)\\n/i', $requestString, $matches)) { $hit->referer = trim($matches[1]); } if (preg_match('/^[a-z]+\\s+(.*?)\\s+/i', $requestString, $uriMatches) && preg_match('/Host:(.*?)\\n/i', $requestString, $hostMatches)) { $hit->URL = 'http' . ($ssl ? 's' : '') . '://' . trim($hostMatches[1]) . trim($uriMatches[1]); } if (preg_match('/cookie:(.*?)\\n/i', $requestString, $matches)) { $hit->newVisit = strpos($matches[1], 'wfvt_' . crc32(site_url())) !== false ? 1 : 0; $hasVerifiedHumanCookie = strpos($matches[1], 'wordfence_verifiedHuman') !== false; if ($hasVerifiedHumanCookie && preg_match('/wordfence_verifiedHuman=(.*?);/', $matches[1], $cookieMatches)) { $hit->jsRun = (int) wp_verify_nonce($cookieMatches[1], 'wordfence_verifiedHuman' . $hit->UA . $ip); } $hasLoginCookie = strpos($matches[1], $ssl ? SECURE_AUTH_COOKIE : AUTH_COOKIE) !== false; if ($hasLoginCookie && preg_match('/' . ($ssl ? SECURE_AUTH_COOKIE : AUTH_COOKIE) . '=(.*?);/', $matches[1], $cookieMatches)) { $authCookie = rawurldecode($cookieMatches[1]); $authID = $ssl ? wp_validate_auth_cookie($authCookie, 'secure_auth') : wp_validate_auth_cookie($authCookie, 'auth'); if ($authID) { $hit->userID = $authID; } } } $path = '/'; if (preg_match('/^[A-Z]+ (.*?) HTTP\\/1\\.1/', $requestString, $matches)) { if (($pos = strpos($matches[1], '?')) !== false) { $path = substr($matches[1], 0, $pos); } else { $path = $matches[1]; } } $hit->action = 'blocked:waf'; /** @var wfWAFRule $rule */ $ruleIDs = explode('|', $failedRules); $actionData = array('learningMode' => $learningMode, 'failedRules' => $failedRules, 'paramKey' => $paramKey, 'paramValue' => $paramValue, 'path' => $path); if ($ruleIDs && $ruleIDs[0]) { $rule = $waf->getRule($ruleIDs[0]); if ($rule) { $hit->actionDescription = $rule->getDescription(); $actionData['category'] = $rule->getCategory(); $actionData['ssl'] = $ssl; $actionData['fullRequest'] = base64_encode($requestString); } } $hit->actionData = wfRequestModel::serializeActionData($actionData); $hit->save(); self::scheduleSendAttackData(); } } $waf->getStorageEngine()->truncateAttackData(); } update_site_option('wordfence_syncingAttackData', 0); update_site_option('wordfence_syncAttackDataAttempts', 0); if ($exit) { exit; } }
private function googleSafetyCheckOK() { //returns true if OK to block. Returns false if we must not block. $cacheKey = md5((isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '') . ' ' . wfUtils::getIP()); //Cache so we can call this multiple times in one request if (!isset(self::$gbSafeCache[$cacheKey])) { $nb = wfConfig::get('neverBlockBG'); if ($nb == 'treatAsOtherCrawlers') { self::$gbSafeCache[$cacheKey] = true; //OK to block because we're treating google like everyone else } else { if ($nb == 'neverBlockUA' || $nb == 'neverBlockVerified') { if (wfCrawl::isGoogleCrawler()) { //Check the UA using regex if ($nb == 'neverBlockVerified') { if (wfCrawl::verifyCrawlerPTR($this->googlePattern, wfUtils::getIP())) { //UA check passed, now verify using PTR if configured to self::$gbSafeCache[$cacheKey] = false; //This is a verified Google crawler, so no we can't block it } else { self::$gbSafeCache[$cacheKey] = true; //This is a crawler claiming to be Google but it did not verify } } else { //neverBlockUA self::$gbSafeCache[$cacheKey] = false; //User configured us to only do a UA check and this claims to be google so don't block } } else { self::$gbSafeCache[$cacheKey] = true; //This isn't a Google UA, so it's OK to block } } else { //error_log("Wordfence error: neverBlockBG option is not set."); self::$gbSafeCache[$cacheKey] = false; //Oops the config option is not set. This should never happen because it's set on install. So we return false to indicate it's not OK to block just for safety. } } } if (!isset(self::$gbSafeCache[$cacheKey])) { //error_log("Wordfence assertion fail in googleSafetyCheckOK: cached value is not set."); return false; //for safety } return self::$gbSafeCache[$cacheKey]; //return cached value }
public static function syncAttackData($exit = true) { global $wpdb; $waf = wfWAF::getInstance(); $lastAttackMicroseconds = $wpdb->get_var("SELECT MAX(attackLogTime) FROM {$wpdb->base_prefix}wfHits"); if ($waf->getStorageEngine()->hasNewerAttackData($lastAttackMicroseconds)) { $attackData = $waf->getStorageEngine()->getNewestAttackDataArray($lastAttackMicroseconds); if ($attackData) { foreach ($attackData as $request) { if (count($request) !== 9 && count($request) !== 10) { continue; } list($logTimeMicroseconds, $requestTime, $ip, $learningMode, $paramKey, $paramValue, $failedRules, $ssl, $requestString, $metadata) = $request; // Skip old entries and hits in learning mode, since they'll get picked up anyways. if ($logTimeMicroseconds <= $lastAttackMicroseconds || $learningMode) { continue; } $hit = new wfRequestModel(); $hit->attackLogTime = $logTimeMicroseconds; $hit->statusCode = 403; $hit->ctime = $requestTime; $hit->IP = wfUtils::inet_pton($ip); if (preg_match('/user\\-agent:(.*?)\\n/i', $requestString, $matches)) { $hit->UA = trim($matches[1]); $hit->isGoogle = wfCrawl::isGoogleCrawler($hit->UA); } if (preg_match('/Referer:(.*?)\\n/i', $requestString, $matches)) { $hit->referer = trim($matches[1]); } if (preg_match('/^[a-z]+\\s+(.*?)\\s+/i', $requestString, $uriMatches) && preg_match('/Host:(.*?)\\n/i', $requestString, $hostMatches)) { $hit->URL = 'http' . ($ssl ? 's' : '') . '://' . trim($hostMatches[1]) . trim($uriMatches[1]); } if (preg_match('/cookie:(.*?)\\n/i', $requestString, $matches)) { $hit->newVisit = strpos($matches[1], 'wfvt_' . crc32(site_url())) !== false ? 1 : 0; $hasVerifiedHumanCookie = strpos($matches[1], 'wordfence_verifiedHuman') !== false; if ($hasVerifiedHumanCookie && preg_match('/wordfence_verifiedHuman=(.*?);/', $matches[1], $cookieMatches)) { $hit->jsRun = (int) wp_verify_nonce($cookieMatches[1], 'wordfence_verifiedHuman' . $hit->UA . $ip); } $hasLoginCookie = strpos($matches[1], $ssl ? SECURE_AUTH_COOKIE : AUTH_COOKIE) !== false; if ($hasLoginCookie && preg_match('/' . ($ssl ? SECURE_AUTH_COOKIE : AUTH_COOKIE) . '=(.*?);/', $matches[1], $cookieMatches)) { $authCookie = rawurldecode($cookieMatches[1]); $authID = $ssl ? wp_validate_auth_cookie($authCookie, 'secure_auth') : wp_validate_auth_cookie($authCookie, 'auth'); if ($authID) { $hit->userID = $authID; } } } $path = '/'; if (preg_match('/^[A-Z]+ (.*?) HTTP\\/1\\.1/', $requestString, $matches)) { if (($pos = strpos($matches[1], '?')) !== false) { $path = substr($matches[1], 0, $pos); } else { $path = $matches[1]; } } $metadata = $metadata != null ? (array) $metadata : array(); if (isset($metadata['finalAction']) && $metadata['finalAction']) { // The request was blocked/redirected because of its IP based on the plugin's blocking settings. WAF blocks should be reported but not shown in live traffic with that as a reason. $action = $metadata['finalAction']['action']; $actionDescription = $action; if (class_exists('wfWAFIPBlocksController')) { if ($action == wfWAFIPBlocksController::WFWAF_BLOCK_UAREFIPRANGE) { $id = $metadata['finalAction']['id']; $wpdb->query($wpdb->prepare("UPDATE {$wpdb->base_prefix}wfBlocksAdv SET totalBlocked = totalBlocked + 1, lastBlocked = %d WHERE id = %d", $requestTime, $id)); wfActivityReport::logBlockedIP($ip); } else { if ($action == wfWAFIPBlocksController::WFWAF_BLOCK_COUNTRY_REDIR) { $actionDescription .= ' (' . wfConfig::get('cbl_redirURL') . ')'; wfConfig::inc('totalCountryBlocked'); wfActivityReport::logBlockedIP($ip); } else { if ($action == wfWAFIPBlocksController::WFWAF_BLOCK_COUNTRY) { wfConfig::inc('totalCountryBlocked'); wfActivityReport::logBlockedIP($ip); } else { if ($action == wfWAFIPBlocksController::WFWAF_BLOCK_WFSN) { wordfence::wfsnReportBlockedAttempt($ip, 'login'); } } } } } if (strlen($actionDescription) == 0) { $actionDescription = 'Blocked by Wordfence'; } if (empty($failedRules)) { // Just a plugin block $hit->action = 'blocked:wordfence'; if (class_exists('wfWAFIPBlocksController')) { if ($action == wfWAFIPBlocksController::WFWAF_BLOCK_WFSN) { $hit->action = 'blocked:wfsnrepeat'; } } $hit->actionDescription = $actionDescription; } else { if ($failedRules == 'logged') { $hit->action = 'logged:waf'; } else { // Blocked by the WAF but would've been blocked anyway by the plugin settings so that message takes priority $hit->action = 'blocked:waf-always'; $hit->actionDescription = $actionDescription; } } } else { if ($failedRules == 'logged') { $hit->action = 'logged:waf'; } else { $hit->action = 'blocked:waf'; } } /** @var wfWAFRule $rule */ $ruleIDs = explode('|', $failedRules); $actionData = array('learningMode' => $learningMode, 'failedRules' => $failedRules, 'paramKey' => $paramKey, 'paramValue' => $paramValue, 'path' => $path); if ($ruleIDs && $ruleIDs[0]) { $rule = $waf->getRule($ruleIDs[0]); if ($rule) { if ($hit->action == 'logged:waf' || $hit->action == 'blocked:waf') { $hit->actionDescription = $rule->getDescription(); } $actionData['category'] = $rule->getCategory(); $actionData['ssl'] = $ssl; $actionData['fullRequest'] = base64_encode($requestString); } else { if ($ruleIDs[0] == 'logged') { if ($hit->action == 'logged:waf' || $hit->action == 'blocked:waf') { $hit->actionDescription = 'Watched IP Traffic: ' . $ip; } $actionData['category'] = 'logged'; $actionData['ssl'] = $ssl; $actionData['fullRequest'] = base64_encode($requestString); } } } $hit->actionData = wfRequestModel::serializeActionData($actionData); $hit->save(); self::scheduleSendAttackData(); } } $waf->getStorageEngine()->truncateAttackData(); } update_site_option('wordfence_syncingAttackData', 0); update_site_option('wordfence_syncAttackDataAttempts', 0); update_site_option('wordfence_lastSyncAttackData', time()); if ($exit) { exit; } }
/** * @return array|null|object */ public function execute() { global $wpdb; $sql = $this->buildQuery(); $results = $wpdb->get_results($sql, ARRAY_A); $this->getWFLog()->processGetHitsResults('', $results); $verifyCrawlers = false; if ($this->filters !== null && count($this->filters->getFilters()) > 0) { $filters = $this->filters->getFilters(); foreach ($filters as $f) { if (strtolower($f->getParam()) == "isgoogle") { $verifyCrawlers = true; break; } } } foreach ($results as $key => &$row) { if ($row['isGoogle'] && $verifyCrawlers) { if (!wfCrawl::isVerifiedGoogleCrawler($row['IP'], $row['UA'])) { unset($results[$key]); //foreach copies $results and iterates on the copy, so it is safe to mutate $results within the loop continue; } } $row['actionData'] = (array) json_decode($row['actionData'], true); } return array_values($results); }
public static function ajax_blockIP_callback() { $IP = trim($_POST['IP']); $perm = isset($_POST['perm']) && $_POST['perm'] == '1' ? true : false; if (!wfUtils::isValidIP($IP)) { return array('err' => 1, 'errorMsg' => "Please enter a valid IP address to block."); } if ($IP == wfUtils::getIP()) { return array('err' => 1, 'errorMsg' => "You can't block your own IP address."); } if (self::getLog()->isWhitelisted($IP)) { return array('err' => 1, 'errorMsg' => "The IP address " . wp_kses($IP, array()) . " is whitelisted and can't be blocked or it is in a range of internal IP addresses that Wordfence does not block. You can remove this IP from the whitelist on the Wordfence options page."); } if (wfConfig::get('neverBlockBG') != 'treatAsOtherCrawlers') { //Either neverBlockVerified or neverBlockUA is selected which means the user doesn't want to block google if (wfCrawl::isVerifiedGoogleCrawler($IP)) { return array('err' => 1, 'errorMsg' => "The IP address you're trying to block belongs to Google. Your options are currently set to not block these crawlers. Change this in Wordfence options if you want to manually block Google."); } } self::getLog()->blockIP($IP, $_POST['reason'], false, $perm); return array('ok' => 1); }