 /**
  * Sanitize the Ban Users settings.
  *
  * Beyond the generic per-field sanitizers, every host in host_list is
  * rejected (can_save is cleared and an error recorded) when it would ban the
  * logged-in user's own address or when it overlaps the lockout whitelist.
  */
 protected function sanitize_settings()
 {
     $hosts_label = __('Ban Hosts', 'better-wp-security');

     $this->sanitize_setting('bool', 'default', __('Default Blacklist', 'better-wp-security'));
     $this->sanitize_setting('bool', 'enable_ban_lists', __('Ban Lists', 'better-wp-security'));
     $this->sanitize_setting('newline-separated-ips', 'host_list', $hosts_label);

     if (is_array($this->settings['host_list'])) {
         require_once ITSEC_Core::get_core_dir() . '/lib/class-itsec-lib-ip-tools.php';

         $visitor_ip = ITSEC_Lib::get_ip();
         $collides_with_whitelist = array();

         foreach ($this->settings['host_list'] as $entry) {
             // Refuse to ban the address the current (logged-in) user is connecting from.
             if (is_user_logged_in() && ITSEC_Lib_IP_Tools::intersect($visitor_ip, ITSEC_Lib_IP_Tools::ip_wild_to_ip_cidr($entry))) {
                 $this->set_can_save(false);
                 /* translators: 1: input name, 2: invalid host */
                 $this->add_error(sprintf(__('The following host in %1$s matches your current IP and cannot be banned: %2$s', 'better-wp-security'), $hosts_label, $entry));
             } elseif (ITSEC_Lib::is_ip_whitelisted($entry)) {
                 $collides_with_whitelist[] = $entry;
             }
         }

         if (count($collides_with_whitelist) > 0) {
             $this->set_can_save(false);
             /* translators: 1: input name, 2: invalid host list */
             $this->add_error(wp_sprintf(_n('The following IP in %1$s is whitelisted and cannot be banned: %2$l', 'The following IPs in %1$s are whitelisted and cannot be banned: %2$l', count($collides_with_whitelist), 'better-wp-security'), $hosts_label, $collides_with_whitelist));
         }
     }

     $this->sanitize_setting(array($this, 'sanitize_agent_list_entry'), 'agent_list', __('Ban User Agents', 'better-wp-security'));
 }
 /**
  * Determines whether a given IP address is whitelisted
  *
  * Every whitelist entry (single address, wildcard or CIDR block) is expanded
  * to a numeric range via ip_wild_to_mask()/cidr_to_range() and compared with
  * the range of the address under test; any overlap means "whitelisted".
  *
  * @param  string  $ip_to_check ip to check
  * @param  array   $white_ips   ip list to compare to if not yet saved to options
  * @param  boolean $current     whether to whitelist the current ip or not (due to saving, etc)
  *
  * @return boolean               true if whitelisted or false
  */
 public static function is_ip_whitelisted($ip_to_check, $white_ips = null, $current = false)
 {
     $ip_to_check = trim($ip_to_check);

     if (null === $white_ips) {
         $global_settings = get_site_option('itsec_global');
         $white_ips = isset($global_settings['lockout_white_list']) ? $global_settings['lockout_white_list'] : array();
     }

     if (true === $current) {
         // The visitor's own address counts as whitelisted for this check.
         $white_ips[] = ITSEC_Lib::get_ip();
     }

     // The subject range does not change per entry, so expand it once.
     $subject = ITSEC_Lib::cidr_to_range($ip_to_check);
     $subject_is_range = (count($subject) === 2);

     foreach ($white_ips as $entry) {
         $allowed = ITSEC_Lib::cidr_to_range(ITSEC_Lib::ip_wild_to_mask($entry));

         if (count($allowed) === 2) {
             // Entry is a range.
             $allowed_lo = ip2long($allowed[0]);
             $allowed_hi = ip2long($allowed[1]);

             if ($subject_is_range) {
                 $subject_lo = ip2long($subject[0]);
                 $subject_hi = ip2long($subject[1]);

                 // Overlap in any of the four arrangements: a bound of one range
                 // falls inside the other, or one range encloses the other.
                 $lo_in_allowed = $allowed_lo <= $subject_lo && $subject_lo <= $allowed_hi;
                 $hi_in_allowed = $allowed_lo <= $subject_hi && $subject_hi <= $allowed_hi;
                 $lo_in_subject = $subject_lo <= $allowed_lo && $allowed_lo <= $subject_hi;
                 $hi_in_subject = $subject_lo <= $allowed_hi && $allowed_hi <= $subject_hi;

                 if ($lo_in_allowed || $hi_in_allowed || $lo_in_subject || $hi_in_subject) {
                     return true;
                 }
             } else {
                 $single = ip2long($subject[0]);
                 if ($allowed_lo <= $single && $single <= $allowed_hi) {
                     return true;
                 }
             }

             continue;
         }

         // Entry is a single address.
         $allowed_single = ip2long($allowed[0]);

         if ($subject_is_range) {
             $subject_lo = ip2long($subject[0]);
             $subject_hi = ip2long($subject[1]);
             if ($subject_lo <= $allowed_single && $allowed_single <= $subject_hi) {
                 return true;
             }
         } elseif ($allowed_single == ip2long($subject[0])) {
             return true;
         }
     }

     return false;
 }
 /**
  * Run (or replay) the malware scan and log a freshly fetched result.
  *
  * A cached result is returned untouched; only a newly fetched result is
  * written to the log, attributed to the current user and IP.
  *
  * @return mixed whatever get_scan_results() produced
  */
 public static function scan()
 {
     global $itsec_logger;

     $results = self::get_scan_results();
     $served_from_cache = is_array($results) && !empty($results['cached']);

     if (!$served_from_cache) {
         $user = wp_get_current_user();
         $itsec_logger->log_event('malware', 3, $results, ITSEC_Lib::get_ip(), $user->user_login, $user->ID);
     }

     return $results;
 }
 /**
  * Execute away mode functionality
  *
  * When away mode is active the request is logged, the visitor is redirected
  * to the site URL, their auth cookie is cleared and the request ends so no
  * dashboard output follows the redirect.
  *
  * @return void
  */
 public function run_active_check()
 {
     global $itsec_logger;

     if (!self::is_active()) {
         return;
     }

     $itsec_logger->log_event('away_mode', 5, array(__('A host was prevented from accessing the dashboard due to away-mode restrictions being in effect', 'better-wp-security')), ITSEC_Lib::get_ip(), '', '', '', '');
     wp_redirect(get_option('siteurl'));
     wp_clear_auth_cookie();
     exit;
 }
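 /**
  * Determines whether a given IP address is whitelisted
  *
  * Every whitelist entry (single address, wildcard or CIDR block) is expanded
  * to a numeric range and compared with the range of the address under test.
  * Ranges are inclusive: the first and last address of a block belong to it,
  * so the comparisons use <= rather than <, and a range that fully encloses
  * the other is treated as an overlap as well.
  *
  * @param  string  $ip_to_check ip to check
  * @param  array   $white_ips   ip list to compare to if not yet saved to options
  * @param  boolean $current     whether to whitelist the current ip or not (due to saving, etc)
  *
  * @return boolean               true if whitelisted or false
  */
 public static function is_ip_whitelisted($ip_to_check, $white_ips = null, $current = false)
 {
     $ip_to_check = trim($ip_to_check);

     if ($white_ips === null) {
         $global_settings = get_site_option('itsec_global');
         $white_ips = isset($global_settings['lockout_white_list']) ? $global_settings['lockout_white_list'] : array();
     }

     if ($current === true) {
         //add current user ip to whitelist to check automatically
         $white_ips[] = ITSEC_Lib::get_ip();
     }

     if (!is_array($white_ips)) {
         return false;
     }

     // The subject range does not depend on the entry, so expand it once.
     $ip_range = ITSEC_Lib::cidr_to_range($ip_to_check);

     foreach ($white_ips as $white_ip) {
         $check_range = ITSEC_Lib::cidr_to_range(ITSEC_Lib::ip_wild_to_mask($white_ip));

         if (sizeof($check_range) === 2) {
             //range to check
             $check_min = ip2long($check_range[0]);
             $check_max = ip2long($check_range[1]);

             if (sizeof($ip_range) === 2) {
                 $ip_min = ip2long($ip_range[0]);
                 $ip_max = ip2long($ip_range[1]);
                 /**
                  * Checks cover the following scenarios (bounds inclusive):
                  *  - min-a, min-b, max-a, max-b : min-b is in a range and min-a is in b range
                  *  - min-b, min-a, max-b, max-a : max-b is in a range and max-a is in b range
                  *  - min-a, min-b, max-b, max-a : range b is encapsulated by range a
                  *  - min-b, min-a, max-a, max-b : range a is encapsulated by range b
                  * The previous strict (<) comparison excluded the range endpoints and
                  * never matched the two enclosure cases.
                  */
                 if (($check_min <= $ip_min && $ip_min <= $check_max) || ($check_min <= $ip_max && $ip_max <= $check_max) || ($ip_min <= $check_min && $check_min <= $ip_max) || ($ip_min <= $check_max && $check_max <= $ip_max)) {
                     return true;
                 }
             } else {
                 $ip = ip2long($ip_range[0]);
                 // Inclusive: the first/last address of a whitelisted block is whitelisted too.
                 if ($check_min <= $ip && $ip <= $check_max) {
                     return true;
                 }
             }
         } else {
             //single ip to check
             $check = ip2long($check_range[0]);

             if (sizeof($ip_range) === 2) {
                 $ip_min = ip2long($ip_range[0]);
                 $ip_max = ip2long($ip_range[1]);
                 if ($ip_min <= $check && $check <= $ip_max) {
                     return true;
                 }
             } elseif ($check === ip2long($ip_range[0])) {
                 // Strict identity so an unparsable entry (ip2long() === false) cannot
                 // loosely equal 0.0.0.0.
                 return true;
             }
         }
     }

     return false;
 }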
 /**
  * Sends to lockout class when login form isn't completely filled out
  *
  * Only acts on a submitted login form (wp-submit present) where either the
  * username or the password is empty: the attempt is checked against existing
  * lockouts, logged and counted as a brute_force attempt. The incoming
  * $user value is always passed through unchanged.
  *
  * @param object $user     user or wordpress error
  * @param string $username username attempted
  * @param string $password password attempted
  *
  * @return user object or WordPress error
  */
 public function execute_brute_force_no_password($user, $username = '', $password = '')
 {
     global $itsec_lockout, $itsec_logger;

     $form_submitted = isset($_POST['wp-submit']);
     $incomplete = (empty($username) || empty($password));

     if ($form_submitted && $incomplete) {
         $clean_username = sanitize_text_field($username);
         $user_id = username_exists($clean_username);

         if ($user_id === false || $user_id === NULL) {
             $itsec_lockout->check_lockout(false, $username);
         } else {
             $itsec_lockout->check_lockout($user_id);
         }

         $itsec_logger->log_event('brute_force', 5, array(), ITSEC_Lib::get_ip(), $clean_username, intval($user_id));
         $itsec_lockout->do_lockout('brute_force', $clean_username);
     }

     return $user;
 }
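 /**
  * If the page is a WordPress 404 error log it and register for lockout
  *
  * Requests for paths on the configured white list are ignored entirely.
  * Every other 404 is logged; it also counts toward a lockout unless the
  * requested file has an extension listed in settings['types'] (a missing or
  * invalid types list exempts every file that has an extension).
  *
  * @return void
  */
 public function check_404()
 {
     global $itsec_logger, $itsec_lockout;

     if (!is_404() || empty($_SERVER['REQUEST_URI'])) {
         return;
     }

     // Split path from query string once; a second "?" belongs to the query string.
     $uri = explode('?', $_SERVER['REQUEST_URI'], 2);

     // Strict comparison: the white list holds path strings, and a loose in_array()
     // would let numeric-looking paths match unrelated entries.
     if (!is_array($this->settings['white_list']) || in_array($uri[0], $this->settings['white_list'], true)) {
         // Invalid settings or white listed page.
         return;
     }

     $itsec_logger->log_event('four_oh_four', 3, array('query_string' => isset($uri[1]) ? esc_sql($uri[1]) : ''), ITSEC_Lib::get_ip(), '', '', esc_sql($uri[0]), isset($_SERVER['HTTP_REFERER']) ? esc_sql($_SERVER['HTTP_REFERER']) : '');

     $path_info = pathinfo($uri[0]);
     $has_extension = isset($path_info['extension']);
     $extension_exempt = $has_extension && (!is_array($this->settings['types']) || in_array('.' . $path_info['extension'], $this->settings['types'], true));

     if (!$extension_exempt) {
         $itsec_lockout->do_lockout('four_oh_four');
     }
 }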
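 /**
  * Sends to lockout class when login form isn't completely filled out
  *
  * Two independent checks run on every call:
  *  - with auto_ban_admin enabled, an attempt to log in as "admin" is
  *    recorded as a brute_force_admin_user lockout;
  *  - an XML-RPC request, or a login-form submission with an empty username
  *    or password, is checked against existing lockouts, logged and counted
  *    as a brute_force attempt.
  * The incoming $user value is always passed through unchanged.
  *
  * @param object $user     user or wordpress error
  * @param string $username username attempted
  * @param string $password password attempted
  *
  * @return user object or WordPress error
  */
 public function execute_brute_force_no_password($user, $username = '', $password = '')
 {
     global $itsec_lockout, $itsec_logger;

     $clean_username = sanitize_text_field($username);

     // WordPress resolves user_login case-insensitively, so "Admin" reaches the
     // same account as "admin"; compare case-folded so it cannot sidestep the ban.
     if (isset($this->settings['auto_ban_admin']) && $this->settings['auto_ban_admin'] === true && strtolower(trim($clean_username)) === 'admin') {
         $itsec_logger->log_event('brute_force', 5, array(), ITSEC_Lib::get_ip(), $clean_username);
         $itsec_lockout->do_lockout('brute_force_admin_user', $clean_username);
     }

     $is_xmlrpc = defined('XMLRPC_REQUEST') && XMLRPC_REQUEST === true;
     $incomplete_form = isset($_POST['wp-submit']) && (empty($username) || empty($password));

     // NOTE(review): every XML-RPC authentication reaching this filter is counted as
     // a brute-force attempt, not only incomplete ones; whether that is intended
     // depends on which hook this is attached to (not visible here).
     if ($is_xmlrpc || $incomplete_form) {
         $user_id = username_exists($clean_username);

         if ($user_id === false || $user_id === NULL) {
             $itsec_lockout->check_lockout(false, $username);
         } else {
             $itsec_lockout->check_lockout($user_id);
         }

         $itsec_logger->log_event('brute_force', 5, array(), ITSEC_Lib::get_ip(), $clean_username, intval($user_id));
         $itsec_lockout->do_lockout('brute_force', $clean_username);
     }

     return $user;
 }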
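 /**
  * If the page is a WordPress 404 error log it and register for lockout
  *
  * Does nothing unless the module is enabled and the request is a 404.
  * Requests for paths on the white list are ignored; every other 404 is
  * logged and counts toward a lockout unless the requested file has an
  * extension listed in settings['types'] (a missing or invalid types list
  * exempts every file that has an extension).
  *
  * @return void
  */
 public function check_404()
 {
     global $itsec_logger, $itsec_lockout;

     if ($this->settings['enabled'] !== true || !is_404() || empty($_SERVER['REQUEST_URI'])) {
         return;
     }

     // Split path from query string once; a second "?" belongs to the query string.
     $uri = explode('?', $_SERVER['REQUEST_URI'], 2);

     // Normalise the white list to an array of trimmed paths: the setting may still
     // be stored as newline-separated text, and textarea input carries "\r\n".
     if (isset($this->settings['white_list']) && !is_array($this->settings['white_list'])) {
         $this->settings['white_list'] = array_map('trim', explode(PHP_EOL, $this->settings['white_list']));
     } elseif (!isset($this->settings['white_list'])) {
         $this->settings['white_list'] = array();
     }

     // Strict comparison so numeric-looking paths cannot loosely match other entries.
     if (in_array($uri[0], $this->settings['white_list'], true)) {
         return;
     }

     $itsec_logger->log_event('four_oh_four', 3, array('query_string' => isset($uri[1]) ? esc_sql($uri[1]) : ''), ITSEC_Lib::get_ip(), '', '', esc_sql($uri[0]), isset($_SERVER['HTTP_REFERER']) ? esc_sql($_SERVER['HTTP_REFERER']) : '');

     $path_info = pathinfo($uri[0]);
     $has_extension = isset($path_info['extension']);
     $types = (isset($this->settings['types']) && is_array($this->settings['types'])) ? $this->settings['types'] : null;
     $extension_exempt = $has_extension && (null === $types || in_array('.' . $path_info['extension'], $types, true));

     if (!$extension_exempt) {
         $itsec_lockout->do_lockout('four_oh_four');
     }
 }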
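 /**
  * Execute brute force against xml_rpc login
  *
  * Runs on XML-RPC login failures. The username submitted with the request
  * is expected in $this->username (populated elsewhere in this class). With
  * auto_ban_admin enabled an attempt as "admin" triggers the
  * brute_force_admin_user lockout; any other failure is checked against
  * existing lockouts, logged and counted as a brute_force attempt.
  *
  * @Since 4.4
  *
  * @param mixed $error WordPress error
  *
  * @return mixed WordPress error
  */
 public function xmlrpc_login_error($error)
 {
     global $itsec_lockout, $itsec_logger;

     // Sanitize once; the raw value was previously written to the log as-is.
     $username = isset($this->username) ? sanitize_text_field($this->username) : '';

     // Same case-folded comparison as the login-form path: WordPress resolves
     // user_login case-insensitively, so "Admin" must not bypass the ban.
     if (isset($this->settings['auto_ban_admin']) && $this->settings['auto_ban_admin'] === true && strtolower(trim($username)) === 'admin') {
         $itsec_logger->log_event('brute_force', 5, array(), ITSEC_Lib::get_ip(), $username);
         $itsec_lockout->do_lockout('brute_force_admin_user', $username);
     } else {
         $user_id = username_exists($username);

         if ($user_id === false || $user_id === null) {
             $itsec_lockout->check_lockout(false, $username);
         } else {
             $itsec_lockout->check_lockout($user_id);
         }

         $itsec_logger->log_event('brute_force', 5, array(), ITSEC_Lib::get_ip(), $username, intval($user_id));
         $itsec_lockout->do_lockout('brute_force', $username);
     }

     return $error;
 }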
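 /**
  * Execute away mode functionality
  *
  * When check_away() reports away mode active, the request is logged, the
  * visitor is redirected to the site URL, their auth cookie is cleared and
  * the request is terminated.
  *
  * @return void
  */
 public function execute_away_mode()
 {
     global $itsec_logger;

     //execute lockout if applicable
     if ($this->check_away()) {
         $itsec_logger->log_event('away_mode', 5, array(__('A host was prevented from accessing the dashboard due to away-mode restrictions being in effect', 'it-l10n-ithemes-security-pro')), ITSEC_Lib::get_ip(), '', '', '', '');
         wp_redirect(get_option('siteurl'));
         wp_clear_auth_cookie();
         // wp_redirect() only sends the Location header. Without stopping here the
         // rest of the request (the dashboard page) still renders in this response,
         // so a client that ignores the redirect receives the protected content.
         exit;
     }
 }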
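?>
</h4>
	<ul>
		<?php // The visitor IP may come from a proxy header (get_ip()'s source is configurable),
		      // and the User-Agent is client-supplied: escape both for the context they land in. ?>
		<li><?php _e('Public IP Address', 'it-l10n-better-wp-security'); ?>: <strong><a target="_blank" rel="noopener noreferrer"
		                                                            title="<?php esc_attr_e('Get more information on this address', 'it-l10n-better-wp-security'); ?>"
		                                                            href="<?php echo esc_url('http://whois.domaintools.com/' . ITSEC_Lib::get_ip()); ?>"><?php echo esc_html(ITSEC_Lib::get_ip()); ?></a></strong>
		</li>
		<li><?php _e('User Agent', 'it-l10n-better-wp-security'); ?>:
			<?php // esc_html() replaces FILTER_SANITIZE_STRING, which is deprecated since PHP 8.1 and
			      // strips rather than encodes. ?>
			<strong><?php echo isset($_SERVER['HTTP_USER_AGENT']) ? esc_html($_SERVER['HTTP_USER_AGENT']) : ''; ?></strong></li>
	</ul>
</li>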

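	/**
	 * Validates the reCAPTCHA response submitted with the current request.
	 *
	 * A missing response, or one Google rejects, is logged and counted as a
	 * "recaptcha" lockout event.
	 *
	 * @since 1.13
	 *
	 * @return int  1 when Google verified the response;
	 *              0 when Google rejected it;
	 *             -1 when no response was submitted;
	 *             -2 when the module is not configured or verification could not be performed.
	 */
	public static function validate_captcha() {

		global $itsec_lockout, $itsec_logger;

		$settings = get_site_option( 'itsec_recaptcha' );

		// Both keys are needed to verify; without them the outcome is "could not validate", not a pass.
		if ( ! isset( $settings['site_key'] ) || ! isset( $settings['secret_key'] ) ) {
			return - 2;
		}

		if ( ! isset( $_POST['g-recaptcha-response'] ) || empty( $_POST['g-recaptcha-response'] ) ) {

			$itsec_logger->log_event(
				'recaptcha',
				5,
				array(),
				ITSEC_Lib::get_ip(),
				'',
				'',
				esc_sql( $_SERVER['REQUEST_URI'] ),
				isset( $_SERVER['HTTP_REFERER'] ) ? esc_sql( $_SERVER['HTTP_REFERER'] ) : ''
			);

			$itsec_lockout->do_lockout( 'recaptcha' );

			return - 1; //captcha form not submitted

		}

		// POST the verification so the secret key travels in the request body rather than
		// in a URL that proxies and access logs may record. The token is a plain string,
		// not HTML, so it is sanitized as text instead of attribute-escaped.
		$response = wp_remote_post(
			'https://www.google.com/recaptcha/api/siteverify',
			array(
				'body' => array(
					'secret'   => $settings['secret_key'],
					'response' => sanitize_text_field( wp_unslash( $_POST['g-recaptcha-response'] ) ),
					'remoteip' => ITSEC_Lib::get_ip(),
				),
			)
		);

		// A transport error or a non-200 reply is indeterminate, the same as the original
		// WP_Error path; it is neither a pass nor a reason to lock the visitor out.
		if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
			return - 2; //captcha couldn't be validated
		}

		$status = json_decode( wp_remote_retrieve_body( $response ) );

		// siteverify always returns a "success" member, false on failure, so its mere
		// presence proves nothing: only a boolean true counts as a solved captcha.
		if ( is_object( $status ) && isset( $status->success ) && true === $status->success ) {
			return 1; //captcha validated successfully
		}

		$itsec_logger->log_event(
			'recaptcha',
			5,
			array(),
			ITSEC_Lib::get_ip(),
			'',
			'',
			esc_sql( $_SERVER['REQUEST_URI'] ),
			isset( $_SERVER['HTTP_REFERER'] ) ? esc_sql( $_SERVER['HTTP_REFERER'] ) : ''
		);

		$itsec_lockout->do_lockout( 'recaptcha' );

		return 0; //incorrect captcha entered

	}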
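 /**
  * Process ajax request to set temp whitelist
  *
  * Whitelists the requesting IP for 24 hours unless an unexpired temporary
  * entry already exists. Requires a valid nonce and the manage_options
  * capability. Terminates the request with "error" when an entry is still
  * active, otherwise with a JSON payload describing the new entry.
  *
  * @since 4.3
  *
  * @return void
  */
 public function itsec_temp_whitelist_ajax()
 {
     global $itsec_globals;

     if (!isset($_POST['nonce']) || !wp_verify_nonce(sanitize_text_field($_POST['nonce']), 'itsec_temp_whitelist_nonce')) {
         die;
     }

     // A nonce only proves the request came from a page that printed it; it is not an
     // authorization check, and admin-ajax.php is reachable by any logged-in user.
     // Exempting an address from lockouts is an admin action, so require the capability.
     // NOTE(review): use the plugin's own admin-capability helper here if one exists.
     if (!current_user_can('manage_options')) {
         die;
     }

     $now = $itsec_globals['current_time'];
     $existing = get_site_option('itsec_temp_whitelist_ip');
     $add_temp = false;

     if ($existing === false) {
         $add_temp = true;
     } elseif (!is_array($existing) || !isset($existing['exp']) || $existing['exp'] < $now) {
         // Expired (or malformed) entry: drop it and allow a new one.
         delete_site_option('itsec_temp_whitelist_ip');
         $add_temp = true;
     }

     if ($add_temp === false) {
         die('error');
     }

     $entry = array('ip' => ITSEC_Lib::get_ip(), 'exp' => $now + 86400);
     add_site_option('itsec_temp_whitelist_ip', $entry);

     $response = $entry;
     $response['exp'] = date('Y-m-d H:i:s', $entry['exp']);
     $response['message1'] = __('Your IP Address', 'it-l10n-better-wp-security');
     $response['message2'] = __('is whitelisted until', 'it-l10n-better-wp-security');
     die(json_encode($response));
 }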
 /**
  * Determines whether a given IP address is whitelisted
  *
  * Loads the IP tools library on demand, falls back to the stored
  * lockout_white_list when no list is supplied, optionally appends the
  * visitor's own address, and reports whether $ip_to_check intersects any
  * entry (single address, wildcard or CIDR block).
  *
  * @param  string  $ip_to_check ip to check (can be in CIDR notation)
  * @param  array   $white_ips   ip list to compare to if not yet saved to options
  * @param  boolean $current     whether to whitelist the current ip or not (due to saving, etc)
  *
  * @return boolean               true if whitelisted or false
  */
 public static function is_ip_whitelisted($ip_to_check, $white_ips = null, $current = false)
 {
     if (!class_exists('ITSEC_Lib_IP_Tools')) {
         $plugin_root = dirname(ITSEC_Core::get_instance()->get_plugin_file());
         require_once $plugin_root . '/core/lib/class-itsec-lib-ip-tools.php';
     }

     if (null === $white_ips) {
         $global_settings = get_site_option('itsec_global');
         $white_ips = isset($global_settings['lockout_white_list'])
             ? $global_settings['lockout_white_list']
             : array();
     }

     if (true === $current) {
         // The visitor's own address counts as whitelisted for this check.
         $white_ips[] = ITSEC_Lib::get_ip();
     }

     foreach ($white_ips as $entry) {
         $entry_cidr = ITSEC_Lib_IP_Tools::ip_wild_to_ip_cidr($entry);
         if (ITSEC_Lib_IP_Tools::intersect($ip_to_check, $entry_cidr)) {
             return true;
         }
     }

     return false;
 }
 /**
  * Whether the current visitor's IP has an unexpired temporary whitelist entry.
  *
  * @return boolean true when get_temp_whitelist() holds the visitor IP with an
  *                 expiry later than the plugin's current_time
  */
 public function is_visitor_temp_whitelisted()
 {
     global $itsec_globals;

     $visitor_ip = ITSEC_Lib::get_ip();
     $entries = $this->get_temp_whitelist();

     return isset($entries[$visitor_ip]) && $entries[$visitor_ip] > $itsec_globals['current_time'];
 }
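 /**
  * Request a malware scan
  *
  * Submits $current_url (or, when it is absent/invalid, the URL of the
  * current request) to the VirusTotal URL-scan API with the configured API
  * key, logging successful submissions under the current user.
  *
  * @since 4.3
  *
  * @param mixed $current_url the url to scan or null
  *
  * @return mixed decoded API response on HTTP 200; 204 when rate limited;
  *               403 when permission is denied; false on any other failure
  *               (including a transport error)
  */
 private function request_url_scan($current_url = null)
 {
     global $itsec_logger;

     $endpoint = 'https://www.virustotal.com/vtapi/v2/url/scan';

     //Use the supplied URL if present
     if (ITSEC_Lib::validate_url($current_url) === true) {
         $current_url = esc_url($current_url);
     } else {
         // Derive the current URL from WordPress' own home URL instead of
         // $_SERVER['HTTP_HOST'] (client-controlled Host header) and
         // $_SERVER['REQUEST_SCHEME'] (not set by every server/SAPI).
         $request_path = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/';
         $current_url = esc_url(home_url($request_path));
     }

     $args = array(
         'body' => array('url' => $current_url, 'apikey' => $this->settings['api_key']),
     );
     $response = wp_remote_post($endpoint, $args);

     // wp_remote_post() returns a WP_Error on transport failure; indexing it as an
     // array would be a fatal error, so treat it as the unspecified-failure case.
     if (is_wp_error($response)) {
         return false;
     }

     $code = (int) wp_remote_retrieve_response_code($response);

     if ($code === 200 && isset($response['body'])) {
         $scan_info = array('type' => 'Malware Scan Requested', 'resource' => $current_url);
         $user = wp_get_current_user();
         $itsec_logger->log_event('malware', 3, $scan_info, ITSEC_Lib::get_ip(), $user->user_login, $user->ID);

         // The body is sanitized as text before decoding (as before); callers must
         // still escape any field they render.
         return json_decode(sanitize_text_field($response['body']));
         //Valid request
     } elseif ($code === 204) {
         return 204;
         //Rate limit exceeded
     } elseif ($code === 403) {
         return 403;
         //Permission denied
     }

     return false;
     //unspecified failure
 }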
 /**
  * Determines whether a given IP address is blacklisted
  *
  * Falls back to the visitor's own address when $ip is empty and to the
  * stored blacklist when $blacklisted_ips is not supplied. Entries may be
  * single addresses, wildcards or CIDR blocks.
  *
  * @param string $ip              ip to check (can be in CIDR notation)
  * @param array  $blacklisted_ips ip list to compare to if not yet saved to options
  *
  * @return boolean true if blacklisted or false
  */
 public static function is_ip_blacklisted($ip = null, $blacklisted_ips = null)
 {
     $subject = sanitize_text_field($ip);
     if (empty($subject)) {
         $subject = ITSEC_Lib::get_ip();
     }

     if (!class_exists('ITSEC_Lib_IP_Tools')) {
         require_once ITSEC_Core::get_core_dir() . '/lib/class-itsec-lib-ip-tools.php';
     }

     $entries = is_null($blacklisted_ips) ? self::get_blacklisted_ips() : $blacklisted_ips;

     foreach ($entries as $entry) {
         if (ITSEC_Lib_IP_Tools::intersect($subject, ITSEC_Lib_IP_Tools::ip_wild_to_ip_cidr($entry))) {
             return true;
         }
     }

     return false;
 }
 /**
  * Log successful user logout
  *
  * Writes a level-1 user_logging event carrying the visitor IP.
  *
  * @since 4.1
  *
  * @return void
  */
 public function wp_logout()
 {
     global $itsec_logger;

     $details = array('action' => __('A User Logged Out', 'it-l10n-ithemes-security-pro'));
     $itsec_logger->log_event('user_logging', 1, $details, ITSEC_Lib::get_ip(), '', '', '', '');
 }
 /**
  * Enqueue the settings-page script and expose the visitor IP and the
  * default log location to it as itsec_global_settings_page.
  */
 public function enqueue_scripts_and_styles()
 {
     $handle = 'itsec-global-settings-page-script';
     $script_url = plugins_url('js/settings-page.js', __FILE__);

     wp_enqueue_script($handle, $script_url, array('jquery'), $this->version, true);
     wp_localize_script($handle, 'itsec_global_settings_page', array(
         'ip' => ITSEC_Lib::get_ip(),
         'log_location' => ITSEC_Modules::get_default($this->id, 'log_location'),
     ));
 }
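	/**
	 * Process ajax request to set temp whitelist
	 *
	 * Whitelists the requesting IP for 24 hours unless an unexpired temporary
	 * entry already exists. Requires a valid nonce and the manage_options
	 * capability. Terminates the request with "error" when an entry is still
	 * active, otherwise with a JSON payload describing the new entry.
	 *
	 * @since 4.3
	 *
	 * @return void
	 */
	public function itsec_temp_whitelist_ajax() {

		global $itsec_globals;

		if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( $_POST['nonce'] ), 'itsec_temp_whitelist_nonce' ) ) {
			die();
		}

		// A nonce only proves the request came from a page that printed it; it is not an
		// authorization check, and admin-ajax.php is reachable by any logged-in user.
		// Exempting an address from lockouts is an admin action, so require the capability.
		// NOTE(review): use the plugin's own admin-capability helper here if one exists.
		if ( ! current_user_can( 'manage_options' ) ) {
			die();
		}

		$now      = $itsec_globals['current_time'];
		$existing = get_site_option( 'itsec_temp_whitelist_ip' );
		$add_temp = false;

		if ( $existing === false ) {
			$add_temp = true;
		} elseif ( ! is_array( $existing ) || ! isset( $existing['exp'] ) || $existing['exp'] < $now ) {
			// Expired (or malformed) entry: drop it and allow a new one.
			delete_site_option( 'itsec_temp_whitelist_ip' );
			$add_temp = true;
		}

		if ( $add_temp === false ) {
			die( 'error' );
		}

		$entry = array(
			'ip'  => ITSEC_Lib::get_ip(),
			'exp' => $now + 86400,
		);

		add_site_option( 'itsec_temp_whitelist_ip', $entry );

		$response             = $entry;
		$response['exp']      = human_time_diff( $now, $entry['exp'] );
		$response['message1'] = __( 'Your IP Address', 'it-l10n-ithemes-security-pro' );
		$response['message2'] = __( 'is whitelisted for', 'it-l10n-ithemes-security-pro' );
		$response['message3'] = __( 'Remove IP from Whitelist', 'it-l10n-ithemes-security-pro' );

		die( json_encode( $response ) );

	}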
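 /**
  * Determines whether a given IP address is whitelisted
  *
  * The effective whitelist is the stored lockout_white_list (or the supplied
  * $white_ips), optionally the visitor's own address, the unexpired temporary
  * whitelist entry, and whatever the itsec_white_ips filter adds. Each entry
  * may be a single address, a wildcard or a CIDR block.
  *
  * @param  string  $ip_to_check ip to check (can be in CIDR notation)
  * @param  array   $white_ips   ip list to compare to if not yet saved to options
  * @param  boolean $current     whether to whitelist the current ip or not (due to saving, etc)
  *
  * @return boolean               true if whitelisted or false
  */
 public static function is_ip_whitelisted($ip_to_check, $white_ips = null, $current = false)
 {
     if (!class_exists('ITSEC_Lib_IP_Tools')) {
         $itsec_core = ITSEC_Core::get_instance();
         require_once dirname($itsec_core->get_plugin_file()) . '/core/lib/class-itsec-lib-ip-tools.php';
     }

     if ($white_ips === null) {
         $global_settings = get_site_option('itsec_global');
         $white_ips = isset($global_settings['lockout_white_list']) ? $global_settings['lockout_white_list'] : array();
     }

     if (!is_array($white_ips)) {
         $white_ips = array();
     }

     if ($current === true) {
         //add current user ip to whitelist to check automatically
         $white_ips[] = ITSEC_Lib::get_ip();
     }

     // Check to see if we have a temporarily white listed IP
     $temp = get_site_option('itsec_temp_whitelist_ip');
     if (false !== $temp) {
         // Only a well-formed, unexpired entry is honoured. A malformed option (no
         // 'exp'/'ip') would otherwise raise notices and never be cleared, so it is
         // deleted along with expired entries.
         if (!is_array($temp) || !isset($temp['exp'], $temp['ip']) || $temp['exp'] < current_time('timestamp')) {
             delete_site_option('itsec_temp_whitelist_ip');
         } else {
             $white_ips[] = $temp['ip'];
         }
     }

     $white_ips = apply_filters('itsec_white_ips', $white_ips);

     foreach ($white_ips as $white_ip) {
         if (ITSEC_Lib_IP_Tools::intersect($ip_to_check, ITSEC_Lib_IP_Tools::ip_wild_to_ip_cidr($white_ip))) {
             return true;
         }
     }

     return false;
 }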
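	/**
	 * Authenticate a user with two-factor enabled.
	 *
	 * Runs after WordPress has already verified the password. For accounts
	 * with two-factor enabled it requires either a valid TOTP code submitted
	 * as itsec_two_factor_code (checked across +/- settings['offset']
	 * 30-second windows; re-use of a code or a window older than the last
	 * accepted one is rejected as a replay) or, on XML-RPC requests with app
	 * passwords enabled, a matching app password supplied in place of the
	 * account password. A per-user override (itsec_two_factor_override until
	 * itsec_two_factor_override_expires) skips the check entirely.
	 *
	 * @since 1.2.0
	 *
	 * @param mixed  $user     the user
	 * @param string $password password the password entered
	 *
	 * @return mixed user or error
	 */
	public function wp_authenticate_user( $user, $password ) {

		global $itsec_logger, $itsec_globals;

		if ( is_wp_error( $user ) ) {
			return $user;
		}

		$current_user = $user; //Store error or user object already authenticated

		$override         = intval( get_user_option( 'itsec_two_factor_override', $user->ID ) ) === 1 ? true : false;
		$override_expires = intval( get_user_option( 'itsec_two_factor_override_expires', $user->ID ) );

		if ( true === $override && $itsec_globals['current_time'] < $override_expires ) {
			return $user; //Override is active so just return the user.
		}

		if ( true === $override ) { //Delete the options if they've expired

			delete_user_option( $user->ID, 'itsec_two_factor_override', true );
			delete_user_option( $user->ID, 'itsec_two_factor_override_expires', true );

		}

		//make sure the user has two-factor turned on for their account
		if ( isset( $user->ID ) && 'on' === trim( get_user_option( 'itsec_two_factor_enabled', $user->ID ) ) ) {

			$key        = get_user_option( 'itsec_two_factor_key', $user->ID );
			$time       = floor( time() / 30 ); //time to check
			$good_login = false; //is this a valid login

			$code = isset( $_POST['itsec_two_factor_code'] ) ? sanitize_text_field( trim( $_POST['itsec_two_factor_code'] ) ) : false;

			if ( false !== $code && 0 < strlen( $code ) ) {

				$offset = isset( $this->settings['offset'] ) ? intval( $this->settings['offset'] ) : 1;

				//Check both sides of the time. The loop deliberately does not break, so the
				//latest matching window is the one recorded (unchanged behaviour).
				for ( $i = - $offset; $i <= $offset; $i ++ ) {

					$log_time = $time + $i;

					// Constant-time comparison: a plain === short-circuits on the first
					// differing byte and leaks how much of the submitted code was right.
					if ( hash_equals( (string) $this->get_code( $key, $log_time ), $code ) ) {

						$good_login = array( $log_time, $code, ); //they gave a valid code

					}

				}

			}

			if ( false !== $good_login ) { //we have a valid code

				$last_login = get_user_option( 'itsec_two_factor_last_login', $user->ID );

				// Replay protection: the same code, or any window not newer than the last
				// accepted one, is refused even though the code itself is valid.
				if ( is_array( $last_login ) && ( $last_login[1] === $good_login[1] || $last_login[0] >= $good_login[0] ) ) { //looks like a replay

					$itsec_logger->log_event(
						'two_factor',
						8,
						array(
							__( 'Possible two-factor relay attack. Two factor code was re-used or invalid time.', 'it-l10n-ithemes-security-pro' ),
						),
						ITSEC_Lib::get_ip(),
						sanitize_text_field( $user->user_login ),
						'',
						'',
						''
					);

					return new WP_Error( 'invalid_two_factor_code', '<strong>' . __( 'ERROR', 'it-l10n-ithemes-security-pro' ) . '</strong>: ' . __( 'The two-factor code entered is invalid. Please try again.', 'it-l10n-ithemes-security-pro' ) );

				} else { //its a good login so save the info

					update_user_option( $user->ID, 'itsec_two_factor_last_login', $good_login );

				}

			} elseif ( defined( 'XMLRPC_REQUEST' ) && 'on' === trim( get_user_option( 'itsec_two_factor_use_app', $user->ID ) ) ) { //code is invalid, lets check the app password if its on

				$good_login    = false;
				$app_passwords = get_user_option( 'itsec_two_factor_app_pass', $user->ID );
				// App passwords are entered with spaces and in any case; normalise before hashing.
				$candidate     = strtoupper( str_replace( ' ', '', sanitize_text_field( $password ) ) );

				if ( false !== $app_passwords && ! is_array( $app_passwords ) && wp_check_password( $candidate, $app_passwords ) ) {
					$good_login = true;
				}

				if ( false !== $app_passwords && is_array( $app_passwords ) ) {

					foreach ( $app_passwords as $app_password ) {

						if ( wp_check_password( $candidate, $app_password ) ) {
							$good_login = true;
						}

					}

				}

				if ( true === $good_login ) {

					// The app password stands in for the account password for the rest of
					// this authentication; the stored hash is replaced on the in-memory user
					// object only, so the later password comparison succeeds.
					$user->user_pass = wp_hash_password( $password );

					return $user;

				} else {

					return new WP_Error( 'invalid_two_factor_app_password', '<strong>' . __( 'ERROR', 'it-l10n-ithemes-security-pro' ) . '</strong>: ' . __( 'The two-factor app password entered is invalid. Please try again.', 'it-l10n-ithemes-security-pro' ) );

				}

			} else {

				return new WP_Error( 'invalid_two_factor_code', '<strong>' . __( 'ERROR', 'it-l10n-ithemes-security-pro' ) . '</strong>: ' . __( 'The two-factor code entered is invalid. Please try again.', 'it-l10n-ithemes-security-pro' ) );

			}

		}

		return $current_user;

	}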
 /**
  * Sends to lockout class when username and password are filled out and wrong
  *
  * When report_ip() returns 1 the attempt is logged as an ipcheck event and
  * execute_lock() is invoked; any other result is ignored.
  *
  * @since 4.5
  *
  * @return void
  */
 public function wp_login_failed()
 {
     global $itsec_logger;

     if (1 !== $this->report_ip()) {
         return;
     }

     $itsec_logger->log_event('ipcheck', 10, array(), ITSEC_Lib::get_ip());
     $this->execute_lock(false, true);
 }
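 /**
  * echos Lockout White List Field
  *
  * Renders the lockout whitelist textarea (one host per line), an
  * "add my IP" link and the usage guidelines. Stored values and the visitor
  * IP are escaped on output.
  *
  * @since 4.0
  *
  * @return void
  */
 public function settings_field_lockout_white_list()
 {
     $white_list = '';

     //Convert and show the agent list. The stored value may be an array (one host per
     //entry) or the raw newline-separated text; either way render one host per line.
     if (isset($this->settings['lockout_white_list']) && is_array($this->settings['lockout_white_list']) && count($this->settings['lockout_white_list']) >= 1) {
         $white_list = implode(PHP_EOL, $this->settings['lockout_white_list']);
     } elseif (isset($this->settings['lockout_white_list']) && !is_array($this->settings['lockout_white_list']) && strlen($this->settings['lockout_white_list']) > 1) {
         $white_list = $this->settings['lockout_white_list'];
     }

     // Escape on output: the list is stored data, and get_ip() may be sourced from a
     // proxy header, so neither is safe to place in markup unescaped.
     echo '<textarea id="itsec_global_lockout_white_list" name="itsec_global[lockout_white_list]" rows="10" cols="50">' . esc_textarea($white_list) . PHP_EOL . '</textarea>';
     // The leading newline in href is preserved: the settings-page script presumably reads
     // this attribute to append "newline + IP" to the textarea (script not visible here).
     echo '<p class="submit"><a href="' . esc_attr(PHP_EOL . ITSEC_Lib::get_ip()) . '" class="itsec_add_ip_to_whitelist button-primary">' . __('Add my current IP to Whitelist', 'better-wp-security') . '</a></p>';
     echo '<p class="description">' . __('Use the guidelines below to enter hosts that will not be locked out from your site. This will keep you from locking yourself out of any features if you should trigger a lockout. Please note this does not override away mode and will only prevent a temporary ban. Should a permanent ban be triggered you will still be added to the "Ban Users" list unless the IP address is also white listed in that section.', 'better-wp-security') . '</p>';
     echo '<ul>';
     echo '<li>' . __('You may white list users by individual IP address or IP address range.', 'better-wp-security') . '</li>';
     echo '<li>' . __('Individual IP addesses must be in IPV4 standard format (i.e. ###.###.###.### or ###.###.###.###/##). Wildcards (*) or a netmask is allowed to specify a range of ip addresses.', 'better-wp-security') . '</li>';
     echo '<li>' . __('If using a wildcard (*) you must start with the right-most number in the ip field. For example ###.###.###.* and ###.###.*.* are permitted but ###.###.*.### is not.', 'better-wp-security') . '</li>';
     echo '<li><a href="http://ip-lookup.net/domain-lookup.php" target="_blank" rel="noopener noreferrer">' . __('Lookup IP Address.', 'better-wp-security') . '</a></li>';
     echo '<li>' . __('Enter only 1 IP address or 1 IP address range per line.', 'better-wp-security') . '</li>';
     echo '</ul>';
     echo '<p class="description"><strong>' . __('This white list will prevent any ip listed from triggering an automatic lockout. You can still block the IP address manually in the banned users settings.', 'better-wp-security') . '</strong></p>';
 }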