public function run($arguments) { global $itsec_globals; $direction = isset($arguments['direction']) ? $arguments['direction'] : 'add'; if ($direction === 'add') { if (get_site_option('itsec_temp_whitelist_ip') !== false || !isset($arguments['ip'])) { return false; } $ip = sanitize_text_field($arguments['ip']); if (ITSEC_Lib::validates_ip_address($ip)) { $response = array('ip' => $ip, 'exp' => $itsec_globals['current_time'] + 86400); add_site_option('itsec_temp_whitelist_ip', $response); return true; } } elseif ($direction === 'remove') { delete_site_option('itsec_temp_whitelist_ip'); return true; } return false; }
/** * Send offending IP to IPCheck API * * @since 4.5 * * @param string|null $ip ip to report * @param int $type type of behavior to report * * @return int -1 on failure, 0 if report successful and IP not blocked, 1 if IP successful and IP blocked */ public function report_ip($ip = null, $type = 1) { global $itsec_globals, $itsec_logger; $action = 'report-ip'; /** * Switch types or return false if no valid type * * Valid types: * 1 = invalid/failed login * */ switch ($type) { case 1: $behavior = 'brute-force-login'; break; default: return -1; } //get current IP if needed if ($ip === null) { $ip = ITSEC_Lib::get_ip(); } else { $ip = trim(sanitize_text_field($ip)); } if ($this->is_ip_whitelisted($ip)) { return 0; } if (ITSEC_Lib::validates_ip_address($ip)) { //verify IP address is valid if (!isset($this->settings['api_key']) || !isset($this->settings['api_s'])) { return -1; //invalid key or secret } $args = json_encode(array('apikey' => $this->settings['api_key'], 'behavior' => $behavior, 'ip' => $ip, 'site' => home_url('', 'http'), 'timestamp' => $itsec_globals['current_time_gmt'])); //Build the request parameters $request = array('body' => array('request' => $args, 'signature' => self::hmac_SHA1($this->settings['api_s'], $action . $args))); $response = wp_remote_post(self::$endpoint . $action, $request); //Make sure the request was valid and has a valid body if (is_array($response) && isset($response['body'])) { $response = json_decode($response['body'], true); if (is_array($response) && isset($response['success']) && $response['success'] == true) { if (isset($response['block']) && $response['block'] == true) { $cache = isset($response['cache_ttl']) ? absint($response['cache_ttl']) : 3600; $expiration = date('Y-m-d H:i:s', $itsec_globals['current_time'] + $cache); $expiration_gmt = date('Y-m-d H:i:s', $itsec_globals['current_time_gmt'] + $cache); $itsec_logger->log_event(__('lockout', 'it-l10n-better-wp-security'), 10, array('expires' => $expiration, 'expires_gmt' => $expiration_gmt, 'type' => 'host'), $ip); self::cache_ip($ip, array('status' => true), $cache); return 1; //ip report success. Just return true for now } else { return 0; } } } } return -1; }
/** * Locks out given user or host * * @since 4.0 * * @param string $type The type of lockout (for user reference) * @param string $reason Reason for lockout, for notifications * @param string $host Host to lock out * @param int $user user id to lockout * @param string $username username to lockout * * @return void */ private function lockout($type, $reason, $host = NULL, $user = NULL, $username = NULL) { global $wpdb, $itsec_logger, $itsec_globals, $itsec_files; $host_expiration = NULL; $user_expiration = NULL; $username = sanitize_text_field(trim($username)); if ($itsec_files->get_file_lock('lockout_' . $host . $user . $username)) { //Do we have a good host to lock out or not if ($host != NULL && $this->is_ip_whitelisted(sanitize_text_field($host)) === false && ITSEC_Lib::validates_ip_address($host) === true) { $good_host = sanitize_text_field($host); } else { $good_host = false; } //Do we have a valid user to lockout or not if ($user !== NULL && ITSEC_Lib::user_id_exists(intval($user)) === true) { $good_user = intval($user); } else { $good_user = false; } //Do we have a valid username to lockout or not if ($username !== NULL && $username != '') { $good_username = $username; } else { $good_username = false; } $blacklist_host = false; //assume we're not permanently blcking the host //Sanitize the data for later $type = sanitize_text_field($type); $reason = sanitize_text_field($reason); //handle a permanent host ban (if needed) if ($itsec_globals['settings']['blacklist'] === true && $good_host !== false) { //permanent blacklist $blacklist_period = isset($itsec_globals['settings']['blacklist_period']) ? $itsec_globals['settings']['blacklist_period'] * 24 * 60 * 60 : 604800; $host_count = 1 + $wpdb->get_var($wpdb->prepare("SELECT COUNT(*) FROM `" . $wpdb->base_prefix . "itsec_lockouts` WHERE `lockout_expire_gmt` > '%s' AND `lockout_host`='%s';", date('Y-m-d H:i:s', $itsec_globals['current_time_gmt'] - $blacklist_period), $host)); if ($host_count >= $itsec_globals['settings']['blacklist_count'] && isset($itsec_globals['settings']['write_files']) && $itsec_globals['settings']['write_files'] === true) { $host_expiration = false; if (!class_exists('ITSEC_Ban_Users')) { require trailingslashit($itsec_globals['plugin_dir']) . 'modules/free/ban-users/class-itsec-ban-users.php'; } ITSEC_Ban_Users::insert_ip(sanitize_text_field($host)); //Send it to the Ban Users module for banning $blacklist_host = true; //flag it so we don't do a temp ban as well } } //We have temp bans to perform if ($good_host !== false || $good_user !== false || $good_username || $good_username !== false) { if ($this->is_ip_whitelisted(sanitize_text_field($host))) { $whitelisted = true; $expiration = date('Y-m-d H:i:s', 1); $expiration_gmt = date('Y-m-d H:i:s', 1); } else { $whitelisted = false; $exp_seconds = intval($itsec_globals['settings']['lockout_period']) * 60; $expiration = date('Y-m-d H:i:s', $itsec_globals['current_time'] + $exp_seconds); $expiration_gmt = date('Y-m-d H:i:s', $itsec_globals['current_time_gmt'] + $exp_seconds); } if ($good_host !== false && $blacklist_host === false) { //temp lockout host $host_expiration = $expiration; $wpdb->insert($wpdb->base_prefix . 'itsec_lockouts', array('lockout_type' => $type, 'lockout_start' => date('Y-m-d H:i:s', $itsec_globals['current_time']), 'lockout_start_gmt' => date('Y-m-d H:i:s', $itsec_globals['current_time_gmt']), 'lockout_expire' => $expiration, 'lockout_expire_gmt' => $expiration_gmt, 'lockout_host' => sanitize_text_field($host), 'lockout_user' => '')); $itsec_logger->log_event(__('lockout', 'it-l10n-better-wp-security'), 10, array('expires' => $expiration, 'expires_gmt' => $expiration_gmt, 'type' => $type), sanitize_text_field($host)); } if ($good_user !== false) { //blacklist host and temp lockout user $user_expiration = $expiration; $wpdb->insert($wpdb->base_prefix . 'itsec_lockouts', array('lockout_type' => $type, 'lockout_start' => date('Y-m-d H:i:s', $itsec_globals['current_time']), 'lockout_start_gmt' => date('Y-m-d H:i:s', $itsec_globals['current_time_gmt']), 'lockout_expire' => $expiration, 'lockout_expire_gmt' => $expiration_gmt, 'lockout_host' => '', 'lockout_user' => intval($user))); if ($whitelisted === false) { $itsec_logger->log_event('lockout', 10, array('expires' => $expiration, 'expires_gmt' => $expiration_gmt, 'type' => $type), '', '', intval($user)); } else { $itsec_logger->log_event('lockout', 10, array(__('White Listed', 'it-l10n-better-wp-security'), 'type' => $type), '', '', intval($user)); } } if ($good_username !== false) { //blacklist host and temp lockout username $user_expiration = $expiration; $wpdb->insert($wpdb->base_prefix . 'itsec_lockouts', array('lockout_type' => $type, 'lockout_start' => date('Y-m-d H:i:s', $itsec_globals['current_time']), 'lockout_start_gmt' => date('Y-m-d H:i:s', $itsec_globals['current_time_gmt']), 'lockout_expire' => $expiration, 'lockout_expire_gmt' => $expiration_gmt, 'lockout_host' => '', 'lockout_username' => $username)); if ($whitelisted === false) { $itsec_logger->log_event('lockout', 10, array('expires' => $expiration, 'expires_gmt' => $expiration_gmt, 'type' => $type), '', '', $username); } else { $itsec_logger->log_event('lockout', 10, array(__('White Listed', 'it-l10n-better-wp-security'), 'type' => $type), '', '', $username); } } if ($whitelisted === false) { if ($itsec_globals['settings']['email_notifications'] === true) { //send email notifications $this->send_lockout_email($good_host, $good_user, $good_username, $host_expiration, $user_expiration, $reason); } if ($good_host !== false) { $itsec_files->release_file_lock('lockout_' . $host . $user . $username); $this->execute_lock(); } else { $itsec_files->release_file_lock('lockout_' . $host . $user . $username); $this->execute_lock(true); } } } $itsec_files->release_file_lock('lockout_' . $host . $user . $username); } }
/** * Sanitize and validate input * * @param Array $input array of input fields * * @return Array Sanitized array */ public function sanitize_module_input($input) { global $itsec_globals; $has_errors = false; //Sanitize checkbox features $input['enabled'] = isset($input['enabled']) && intval($input['enabled'] == 1) ? true : false; $input['default'] = isset($input['default']) && intval($input['default'] == 1) ? true : false; if (isset($input['agent_list']) && is_string($input['agent_list'])) { $agents = preg_split('/(?<!\\r)\\n|\\r(?!\\n)|(?<!\\r)\\r\\n|\\r\\r\\n/', trim($input['agent_list'])); } else { if (isset($input['agent_list']) && is_array($input['agent_list'])) { $agents = $input['agent_list']; } else { $agents = array(); } } $good_agents = array(); foreach ($agents as $agent) { $agent = trim(sanitize_text_field($agent)); if (!empty($agent)) { $good_agents[] = $agent; } } $input['agent_list'] = array_unique($good_agents); if (isset($input['host_list']) && is_string($input['host_list'])) { $addresses = preg_split('/(?<!\\r)\\n|\\r(?!\\n)|(?<!\\r)\\r\\n|\\r\\r\\n/', trim($input['host_list'])); } else { if (isset($input['host_list']) && is_array($input['host_list'])) { $addresses = $input['host_list']; } else { $addresses = array(); } } if (!class_exists('ITSEC_Ban_Users')) { require dirname(__FILE__) . '/class-itsec-ban-users.php'; } $bad_ips = array(); $white_ips = array(); $raw_ips = array(); foreach ($addresses as $index => $address) { $address = trim($address); if (empty($address)) { continue; } if (!ITSEC_Lib::validates_ip_address($address)) { $bad_ips[] = trim(filter_var($address, FILTER_SANITIZE_STRING)); } if (ITSEC_Ban_Users::is_ip_whitelisted($address, null, true)) { $white_ips[] = trim(filter_var($address, FILTER_SANITIZE_STRING)); } $raw_ips[] = trim(filter_var($address, FILTER_SANITIZE_STRING)); } $raw_ips = array_unique($raw_ips); if (!empty($bad_ips)) { $input['enabled'] = false; //disable ban users list $type = 'error'; if (!$has_errors) { $message = sprintf('%s<br /><br />', __('Note that the ban users feature has been disabled until the following errors are corrected:', 'better-wp-security')); } foreach ($bad_ips as $bad_ip) { $message .= sprintf('%s %s<br />', $bad_ip, __('is not a valid address in the ban users box.', 'better-wp-security')); } add_settings_error('itsec', esc_attr('settings_updated'), $message, $type); $has_errors = true; } if (sizeof($white_ips) > 0) { $input['enabled'] = false; //disable ban users list $type = 'error'; if (!$has_errors) { $message = sprintf('%s<br /><br />', __('Note that the ban users feature has been disabled until the following errors are corrected:', 'better-wp-security')); } foreach ($white_ips as $white_ip) { $message .= sprintf('%s %s<br />', $white_ip, __('is not a valid address as it has been white listed.', 'better-wp-security')); } add_settings_error('itsec', esc_attr('settings_updated'), $message, $type); $has_errors = true; } $input['host_list'] = $raw_ips; if (!$has_errors) { if (!isset($type) && ($input['host_list'] !== $this->settings['host_list'] || $input['enabled'] !== $this->settings['enabled'] || $input['default'] !== $this->settings['default'] || $input['agent_list'] !== $this->settings['agent_list']) || isset($itsec_globals['settings']['write_files']) && true === $itsec_globals['settings']['write_files']) { add_site_option('itsec_rewrites_changed', true); } } if (is_multisite()) { if (isset($type)) { $error_handler = new WP_Error(); $error_handler->add($type, $message); $this->core->show_network_admin_notice($error_handler); } else { $this->core->show_network_admin_notice(false); } $this->settings = $input; } return $input; }
/** * Sanitize and validate input * * @since 4.0 * * @param Array $input array of input fields * * @return Array Sanitized array */ public function sanitize_module_input($input) { global $itsec_globals; $input['did_upgrade'] = isset($this->settings['did_upgrade']) ? $this->settings['did_upgrade'] : false; if (isset($input['backup_email'])) { $bad_emails = array(); $emails_to_save = array(); if (isset($input['backup_email']) && !is_array($input['backup_email'])) { $emails = explode(PHP_EOL, $input['backup_email']); } elseif (isset($input['backup_email'])) { $emails = $input['backup_email']; } foreach ($emails as $email) { $email = sanitize_text_field(trim($email)); if (strlen($email) > 0) { if (is_email($email) === false) { $bad_emails[] = $email; } $emails_to_save[] = $email; } } if (sizeof($bad_emails) > 0) { $bad_addresses = implode(', ', $bad_emails); $type = 'error'; $message = __('The following backup email address(es) do not appear to be valid: ', 'better-wp-security') . $bad_addresses; add_settings_error('itsec', esc_attr('settings_updated'), $message, $type); } $input['backup_email'] = $emails_to_save; } if (isset($input['notification_email'])) { $bad_emails = array(); $emails_to_save = array(); if (isset($input['notification_email']) && !is_array($input['notification_email'])) { $emails = explode(PHP_EOL, $input['notification_email']); } else { $emails = $input['notification_email']; } foreach ($emails as $email) { $email = sanitize_text_field(trim($email)); if (strlen($email) > 0) { if (is_email($email) === false) { $bad_emails[] = $email; } $emails_to_save[] = $email; } } if (sizeof($bad_emails) > 0) { $bad_addresses = implode(', ', $bad_emails); $type = 'error'; $message = __('The following notification email address(es) do not appear to be valid: ', 'better-wp-security') . $bad_addresses; add_settings_error('itsec', esc_attr('settings_updated'), $message, $type); } $input['notification_email'] = $emails_to_save; } $input['lockout_message'] = isset($input['lockout_message']) ? trim(wp_kses($input['lockout_message'], $this->allowed_tags)) : ''; $input['user_lockout_message'] = isset($input['user_lockout_message']) ? trim(wp_kses($input['user_lockout_message'], $this->allowed_tags)) : ''; $input['community_lockout_message'] = isset($input['community_lockout_message']) ? trim(wp_kses($input['community_lockout_message'], $this->allowed_tags)) : ''; $input['blacklist'] = isset($input['blacklist']) && intval($input['blacklist'] == 1) ? true : false; $input['blacklist_count'] = isset($input['blacklist_count']) ? absint($input['blacklist_count']) : 3; $input['blacklist_period'] = isset($input['blacklist_period']) ? absint($input['blacklist_period']) : 7; $input['email_notifications'] = isset($input['email_notifications']) && intval($input['email_notifications'] == 1) ? true : false; $input['lockout_period'] = isset($input['lockout_period']) ? absint($input['lockout_period']) : 15; $input['log_rotation'] = isset($input['log_rotation']) ? absint($input['log_rotation']) : 14; $input['allow_tracking'] = isset($input['allow_tracking']) && intval($input['allow_tracking'] == 1) ? true : false; $input['write_files'] = isset($input['write_files']) && intval($input['write_files'] == 1) ? true : false; $input['nginx_file'] = isset($input['nginx_file']) ? sanitize_text_field($input['nginx_file']) : ABSPATH . 'nginx.conf'; $input['infinitewp_compatibility'] = isset($input['infinitewp_compatibility']) && intval($input['infinitewp_compatibility'] == 1) ? true : false; $input['log_info'] = $itsec_globals['settings']['log_info']; $input['lock_file'] = isset($input['lock_file']) && intval($input['lock_file'] == 1) ? true : false; $input['digest_email'] = isset($input['digest_email']) && intval($input['digest_email'] == 1) ? true : false; $input['proxy_override'] = isset($input['proxy_override']) && intval($input['proxy_override'] == 1) ? true : false; $input['hide_admin_bar'] = isset($input['hide_admin_bar']) && intval($input['hide_admin_bar'] == 1) ? true : false; //Set a fresh message queue if we're just turning on the digest. if ($input['digest_email'] === true && (!isset($this->settings['digest_email']) || $this->settings['digest_email'] === false)) { $digest_queue = array('last_sent' => $itsec_globals['current_time_gmt'], 'messages' => array()); update_site_option('itsec_message_queue', $digest_queue); } $input['log_location'] = isset($input['log_location']) ? sanitize_text_field($input['log_location']) : $itsec_globals['ithemes_log_dir']; //Process white list if (isset($input['lockout_white_list']) && !is_array($input['lockout_white_list'])) { $white_listed_addresses = explode(PHP_EOL, $input['lockout_white_list']); } elseif (isset($input['lockout_white_list'])) { $white_listed_addresses = $input['lockout_white_list']; } else { $white_listed_addresses = array(); } $bad_white_listed_ips = array(); $raw_white_listed_ips = array(); foreach ($white_listed_addresses as $index => $address) { $address = trim($address); if (strlen(trim($address)) > 0) { if (ITSEC_Lib::validates_ip_address($address) === false) { $bad_white_listed_ips[] = filter_var($address, FILTER_SANITIZE_STRING); } $raw_white_listed_ips[] = filter_var($address, FILTER_SANITIZE_STRING); } else { unset($white_listed_addresses[$index]); } } $raw_white_listed_ips = array_unique($raw_white_listed_ips); if (sizeof($bad_white_listed_ips) > 0) { $type = 'error'; $message = ''; $message .= sprintf('%s<br /><br />', __('There is a problem with an IP address in the white list:', 'better-wp-security')); foreach ($bad_white_listed_ips as $bad_ip) { $message .= sprintf('%s %s<br />', $bad_ip, __('is not a valid address in the white list users box.', 'better-wp-security')); } add_settings_error('itsec', esc_attr('settings_updated'), $message, $type); } $input['lockout_white_list'] = $raw_white_listed_ips; if ($input['log_location'] != $itsec_globals['ithemes_log_dir']) { $good_path = ITSEC_Lib::validate_path($input['log_location']); } else { $good_path = true; } if ($good_path !== true) { $input['log_location'] = $itsec_globals['ithemes_log_dir']; $type = 'error'; $message = __('The file path entered for the log location does not appear to be valid. it has been reset to: ' . $itsec_globals['ithemes_log_dir'], 'better-wp-security'); add_settings_error('itsec', esc_attr('settings_updated'), $message, $type); } $input['log_type'] = isset($input['log_type']) ? intval($input['log_type']) : 0; if (!isset($type) && $input['write_files'] === true && $this->settings['write_files'] === false) { add_site_option('itsec_rewrites_changed', true); } if (is_multisite()) { if (isset($type)) { $error_handler = new WP_Error(); $error_handler->add($type, $message); $this->core->show_network_admin_notice($error_handler); } else { $this->core->show_network_admin_notice(false); } $this->settings = $input; } return $input; }
/** * Process quick ban of host. * * Immediately adds the supplied host to the .htaccess file for banning. * * @since 4.0.0 * * @param string $host the host to ban * * @return bool true on success or false on failure */ public static function quick_ban( $host ) { $host = trim( $host ); if ( ! ITSEC_Lib::validates_ip_address( $host ) ) { return false; } $host_rule = '# ' . __( 'Quick ban IP. Will be updated on next formal rules save.', 'it-l10n-ithemes-security-pro' ) . "\n"; if ( 'nginx' === ITSEC_Lib::get_server() ) { $host_rule .= "\tdeny $host;\n"; } else if ( 'apache' === ITSEC_Lib::get_server() ) { $dhost = str_replace( '.', '\\.', $host ); //re-define $dhost to match required output for SetEnvIf-RegEX $host_rule .= "SetEnvIF REMOTE_ADDR \"^$dhost$\" DenyAccess\n"; //Ban IP $host_rule .= "SetEnvIF X-FORWARDED-FOR \"^$dhost$\" DenyAccess\n"; //Ban IP from Proxy-User $host_rule .= "SetEnvIF X-CLUSTER-CLIENT-IP \"^$dhost$\" DenyAccess\n"; //Ban IP for Cluster/Cloud-hosted WP-Installs $host_rule .= "<IfModule mod_authz_core.c>\n"; $host_rule .= "\t<RequireAll>\n"; $host_rule .= "\t\tRequire all granted\n"; $host_rule .= "\t\tRequire not env DenyAccess\n"; $host_rule .= "\t\tRequire not ip $host\n"; $host_rule .= "\t</RequireAll>\n"; $host_rule .= "</IfModule>\n"; $host_rule .= "<IfModule !mod_authz_core.c>\n"; $host_rule .= "\tOrder allow,deny\n"; $host_rule .= "\tDeny from env=DenyAccess\n"; $host_rule .= "\tDeny from $host\n"; $host_rule .= "\tAllow from all\n"; $host_rule .= "</IfModule>\n"; } require_once( trailingslashit( $GLOBALS['itsec_globals']['plugin_dir'] ) . 'core/lib/class-itsec-lib-config-file.php' ); $result = ITSEC_Lib_Config_File::append_server_config( $host_rule ); if ( is_wp_error( $result ) ) { return false; } return true; }
public static function quick_ban($host) { $host = trim($host); if (ITSEC_Lib::validates_ip_address(trim($host))) { $htaccess_file = ITSEC_Lib::get_htaccess(); $host_rule = '#Quick ban IP. Will be updated on next formal rules save.' . PHP_EOL; if (ITSEC_Lib::get_server() === 'nginx') { //NGINX rules $host_rule .= "\tdeny " . $host . ';' . PHP_EOL; } else { //rules for all other servers $dhost = str_replace('.', '\\.', trim($host)); //re-define $dhost to match required output for SetEnvIf-RegEX $host_rule .= "SetEnvIF REMOTE_ADDR \"^" . $dhost . "\$\" DenyAccess" . PHP_EOL; //Ban IP $host_rule .= "SetEnvIF X-FORWARDED-FOR \"^" . $dhost . "\$\" DenyAccess" . PHP_EOL; //Ban IP from Proxy-User $host_rule .= "SetEnvIF X-CLUSTER-CLIENT-IP \"^" . $dhost . "\$\" DenyAccess" . PHP_EOL; //Ban IP for Cluster/Cloud-hosted WP-Installs $host_rule .= 'order allow,deny' . PHP_EOL; $host_rule .= 'deny from env=DenyAccess' . PHP_EOL; $host_rule .= 'deny from ' . trim($host) . PHP_EOL; $host_rule .= 'allow from all' . PHP_EOL; } //Make sure we can write to the file $perms = substr(sprintf('%o', @fileperms($htaccess_file)), -4); @chmod($htaccess_file, 0664); $htaccess_contents = @file_get_contents($htaccess_file); //get the contents of the htaccess or nginx file if ($htaccess_contents === false) { return false; } $htaccess_contents = preg_replace("/(\\r\\n|\\n|\\r)/", PHP_EOL, $htaccess_contents); if (strpos($htaccess_contents, '# BEGIN iThemes Security') !== false) { $htaccess_contents = str_replace('# BEGIN iThemes Security' . PHP_EOL, '# BEGIN iThemes Security' . PHP_EOL . $host_rule, $htaccess_contents); } else { $htaccess_contents = '# BEGIN iThemes Security' . PHP_EOL . $host_rule . '# BEGIN iThemes Security' . PHP_EOL . $htaccess_contents; } @file_put_contents($htaccess_file, $htaccess_contents, LOCK_EX); //look for the tweaks module to see if we should reset to 0444 $tweaks = get_site_option('itsec_tweaks'); if ($tweaks !== false && isset($tweaks['write_permissions'])) { $write_files = $tweaks['write_permissions']; } else { $write_files = false; } //reset file permissions if we changed them if ($perms == '0444' || $write_files === true) { @chmod($htaccess_file, 0444); } } return true; }
/** * Sanitize and validate input * * @param Array $input array of input fields * * @return Array Sanitized array */ public function sanitize_module_input($input) { global $itsec_globals; $no_errors = false; //start out assuming they entered a bad IP somewhere //Sanitize checkbox features $input['enabled'] = isset($input['enabled']) && intval($input['enabled'] == 1) ? true : false; $input['default'] = isset($input['default']) && intval($input['default'] == 1) ? true : false; //process agent list if (isset($input['agent_list']) && !is_array($input['agent_list'])) { $agents = explode(PHP_EOL, $input['agent_list']); } elseif (isset($input['agent_list'])) { $agents = $input['agent_list']; } else { $agents = array(); } $good_agents = array(); foreach ($agents as $agent) { $good_agents[] = trim(sanitize_text_field($agent)); } $input['agent_list'] = $good_agents; //Process hosts list if (isset($input['host_list']) && !is_array($input['host_list'])) { $addresses = explode(PHP_EOL, $input['host_list']); } elseif (isset($input['host_list'])) { $addresses = $input['host_list']; } else { $addresses = array(); } $bad_ips = array(); $white_ips = array(); $raw_ips = array(); foreach ($addresses as $index => $address) { if (strlen(trim($address)) > 0) { if (ITSEC_Lib::validates_ip_address($address) === false) { $bad_ips[] = trim(filter_var($address, FILTER_SANITIZE_STRING)); } if (!class_exists('ITSEC_Ban_Users')) { require dirname(__FILE__) . '/class-itsec-ban-users.php'; } if (ITSEC_Ban_Users::is_ip_whitelisted($address, NULL, true)) { $white_ips[] = trim(filter_var($address, FILTER_SANITIZE_STRING)); } $raw_ips[] = trim(filter_var($address, FILTER_SANITIZE_STRING)); } else { unset($addresses[$index]); } } $raw_ips = array_unique($raw_ips); if (sizeof($bad_ips) > 0) { $input['enabled'] = false; //disable ban users list $type = 'error'; if ($no_errors === true) { $message = sprintf('%s<br /><br />', __('Note that the ban users feature has been disabled until the following errors are corrected:', 'it-l10n-better-wp-security')); } foreach ($bad_ips as $bad_ip) { $message .= sprintf('%s %s<br />', $bad_ip, __('is not a valid address in the ban users box.', 'it-l10n-better-wp-security')); } add_settings_error('itsec', esc_attr('settings_updated'), $message, $type); } else { $no_errors = true; } if (sizeof($white_ips) > 0) { $input['enabled'] = false; //disable ban users list $type = 'error'; if ($no_errors === true) { $message = sprintf('%s<br /><br />', __('Note that the ban users feature has been disabled until the following errors are corrected:', 'it-l10n-better-wp-security')); } foreach ($white_ips as $white_ip) { $message .= sprintf('%s %s<br />', $white_ip, __('is not a valid address as it has been white listed.', 'it-l10n-better-wp-security')); } add_settings_error('itsec', esc_attr('settings_updated'), $message, $type); } else { $no_errors = true; } $input['host_list'] = $raw_ips; if ($no_errors === true) { if (!isset($type) && ($input['host_list'] !== $this->settings['host_list'] || $input['enabled'] !== $this->settings['enabled'] || $input['default'] !== $this->settings['default'] || $input['agent_list'] !== $this->settings['agent_list']) || isset($itsec_globals['settings']['write_files']) && $itsec_globals['settings']['write_files'] === true) { add_site_option('itsec_rewrites_changed', true); } } if (is_multisite()) { if (isset($type)) { $error_handler = new WP_Error(); $error_handler->add($type, $message); $this->core->show_network_admin_notice($error_handler); } else { $this->core->show_network_admin_notice(false); } $this->settings = $input; } return $input; }
public static function quick_ban($host) { global $itsec_files; if ($itsec_files->get_file_lock('htaccess')) { $host = trim($host); if (ITSEC_Lib::validates_ip_address(trim($host))) { $rule_open = array('# BEGIN iThemes Security', '# BEGIN Better WP Security'); $htaccess_file = ITSEC_Lib::get_htaccess(); $host_rule = '#Quick ban IP. Will be updated on next formal rules save.' . PHP_EOL; if (ITSEC_Lib::get_server() === 'nginx') { //NGINX rules $host_rule .= "\tdeny " . $host . ';' . PHP_EOL; } else { //rules for all other servers $dhost = str_replace('.', '\\.', trim($host)); //re-define $dhost to match required output for SetEnvIf-RegEX $host_rule .= "SetEnvIF REMOTE_ADDR \"^" . $dhost . "\$\" DenyAccess" . PHP_EOL; //Ban IP $host_rule .= "SetEnvIF X-FORWARDED-FOR \"^" . $dhost . "\$\" DenyAccess" . PHP_EOL; //Ban IP from Proxy-User $host_rule .= "SetEnvIF X-CLUSTER-CLIENT-IP \"^" . $dhost . "\$\" DenyAccess" . PHP_EOL; //Ban IP for Cluster/Cloud-hosted WP-Installs $host_rule .= 'order allow,deny' . PHP_EOL; $host_rule .= 'deny from env=DenyAccess' . PHP_EOL; $host_rule .= 'deny from ' . trim($host) . PHP_EOL; $host_rule .= 'allow from all' . PHP_EOL; } //Make sure we can write to the file $perms = substr(sprintf('%o', @fileperms($htaccess_file)), -4); @chmod($htaccess_file, 0664); $htaccess_contents = @file($htaccess_file); $has_itsec = false; //assume itsec hasn't written anything to htaccess foreach ($htaccess_contents as $line_number => $line) { if (in_array(trim($line), $rule_open)) { $has_itsec = $line_number; } } if ($has_itsec === false) { array_unshift($htaccess_contents, '# BEGIN iThemes Security' . PHP_EOL, $host_rule, '# END iThemes Security' . PHP_EOL); $content = implode('', $htaccess_contents); } else { $content = implode('', $htaccess_contents); $content = str_replace('# BEGIN iThemes Security' . PHP_EOL, '# BEGIN iThemes Security' . PHP_EOL . $host_rule, $content); } if (!($f = @fopen($htaccess_file, 'w+'))) { return false; //we can't write to the file } @fwrite($f, $content); @fclose($f); //look for the tweaks module to see if we should reset to 0444 $tweaks = get_site_option('itsec_tweaks'); if ($tweaks !== false && isset($tweaks['write_permissions'])) { $write_files = $tweaks['write_permissions']; } else { $write_files = false; } //reset file permissions if we changed them if ($perms == '0444' || $write_files === true) { @chmod($htaccess_file, 0444); } } $itsec_files->release_file_lock('htaccess'); return true; } return false; }