public function firewallBadIPs()
{
$IP = wfUtils::getIP();
if ($this->isWhitelisted($IP)) {
return;
}
$IPnum = wfUtils::inet_pton($IP);
//New range and UA pattern blocking:
$r1 = $this->getDB()->querySelect("select id, blockType, blockString from " . $this->ipRangesTable);
foreach ($r1 as $blockRec) {
if ($blockRec['blockType'] == 'IU') {
$ipRangeBlocked = false;
$uaPatternBlocked = false;
$refBlocked = false;
$bDat = explode('|', $blockRec['blockString']);
$ipRange = $bDat[0];
$uaPattern = $bDat[1];
$refPattern = isset($bDat[2]) ? $bDat[2] : '';
if ($ipRange) {
list($start_range, $end_range) = explode('-', $ipRange);
if (preg_match('/[\\.:]/', $start_range)) {
$start_range = wfUtils::inet_pton($start_range);
$end_range = wfUtils::inet_pton($end_range);
} else {
$start_range = wfUtils::inet_pton(long2ip($start_range));
$end_range = wfUtils::inet_pton(long2ip($end_range));
}
if (strcmp($IPnum, $start_range) >= 0 && strcmp($IPnum, $end_range) <= 0) {
$ipRangeBlocked = true;
}
}
if ($uaPattern) {
if (wfUtils::isUABlocked($uaPattern)) {
$uaPatternBlocked = true;
}
}
if ($refPattern) {
if (wfUtils::isRefererBlocked($refPattern)) {
$refBlocked = true;
}
}
$doBlock = false;
if ($uaPattern && $ipRange && $refPattern) {
if ($uaPatternBlocked && $ipRangeBlocked && $refBlocked) {
$doBlock = true;
}
}
if ($uaPattern && $ipRange) {
if ($uaPatternBlocked && $ipRangeBlocked) {
$doBlock = true;
}
}
if ($uaPattern && $refPattern) {
if ($uaPatternBlocked && $refBlocked) {
$doBlock = true;
}
}
if ($ipRange && $refPattern) {
if ($ipRangeBlocked && $refBlocked) {
$doBlock = true;
}
} else {
if ($uaPattern) {
if ($uaPatternBlocked) {
$doBlock = true;
}
} else {
if ($ipRange) {
if ($ipRangeBlocked) {
$doBlock = true;
}
} else {
if ($refPattern) {
if ($refBlocked) {
$doBlock = true;
}
}
}
}
}
if ($doBlock) {
$this->getDB()->queryWrite("update " . $this->ipRangesTable . " set totalBlocked = totalBlocked + 1, lastBlocked = unix_timestamp() where id=%d", $blockRec['id']);
wfActivityReport::logBlockedIP($IP);
$this->do503(3600, "Advanced blocking in effect.");
}
}
}
//End range/UA blocking
// Country blocking
if (wfConfig::get('isPaid')) {
$blockedCountries = wfConfig::get('cbl_countries', false);
$bareRequestURI = wfUtils::extractBareURI($_SERVER['REQUEST_URI']);
$bareBypassRedirURI = wfUtils::extractBareURI(wfConfig::get('cbl_bypassRedirURL', ''));
$skipCountryBlocking = false;
if ($bareBypassRedirURI && $bareRequestURI == $bareBypassRedirURI) {
//Run this before country blocking because even if the user isn't blocked we need to set the bypass cookie so they can bypass future blocks.
$bypassRedirDest = wfConfig::get('cbl_bypassRedirDest', '');
if ($bypassRedirDest) {
self::setCBLCookieBypass();
$this->redirect($bypassRedirDest);
//exits
}
}
$bareBypassViewURI = wfUtils::extractBareURI(wfConfig::get('cbl_bypassViewURL', ''));
if ($bareBypassViewURI && $bareBypassViewURI == $bareRequestURI) {
self::setCBLCookieBypass();
$skipCountryBlocking = true;
}
if (!$skipCountryBlocking && $blockedCountries && !self::isCBLBypassCookieSet()) {
if (is_user_logged_in() && !wfConfig::get('cbl_loggedInBlocked', false)) {
//User is logged in and we're allowing logins
//Do nothing
} else {
if (strpos($_SERVER['REQUEST_URI'], '/wp-login.php') !== false && !wfConfig::get('cbl_loginFormBlocked', false)) {
//It's the login form and we're allowing that
//Do nothing
} else {
if (strpos($_SERVER['REQUEST_URI'], '/wp-login.php') === false && !wfConfig::get('cbl_restOfSiteBlocked', false)) {
//It's the rest of the site and we're allowing that
//Do nothing
} else {
if ($country = wfUtils::IP2Country($IP)) {
foreach (explode(',', $blockedCountries) as $blocked) {
if (strtoupper($blocked) == strtoupper($country)) {
//At this point we know the user has been blocked
if (wfConfig::get('cbl_action') == 'redir') {
$redirURL = wfConfig::get('cbl_redirURL');
$eRedirHost = wfUtils::extractHostname($redirURL);
$isExternalRedir = false;
if ($eRedirHost && $eRedirHost != wfUtils::extractHostname(home_url())) {
//It's an external redirect...
$isExternalRedir = true;
}
if (!$isExternalRedir && wfUtils::extractBareURI($redirURL) == $bareRequestURI) {
//Is this the URI we want to redirect to, then don't block it
//Do nothing
/* Uncomment the following if page components aren't loading for the page we redirect to.
Uncommenting is not recommended because it means that anyone from a blocked country
can crawl your site by sending the page blocked users are redirected to as the referer for every request.
But it's your call.
} else if(wfUtils::extractBareURI($_SERVER['HTTP_REFERER']) == $redirURL){ //If the referer the page we want to redirect to? Then this might be loading as a component so don't block.
//Do nothing
*/
} else {
$this->redirect(wfConfig::get('cbl_redirURL'));
}
} else {
$this->do503(3600, "Access from your area has been temporarily limited for security reasons");
wfConfig::inc('totalCountryBlocked');
}
}
}
}
}
}
}
}
}
if ($rec = $this->getDB()->querySingleRec("select blockedTime, reason from " . $this->blocksTable . " where IP=%s and (permanent=1 OR (blockedTime + %s > unix_timestamp()))", $IPnum, wfConfig::get('blockedTime'))) {
$this->getDB()->queryWrite("update " . $this->blocksTable . " set lastAttempt=unix_timestamp(), blockedHits = blockedHits + 1 where IP=%s", $IPnum);
$now = $this->getDB()->querySingle("select unix_timestamp()");
$secsToGo = $rec['blockedTime'] + wfConfig::get('blockedTime') - $now;
if (wfConfig::get('other_WFNet') && strpos($_SERVER['REQUEST_URI'], '/wp-login.php') !== false) {
//We're on the login page and this IP has been blocked
wordfence::wfsnReportBlockedAttempt($IP, 'login');
}
$this->do503($secsToGo, $rec['reason']);
}
}
public function checkForBlockedCountry()
{
static $hasRun;
if (isset($hasRun)) {
return;
}
$hasRun = true;
$blockedCountries = wfConfig::get('cbl_countries', false);
$bareRequestURI = untrailingslashit(wfUtils::extractBareURI($_SERVER['REQUEST_URI']));
$IP = wfUtils::getIP();
if ($country = wfUtils::IP2Country($IP)) {
foreach (explode(',', $blockedCountries) as $blocked) {
if (strtoupper($blocked) == strtoupper($country)) {
//At this point we know the user has been blocked
if (wfConfig::get('cbl_action') == 'redir') {
$redirURL = wfConfig::get('cbl_redirURL');
$eRedirHost = wfUtils::extractHostname($redirURL);
$isExternalRedir = false;
if ($eRedirHost && $eRedirHost != wfUtils::extractHostname(home_url())) {
//It's an external redirect...
$isExternalRedir = true;
}
if (!$isExternalRedir && untrailingslashit(wfUtils::extractBareURI($redirURL)) == $bareRequestURI) {
//Is this the URI we want to redirect to, then don't block it
//Do nothing
/* Uncomment the following if page components aren't loading for the page we redirect to.
Uncommenting is not recommended because it means that anyone from a blocked country
can crawl your site by sending the page blocked users are redirected to as the referer for every request.
But it's your call.
} else if(wfUtils::extractBareURI($_SERVER['HTTP_REFERER']) == $redirURL){ //If the referer the page we want to redirect to? Then this might be loading as a component so don't block.
//Do nothing
*/
} else {
wfConfig::inc('totalCountryBlocked');
$this->initLogRequest();
$this->currentRequest->actionDescription = 'blocked access via country blocking and redirected to URL (' . wfConfig::get('cbl_redirURL') . ')';
$this->currentRequest->statusCode = 503;
if (!$this->currentRequest->action) {
$this->currentRequest->action = 'blocked:wordfence';
}
$this->logHit();
wfActivityReport::logBlockedIP($IP);
$this->redirect(wfConfig::get('cbl_redirURL'));
}
} else {
$this->currentRequest->actionDescription = 'blocked access via country blocking';
wfConfig::inc('totalCountryBlocked');
wfActivityReport::logBlockedIP($IP);
$this->do503(3600, "Access from your area has been temporarily limited for security reasons");
}
}
}
}
}
