-
Notifications
You must be signed in to change notification settings - Fork 2
/
limit-login-attempts.php
executable file
·115 lines (82 loc) · 3.79 KB
/
limit-login-attempts.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
<?php
/*
Plugin Name: Limit Login Attempts
Plugin URI: https://wordpress.org/plugins/limit-login-attempts/
Description: Limit rate of login attempts, including by way of cookies, for each IP.
Author: Johan Eenfeldt
Author URI: http://devel.kostdoktorn.se
Text Domain: limit-login-attempts
Version: 1.8.0-dev
Copyright 2008 - 2012 Johan Eenfeldt
Thanks to Michael Skerwiderski for reverse proxy handling suggestions.
Licenced under the GNU GPL:
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
// Different ways to get remote address: direct & behind proxy
define( 'LIMIT_LOGIN_DIRECT_ADDR', 'REMOTE_ADDR' );
define( 'LIMIT_LOGIN_PROXY_ADDR', 'HTTP_X_FORWARDED_FOR' );
// Notify value checked against these in limit_login_sanitize_variables()
define( 'LIMIT_LOGIN_LOCKOUT_NOTIFY_ALLOWED', 'log,email' );
$limit_login_options = array(
// Are we behind a proxy?
'client_type' => LIMIT_LOGIN_DIRECT_ADDR,
// Lock out after this many tries
'allowed_retries' => 4,
// Lock out for this many seconds
'lockout_duration' => 1200, // 20 minutes
// Long lock out after this many lockouts
'allowed_lockouts' => 4,
// Long lock out for this many seconds
'long_duration' => 86400, // 24 hours
// Reset failed attempts after this many seconds
'valid_duration' => 43200, // 12 hours
// Also limit malformed/forged cookies?
'cookies' => true,
// Notify on lockout. Values: '', 'log', 'email', 'log,email'
'lockout_notify' => 'log',
// If notify by email, do so after this number of lockouts
'notify_email_after' => 4,
);
$limit_login_my_error_shown = false; // have we shown our stuff?
$limit_login_just_lockedout = false; // started this pageload???
$limit_login_nonempty_credentials = false; // user and pwd nonempty
add_action( 'plugins_loaded', 'limit_login_setup', 99999 );
function limit_login_setup() {
include dirname( __FILE__ ) . '/core.php';
include dirname( __FILE__ ) . '/admin.php';
load_plugin_textdomain( 'limit-login-attempts', false, plugin_basename( dirname( __FILE__ ) ) . '/languages' );
limit_login_setup_options();
add_action( 'wp_login_failed', 'limit_login_failed' );
if ( limit_login_option('cookies') ) {
limit_login_handle_cookies();
add_action( 'auth_cookie_bad_username', 'limit_login_failed_cookie' );
global $wp_version;
if ( version_compare( $wp_version, '3.0', '>=' ) ) {
add_action( 'auth_cookie_bad_hash', 'limit_login_failed_cookie_hash' );
add_action( 'auth_cookie_valid', 'limit_login_valid_cookie', 10, 2 );
} else {
add_action( 'auth_cookie_bad_hash', 'limit_login_failed_cookie' );
}
}
add_filter( 'wp_authenticate_user', 'limit_login_wp_authenticate_user', 99999, 2 );
add_filter( 'shake_error_codes', 'limit_login_failure_shake' );
add_action( 'login_head', 'limit_login_add_error_message' );
add_action( 'login_errors', 'limit_login_fixup_error_messages' );
add_action( 'admin_menu', 'limit_login_admin_menu' );
/*
* This action should really be changed to the 'authenticate' filter as
* it will probably be deprecated. That is however only available in
* later versions of WP.
*/
add_action( 'wp_authenticate', 'limit_login_track_credentials', 10, 2 );
}