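public function firewallBadIPs() {
    // Request-level blocking, run in order: (1) custom IP-range / user-agent / referer rules,
    // (2) country blocking (paid only), (3) the temporary / permanent IP block list.
    // A match hands off to do503() or redirect(); both are expected to terminate the request
    // (the existing "//exits" comment on redirect() below; do503() is assumed to behave the
    // same way, otherwise later checks would still run after a block — TODO confirm).
    $IP = wfUtils::getIP();
    if ($this->isWhitelisted($IP)) {
        // Whitelisted addresses bypass every check below, including the permanent block list.
        return;
    }
    $IPnum = wfUtils::inet_pton($IP);

    // --- (1) Custom rules: IP range and/or UA pattern and/or referer pattern ---
    $rules = $this->getDB()->querySelect("select id, blockType, blockString from " . $this->ipRangesTable);
    foreach ($rules as $blockRec) {
        if ($blockRec['blockType'] != 'IU') {
            continue;
        }
        // blockString is "ipRange|uaPattern[|refPattern]"; an empty field means the criterion
        // is not part of this rule.
        $bDat = explode('|', $blockRec['blockString']);
        $ipRange = $bDat[0];
        $uaPattern = isset($bDat[1]) ? $bDat[1] : '';
        $refPattern = isset($bDat[2]) ? $bDat[2] : '';

        // One boolean per configured criterion: did it match the current request?
        $matches = array();

        if ($ipRange) {
            $ipRangeBlocked = false;
            $bounds = explode('-', $ipRange);
            // A range must be "start-end"; anything else can never match (the original raised an
            // undefined-offset notice here and then also failed to match).
            if (count($bounds) == 2) {
                list($start_range, $end_range) = $bounds;
                if (preg_match('/[\\.:]/', $start_range)) {
                    // Dotted / colon notation: IPv4 or IPv6 literals.
                    $start_range = wfUtils::inet_pton($start_range);
                    $end_range = wfUtils::inet_pton($end_range);
                } else {
                    // Legacy rules store IPv4 bounds as 32-bit integers.
                    $start_range = wfUtils::inet_pton(long2ip($start_range));
                    $end_range = wfUtils::inet_pton(long2ip($end_range));
                }
                // Byte-wise comparison of the packed forms; this only orders correctly if
                // wfUtils::inet_pton() returns same-width binary for $IPnum and both bounds
                // (e.g. IPv4 mapped into 16 bytes) — TODO confirm against wfUtils.
                if (strcmp($IPnum, $start_range) >= 0 && strcmp($IPnum, $end_range) <= 0) {
                    $ipRangeBlocked = true;
                }
            }
            $matches[] = $ipRangeBlocked;
        }
        if ($uaPattern) {
            $matches[] = (bool) wfUtils::isUABlocked($uaPattern);
        }
        if ($refPattern) {
            $matches[] = (bool) wfUtils::isRefererBlocked($refPattern);
        }

        // Block only when EVERY criterion the rule configures matched. The previous
        // if / else-if chain fell through to "block on UA match alone" whenever the rule did
        // not set both an IP range and a referer, so a rule like "IP range X AND UA Y" blocked
        // any visitor with UA Y regardless of address. The explicit 2- and 3-way combination
        // checks it also contained show all-must-match was the intent.
        $doBlock = !empty($matches) && !in_array(false, $matches, true);
        if ($doBlock) {
            $this->getDB()->queryWrite("update " . $this->ipRangesTable . " set totalBlocked = totalBlocked + 1, lastBlocked = unix_timestamp() where id=%d", $blockRec['id']);
            wfActivityReport::logBlockedIP($IP);
            $this->do503(3600, "Advanced blocking in effect.");
        }
    }

    // --- (2) Country blocking (paid feature) ---
    if (wfConfig::get('isPaid')) {
        $blockedCountries = wfConfig::get('cbl_countries', false);
        $bareRequestURI = wfUtils::extractBareURI($_SERVER['REQUEST_URI']);
        $bareBypassRedirURI = wfUtils::extractBareURI(wfConfig::get('cbl_bypassRedirURL', ''));
        $skipCountryBlocking = false;

        // Bypass URL #1: visiting it sets the bypass cookie and redirects to a destination.
        // Checked before the country test so that even visitors who are not blocked get the
        // cookie and can bypass future blocks.
        if ($bareBypassRedirURI && $bareRequestURI == $bareBypassRedirURI) {
            $bypassRedirDest = wfConfig::get('cbl_bypassRedirDest', '');
            if ($bypassRedirDest) {
                self::setCBLCookieBypass();
                $this->redirect($bypassRedirDest); //exits
            }
        }
        // Bypass URL #2: visiting it sets the cookie and serves the page normally.
        $bareBypassViewURI = wfUtils::extractBareURI(wfConfig::get('cbl_bypassViewURL', ''));
        if ($bareBypassViewURI && $bareBypassViewURI == $bareRequestURI) {
            self::setCBLCookieBypass();
            $skipCountryBlocking = true;
        }

        if (!$skipCountryBlocking && $blockedCountries && !self::isCBLBypassCookieSet()) {
            $isLoginPage = strpos($_SERVER['REQUEST_URI'], '/wp-login.php') !== false;
            // The admin chooses which scopes country blocking applies to; a request in a scope
            // that is not blocked is exempt.
            $exempt = false;
            if (is_user_logged_in() && !wfConfig::get('cbl_loggedInBlocked', false)) {
                $exempt = true; // logged-in users are allowed
            } elseif ($isLoginPage && !wfConfig::get('cbl_loginFormBlocked', false)) {
                $exempt = true; // the login form is allowed
            } elseif (!$isLoginPage && !wfConfig::get('cbl_restOfSiteBlocked', false)) {
                $exempt = true; // the rest of the site is allowed
            }

            if (!$exempt && ($country = wfUtils::IP2Country($IP))) {
                foreach (explode(',', $blockedCountries) as $blocked) {
                    if (strtoupper($blocked) != strtoupper($country)) {
                        continue;
                    }
                    // The visitor's country is on the block list.
                    if (wfConfig::get('cbl_action') == 'redir') {
                        $redirURL = wfConfig::get('cbl_redirURL');
                        $eRedirHost = wfUtils::extractHostname($redirURL);
                        $isExternalRedir = (bool) ($eRedirHost && $eRedirHost != wfUtils::extractHostname(home_url()));
                        if (!$isExternalRedir && wfUtils::extractBareURI($redirURL) == $bareRequestURI) {
                            // This request IS the local page blocked visitors are sent to, so let
                            // it load rather than redirecting in a loop.
                            // A referer-based exemption (treating requests whose HTTP_REFERER is
                            // $redirURL as page components) is deliberately NOT done: the referer
                            // is attacker-controlled, so it would let anyone from a blocked
                            // country crawl the whole site by forging that header.
                        } else {
                            $this->redirect(wfConfig::get('cbl_redirURL'));
                        }
                    } else {
                        // Increment before do503(): the original incremented afterwards, and if
                        // do503() ends the request (as its other call sites suggest) the counter
                        // never moved on this path. Matches the order used in checkForBlockedCountry().
                        wfConfig::inc('totalCountryBlocked');
                        $this->do503(3600, "Access from your area has been temporarily limited for security reasons");
                    }
                }
            }
        }
    }

    // --- (3) Temporary / permanent IP block list ---
    $rec = $this->getDB()->querySingleRec(
        "select blockedTime, reason from " . $this->blocksTable . " where IP=%s and (permanent=1 OR (blockedTime + %s > unix_timestamp()))",
        $IPnum,
        wfConfig::get('blockedTime')
    );
    if ($rec) {
        $this->getDB()->queryWrite("update " . $this->blocksTable . " set lastAttempt=unix_timestamp(), blockedHits = blockedHits + 1 where IP=%s", $IPnum);
        // Use the database clock so the remaining time agrees with the unix_timestamp() used
        // in the select above. NOTE(review): for permanent blocks this can be <= 0; handling of
        // that value is left to do503() as in the original — confirm it treats it sensibly.
        $now = $this->getDB()->querySingle("select unix_timestamp()");
        $secsToGo = $rec['blockedTime'] + wfConfig::get('blockedTime') - $now;
        if (wfConfig::get('other_WFNet') && strpos($_SERVER['REQUEST_URI'], '/wp-login.php') !== false) {
            // A login attempt from an already-blocked IP: report it to the Wordfence network.
            wordfence::wfsnReportBlockedAttempt($IP, 'login');
        }
        $this->do503($secsToGo, $rec['reason']);
    }
}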
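public function checkForBlockedCountry() {
    // Country-blocking check that runs at most once per request (static guard). Unlike
    // firewallBadIPs() it performs no isPaid / bypass-cookie / scope checks of its own;
    // presumably the caller decides when it applies (not visible here) — verify before
    // relying on it as a stand-alone control.
    static $hasRun;
    if (isset($hasRun)) {
        return;
    }
    $hasRun = true;

    $blockedCountries = wfConfig::get('cbl_countries', false);
    if (!$blockedCountries) {
        // Nothing configured: no lookup needed (the original looped over an empty list).
        return;
    }
    $bareRequestURI = untrailingslashit(wfUtils::extractBareURI($_SERVER['REQUEST_URI']));
    $IP = wfUtils::getIP();
    $country = wfUtils::IP2Country($IP);
    if (!$country) {
        return;
    }

    foreach (explode(',', $blockedCountries) as $blocked) {
        if (strtoupper($blocked) != strtoupper($country)) {
            continue;
        }
        // The visitor's country is on the block list.
        if (wfConfig::get('cbl_action') == 'redir') {
            $redirURL = wfConfig::get('cbl_redirURL');
            $eRedirHost = wfUtils::extractHostname($redirURL);
            $isExternalRedir = (bool) ($eRedirHost && $eRedirHost != wfUtils::extractHostname(home_url()));
            if (!$isExternalRedir && untrailingslashit(wfUtils::extractBareURI($redirURL)) == $bareRequestURI) {
                // This request IS the local page blocked visitors are sent to: serve it rather
                // than redirecting in a loop.
                // A referer-based exemption (treating requests whose HTTP_REFERER is $redirURL
                // as page components) is deliberately NOT done: the referer is attacker-controlled,
                // so it would let anyone from a blocked country crawl the site by forging it.
            } else {
                wfConfig::inc('totalCountryBlocked');
                $this->initLogRequest();
                $this->currentRequest->actionDescription = 'blocked access via country blocking and redirected to URL (' . wfConfig::get('cbl_redirURL') . ')';
                $this->currentRequest->statusCode = 503;
                if (!$this->currentRequest->action) {
                    $this->currentRequest->action = 'blocked:wordfence';
                }
                $this->logHit();
                wfActivityReport::logBlockedIP($IP);
                $this->redirect(wfConfig::get('cbl_redirURL'));
            }
        } else {
            // Fix: the original wrote $this->currentRequest->actionDescription here without the
            // initLogRequest() call the redirect branch makes, so currentRequest could be unset
            // on this path. NOTE(review): assumes initLogRequest() is safe to call when a request
            // record already exists — confirm against its definition.
            $this->initLogRequest();
            $this->currentRequest->actionDescription = 'blocked access via country blocking';
            wfConfig::inc('totalCountryBlocked');
            wfActivityReport::logBlockedIP($IP);
            $this->do503(3600, "Access from your area has been temporarily limited for security reasons");
        }
    }
}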