public static function authenticateFilter($authUser, $username, $passwd)
{
wfConfig::inc('totalLoginHits');
//The total hits to wp-login.php including logins, logouts and just hits.
$IP = wfUtils::getIP();
$secEnabled = wfConfig::get('loginSecurityEnabled');
$twoFactorUsers = wfConfig::get_ser('twoFactorUsers', array());
$userDat = isset($_POST['wordfence_userDat']) ? $_POST['wordfence_userDat'] : false;
$checkTwoFactor = $secEnabled && !self::getLog()->isWhitelisted($IP) && wfConfig::get('isPaid') && isset($twoFactorUsers) && is_array($twoFactorUsers) && sizeof($twoFactorUsers) > 0 && is_object($userDat) && get_class($userDat) == 'WP_User';
if ($checkTwoFactor) {
$twoFactorRecord = false;
$hasActivatedTwoFactorUser = false;
foreach ($twoFactorUsers as &$t) {
if ($t[3] == 'activated') {
$userID = $t[0];
$testUser = get_user_by('ID', $userID);
if (is_object($testUser) && wfUtils::isAdmin($testUser)) {
$hasActivatedTwoFactorUser = true;
}
if ($userID == $userDat->ID) {
$twoFactorRecord =& $t;
}
}
}
if (isset($_POST['wordfence_authFactor']) && $_POST['wordfence_authFactor'] && $twoFactorRecord) {
//User authenticated with name and password, 2FA code ready to check
$userID = $userDat->ID;
if (get_class($authUser) == 'WP_User' && $authUser->ID == $userID) {
//Do nothing. This is the code path the old method of including the code in the password field will take -- since we already have a valid $authUser, skip the nonce verification portion
} else {
if (isset($_POST['wordfence_twoFactorNonce'])) {
$twoFactorNonce = preg_replace('/[^a-f0-9]/i', '', $_POST['wordfence_twoFactorNonce']);
if (!self::verifyTwoFactorIntermediateValues($userID, $twoFactorNonce)) {
self::$authError = new WP_Error('twofactor_required', __('<strong>VERIFICATION FAILED</strong>: Two factor authentication verification failed. Please try again.'));
return self::processBruteForceAttempt(self::$authError, $username, $passwd);
}
} else {
//Code path for old method, invalid password the second time
self::$authError = $authUser;
if (is_wp_error(self::$authError) && (self::$authError->get_error_code() == 'invalid_username' || $authUser->get_error_code() == 'invalid_email' || self::$authError->get_error_code() == 'incorrect_password' || $authUser->get_error_code() == 'authentication_failed') && wfConfig::get('loginSec_maskLoginErrors')) {
self::$authError = new WP_Error('incorrect_password', sprintf(__('<strong>ERROR</strong>: The username or password you entered is incorrect. <a href="%2$s" title="Password Lost and Found">Lost your password</a>?'), $username, wp_lostpassword_url()));
}
return self::processBruteForceAttempt(self::$authError, $username, $passwd);
}
}
if (isset($twoFactorRecord[5])) {
//New method TOTP
$mode = $twoFactorRecord[5];
$code = preg_replace('/[^a-f0-9]/i', '', $_POST['wordfence_authFactor']);
$api = new wfAPI(wfConfig::get('apiKey'), wfUtils::getWPVersion());
try {
$codeResult = $api->call('twoFactorTOTP_verify', array(), array('totpid' => $twoFactorRecord[6], 'code' => $code, 'mode' => $mode));
if (isset($codeResult['notPaid']) && $codeResult['notPaid']) {
//No longer a paid key, let them sign in without two factor
} else {
if (isset($codeResult['ok']) && $codeResult['ok']) {
//Everything's good, let the sign in continue
} else {
if (get_class($authUser) == 'WP_User' && $authUser->ID == $userID) {
//Using the old method of appending the code to the password
if ($mode == 'authenticator') {
self::$authError = new WP_Error('twofactor_invalid', __('<strong>INVALID CODE</strong>: Please sign in again and add a space, the letters <code>wf</code>, and the code from your authenticator app to the end of your password (e.g., <code>wf123456</code>).'));
} else {
self::$authError = new WP_Error('twofactor_invalid', __('<strong>INVALID CODE</strong>: Please sign in again and add a space, the letters <code>wf</code>, and the code sent to your phone to the end of your password (e.g., <code>wf123456</code>).'));
}
} else {
$loginNonce = wfWAFUtils::random_bytes(20);
if ($loginNonce === false) {
//Should never happen but is technically possible
self::$authError = new WP_Error('twofactor_required', __('<strong>AUTHENTICATION FAILURE</strong>: A temporary failure was encountered while trying to log in. Please try again.'));
return self::$authError;
}
$loginNonce = bin2hex($loginNonce);
update_user_meta($userDat->ID, '_wf_twoFactorNonce', $loginNonce);
update_user_meta($userDat->ID, '_wf_twoFactorNonceTime', time());
if ($mode == 'authenticator') {
self::$authError = new WP_Error('twofactor_invalid', __('<strong>INVALID CODE</strong>: You need to enter the code generated by your authenticator app. The code should be a six digit number (e.g., 123456).') . '<!-- wftwofactornonce:' . $userDat->ID . '/' . $loginNonce . ' -->');
} else {
self::$authError = new WP_Error('twofactor_invalid', __('<strong>INVALID CODE</strong>: You need to enter the code generated sent to your phone. The code should be a six digit number (e.g., 123456).') . '<!-- wftwofactornonce:' . $userDat->ID . '/' . $loginNonce . ' -->');
}
}
return self::processBruteForceAttempt(self::$authError, $username, $passwd);
}
}
} catch (Exception $e) {
if (self::isDebugOn()) {
error_log('TOTP validation error: ' . $e->getMessage());
}
}
// Couldn't connect to noc1, let them sign in since the password was correct.
} else {
//Old method phone authentication
$authFactor = $_POST['wordfence_authFactor'];
if (strlen($authFactor) == 4) {
$authFactor = 'wf' . $authFactor;
}
if ($authFactor == $twoFactorRecord[2] && $twoFactorRecord[4] > time()) {
// Set this 2FA code to expire in 30 seconds (for other plugins hooking into the auth process)
$twoFactorRecord[4] = time() + 30;
wfConfig::set_ser('twoFactorUsers', $twoFactorUsers);
} else {
if ($authFactor == $twoFactorRecord[2]) {
$api = new wfAPI(wfConfig::get('apiKey'), wfUtils::getWPVersion());
try {
$codeResult = $api->call('twoFactor_verification', array(), array('phone' => $twoFactorRecord[1]));
if (isset($codeResult['notPaid']) && $codeResult['notPaid']) {
//No longer a paid key, let them sign in without two factor
} else {
if (isset($codeResult['ok']) && $codeResult['ok']) {
$twoFactorRecord[2] = $codeResult['code'];
$twoFactorRecord[4] = time() + 1800;
//30 minutes until code expires
wfConfig::set_ser('twoFactorUsers', $twoFactorUsers);
//save the code the user needs to enter and return an error.
$loginNonce = wfWAFUtils::random_bytes(20);
if ($loginNonce === false) {
//Should never happen but is technically possible
self::$authError = new WP_Error('twofactor_required', __('<strong>AUTHENTICATION FAILURE</strong>: A temporary failure was encountered while trying to log in. Please try again.'));
return self::$authError;
}
$loginNonce = bin2hex($loginNonce);
update_user_meta($userDat->ID, '_wf_twoFactorNonce', $loginNonce);
update_user_meta($userDat->ID, '_wf_twoFactorNonceTime', time());
self::$authError = new WP_Error('twofactor_required', __('<strong>CODE EXPIRED. CHECK YOUR PHONE:</strong> The code you entered has expired. Codes are only valid for 30 minutes for security reasons. We have sent you a new code. Please sign in using your username, password, and the new code we sent you.') . '<!-- wftwofactornonce:' . $userDat->ID . '/' . $loginNonce . ' -->');
return self::$authError;
}
}
//else: No new code was received. Let them sign in with the expired code.
} catch (Exception $e) {
// Couldn't connect to noc1, let them sign in since the password was correct.
}
} else {
//Bad code, so cancel the login and return an error to user.
$loginNonce = wfWAFUtils::random_bytes(20);
if ($loginNonce === false) {
//Should never happen but is technically possible
self::$authError = new WP_Error('twofactor_required', __('<strong>AUTHENTICATION FAILURE</strong>: A temporary failure was encountered while trying to log in. Please try again.'));
return self::$authError;
}
$loginNonce = bin2hex($loginNonce);
update_user_meta($userDat->ID, '_wf_twoFactorNonce', $loginNonce);
update_user_meta($userDat->ID, '_wf_twoFactorNonceTime', time());
self::$authError = new WP_Error('twofactor_invalid', __('<strong>INVALID CODE</strong>: You need to enter your password and the code we sent to your phone. The code should start with \'wf\' and should be four characters (e.g., wfAB12).') . '<!-- wftwofactornonce:' . $userDat->ID . '/' . $loginNonce . ' -->');
return self::processBruteForceAttempt(self::$authError, $username, $passwd);
}
}
}
delete_user_meta($userDat->ID, '_wf_twoFactorNonce');
delete_user_meta($userDat->ID, '_wf_twoFactorNonceTime');
$authUser = $userDat;
//Log in as the user we saved in the wp_authenticate action
} else {
if (get_class($authUser) == 'WP_User') {
//User authenticated with name and password, prompt for the 2FA code
//Verify at least one administrator has 2FA enabled
$requireAdminTwoFactor = $hasActivatedTwoFactorUser && wfConfig::get('loginSec_requireAdminTwoFactor');
if ($twoFactorRecord) {
if ($twoFactorRecord[0] == $userDat->ID && $twoFactorRecord[3] == 'activated') {
//Yup, enabled, so require the code
$loginNonce = wfWAFUtils::random_bytes(20);
if ($loginNonce === false) {
//Should never happen but is technically possible, allow login
$requireAdminTwoFactor = false;
} else {
$loginNonce = bin2hex($loginNonce);
update_user_meta($userDat->ID, '_wf_twoFactorNonce', $loginNonce);
update_user_meta($userDat->ID, '_wf_twoFactorNonceTime', time());
if (isset($twoFactorRecord[5])) {
//New method TOTP authentication
if ($twoFactorRecord[5] == 'authenticator') {
if (self::hasGDLimitLoginsMUPlugin() && function_exists('limit_login_get_address')) {
$retries = get_option('limit_login_retries', array());
$ip = limit_login_get_address();
if (!is_array($retries)) {
$retries = array();
}
if (isset($retries[$ip]) && is_int($retries[$ip])) {
$retries[$ip]--;
} else {
$retries[$ip] = 0;
}
update_option('limit_login_retries', $retries);
}
$allowSeparatePrompt = ini_get('output_buffering') > 0;
if (wfConfig::get('loginSec_enableSeparateTwoFactor') && $allowSeparatePrompt) {
self::$authError = new WP_Error('twofactor_required', __('<strong>CODE REQUIRED</strong>: Please check your authenticator app for the current code. Enter it below to sign in.') . '<!-- wftwofactornonce:' . $userDat->ID . '/' . $loginNonce . ' -->');
return self::$authError;
} else {
self::$authError = new WP_Error('twofactor_required', __('<strong>CODE REQUIRED</strong>: Please check your authenticator app for the current code. Please sign in again and add a space, the letters <code>wf</code>, and the code to the end of your password (e.g., <code>wf123456</code>).'));
return self::$authError;
}
} else {
//Phone TOTP
$api = new wfAPI(wfConfig::get('apiKey'), wfUtils::getWPVersion());
try {
$codeResult = $api->call('twoFactorTOTP_sms', array(), array('totpid' => $twoFactorRecord[6]));
if (isset($codeResult['notPaid']) && $codeResult['notPaid']) {
$requireAdminTwoFactor = false;
//Let them sign in without two factor if their API key has expired or they're not paid and for some reason they have this set up.
} else {
if (isset($codeResult['ok']) && $codeResult['ok']) {
if (self::hasGDLimitLoginsMUPlugin() && function_exists('limit_login_get_address')) {
$retries = get_option('limit_login_retries', array());
$ip = limit_login_get_address();
if (!is_array($retries)) {
$retries = array();
}
if (isset($retries[$ip]) && is_int($retries[$ip])) {
$retries[$ip]--;
} else {
$retries[$ip] = 0;
}
update_option('limit_login_retries', $retries);
}
$allowSeparatePrompt = ini_get('output_buffering') > 0;
if (wfConfig::get('loginSec_enableSeparateTwoFactor') && $allowSeparatePrompt) {
self::$authError = new WP_Error('twofactor_required', __('<strong>CHECK YOUR PHONE</strong>: A code has been sent to your phone and will arrive within 30 seconds. Enter it below to sign in.') . '<!-- wftwofactornonce:' . $userDat->ID . '/' . $loginNonce . ' -->');
return self::$authError;
} else {
self::$authError = new WP_Error('twofactor_required', __('<strong>CHECK YOUR PHONE</strong>: A code has been sent to your phone and will arrive within 30 seconds. Please sign in again and add a space, the letters <code>wf</code>, and the code to the end of your password (e.g., <code>wf123456</code>).'));
return self::$authError;
}
} else {
//oops, our API returned an error.
$requireAdminTwoFactor = false;
//Let them sign in without two factor because the API is broken and we don't want to lock users out of their own systems.
}
}
} catch (Exception $e) {
if (self::isDebugOn()) {
error_log('TOTP SMS error: ' . $e->getMessage());
}
$requireAdminTwoFactor = false;
// Couldn't connect to noc1, let them sign in since the password was correct.
}
}
} else {
//Old method phone authentication
$api = new wfAPI(wfConfig::get('apiKey'), wfUtils::getWPVersion());
try {
$codeResult = $api->call('twoFactor_verification', array(), array('phone' => $twoFactorRecord[1]));
if (isset($codeResult['notPaid']) && $codeResult['notPaid']) {
$requireAdminTwoFactor = false;
//Let them sign in without two factor if their API key has expired or they're not paid and for some reason they have this set up.
} else {
if (isset($codeResult['ok']) && $codeResult['ok']) {
$twoFactorRecord[2] = $codeResult['code'];
$twoFactorRecord[4] = time() + 1800;
//30 minutes until code expires
wfConfig::set_ser('twoFactorUsers', $twoFactorUsers);
//save the code the user needs to enter and return an error.
if (self::hasGDLimitLoginsMUPlugin() && function_exists('limit_login_get_address')) {
$retries = get_option('limit_login_retries', array());
$ip = limit_login_get_address();
if (!is_array($retries)) {
$retries = array();
}
if (isset($retries[$ip]) && is_int($retries[$ip])) {
$retries[$ip]--;
} else {
$retries[$ip] = 0;
}
update_option('limit_login_retries', $retries);
}
$allowSeparatePrompt = ini_get('output_buffering') > 0;
if (wfConfig::get('loginSec_enableSeparateTwoFactor') && $allowSeparatePrompt) {
self::$authError = new WP_Error('twofactor_required', __('<strong>CHECK YOUR PHONE</strong>: A code has been sent to your phone and will arrive within 30 seconds. Enter it below to sign in.') . '<!-- wftwofactornonce:' . $userDat->ID . '/' . $loginNonce . ' -->');
return self::$authError;
} else {
self::$authError = new WP_Error('twofactor_required', __('<strong>CHECK YOUR PHONE</strong>: A code has been sent to your phone and will arrive within 30 seconds. Please sign in again and add a space and the code to the end of your password (e.g., <code>wfABCD</code>).'));
return self::$authError;
}
} else {
//oops, our API returned an error.
$requireAdminTwoFactor = false;
//Let them sign in without two factor because the API is broken and we don't want to lock users out of their own systems.
}
}
} catch (Exception $e) {
$requireAdminTwoFactor = false;
// Couldn't connect to noc1, let them sign in since the password was correct.
}
}
//end: Old method phone authentication
}
}
}
if ($requireAdminTwoFactor && wfUtils::isAdmin($authUser)) {
$username = $authUser->user_login;
self::getLog()->logLogin('loginFailValidUsername', 1, $username);
wordfence::alert("Admin Login Blocked", "A user with username \"{$username}\" who has administrator access tried to sign in to your WordPress site. Access was denied because all administrator accounts are required to have Cellphone Sign-in enabled but this account does not.", wfUtils::getIP());
self::$authError = new WP_Error('twofactor_disabled_required', __('<strong>Cellphone Sign-in Required</strong>: Cellphone Sign-in is required for all administrator accounts. Please contact the site administrator to enable it for your account.'));
return self::$authError;
}
//User is not configured for two factor. Sign in without two factor.
}
}
}
//End: if ($checkTwoFactor)
return self::processBruteForceAttempt($authUser, $username, $passwd);
}
public static function requestDetectProxyCallback($timeout = 0.01, $blocking = false)
{
$nonce = bin2hex(wfWAFUtils::random_bytes(32));
$callback = self::getSiteBaseURL() . '?_wfsf=detectProxy';
wfConfig::set('detectProxyNonce', $nonce, wfConfig::DONT_AUTOLOAD);
wfConfig::set('detectProxyRecommendation', '', wfConfig::DONT_AUTOLOAD);
$payload = array('nonce' => $nonce, 'callback' => $callback);
$siteurl = '';
if (function_exists('get_bloginfo')) {
if (is_multisite()) {
$siteurl = network_home_url();
$siteurl = rtrim($siteurl, '/');
//Because previously we used get_bloginfo and it returns http://example.com without a '/' char.
} else {
$siteurl = home_url();
}
}
wp_remote_post(WFWAF_API_URL_SEC . "?" . http_build_query(array('action' => 'detect_proxy', 'k' => wfConfig::get('apiKey'), 's' => $siteurl, 't' => microtime(true)), null, '&'), array('body' => json_encode($payload), 'headers' => array('Content-Type' => 'application/json'), 'timeout' => $timeout, 'blocking' => $blocking));
//Asynchronous so we don't care about a response at this point.
}
