session_id = substr(str_shuffle('0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'), 0, 24); $this->options = crb_get_settings(); $this->remote_ip = cerber_get_remote_ip(); $this->reCaptchaInit(); $this->deleteGarbage(); // Condition to check reCAPTCHA add_action( 'login_init', array( $this, 'reCaptchaNow' ) ); } /** * @since 6.3.3 */ final public function isURIProhibited() { global $cerber_status; if ( isset( $this->uri_prohibited ) ) { return $this->uri_prohibited; } if ( crb_acl_is_white() ) { $this->uri_prohibited = false; return false; } $script = cerber_last_uri(); $script = urldecode( $script ); // @since 8.1 if ( substr( $script, - 4 ) != '.php' ) { $script .= '.php'; // Apache MultiViews enabled? } if ( $script ) { if ( $script == WP_LOGIN_SCRIPT || $script == WP_SIGNUP_SCRIPT || ( $script == WP_REG_URI && ! get_option( 'users_can_register' ) ) ) { if ( !empty( $this->options['wplogin'] ) ) { $cerber_status = 19; cerber_log( 50 ); cerber_soft_block_add( $this->remote_ip, 702, $script ); $this->uri_prohibited = true; return true; } if ( ! empty( $this->options['loginnowp'] ) || $this->isDeny() ) { cerber_log( 50 ); $this->uri_prohibited = true; return true; } } elseif ( $script == WP_XMLRPC_SCRIPT || $script == WP_TRACKBACK_SCRIPT ) { if ( ! empty( $this->options['xmlrpc'] ) || $this->isDeny() ) { cerber_log( 71 ); $this->uri_prohibited = true; return true; } if ( !cerber_geo_allowed( 'geo_xmlrpc' ) ) { $cerber_status = 16; cerber_log( 71 ); $this->uri_prohibited = true; return true; } } } $this->uri_prohibited = false; return $this->uri_prohibited; } /** * @since 6.3.3 */ final public function CheckProhibitedURI(){ if ($this->isURIProhibited()){ if ( $this->options['page404'] ) { cerber_404_page(); } return true; } return false; } /** * @since 6.3.3 */ final public function InspectRequest() { $deny = false; $act = 18; if ( cerber_is_http_post() ) { if ( ! cerber_is_ip_allowed( null, CRB_CNTX_SAFE ) ) { $deny = true; $act = 18; } } elseif ( cerber_get_non_wp_fields() ) { if ( ! cerber_is_ip_allowed( null, CRB_CNTX_SAFE ) ) { $deny = true; $act = 100; } } if ( ! $deny && $_FILES ) { $file_names = array(); foreach ( $_FILES as $file ) { if ( is_array( $file['name'] ) ) { $file_names = array_merge( $file_names, $file['name'] ); } else { $file_names[] = $file['name']; } } foreach ( $file_names as $item ) { if ( $reason = $this->isProhibitedFilename( $item ) ) { $deny = true; $act = $reason; break; } } } if ( $deny ) { cerber_log( $act ); cerber_forbidden_page(); } } /** * @since 6.3.3 */ final public function isProhibitedFilename( $file_name ) { $prohibited = array( '.htaccess' ); if ( in_array( $file_name, $prohibited ) ) { return 57; } if ( cerber_detect_exec_extension( $file_name, array('js') ) ) { return 56; } return false; } /** * @since 6.3.3 */ final public function isDeny() { if ( isset( $this->deny ) ) { return $this->deny; } $this->acl = cerber_acl_check(); if ( $this->acl == 'B' || ! cerber_is_ip_allowed() ) { $this->deny = true; } else { $this->deny = false; } return $this->deny; } // TODO: replace it with cerber_get_remote_ip() final public function getRemoteIp() { return $this->remote_ip; } final public function getRequestID() { return $this->session_id; } final public function getStatus() { if (isset($this->status)) return $this->status; $this->status = 0; // Default if ( cerber_is_citadel() ) { $this->status = 3; } else { //if ( ! cerber_is_allowed( $this->remote_ip ) ) { if ( cerber_block_check( $this->remote_ip ) ) { $this->status = 2; } else { $tag = cerber_acl_check( $this->remote_ip ); if ( $tag == 'W' ) { //$this->status = 4; } elseif ( $tag == 'B' || lab_is_blocked($this->remote_ip, false)) { $this->status = 1; } } } return $this->status; } /* Return Error message in context */ final public function getErrorMsg() { $status = $this->getStatus(); switch ( $status ) { case 1: case 3: return apply_filters( 'cerber_msg_blocked', __( 'You are not allowed to log in. Ask your administrator for assistance.', 'wp-cerber' ) , $status); case 2: $block = cerber_get_block(); $min = 1 + ( $block->block_until - time() ) / 60; return apply_filters( 'cerber_msg_reached', sprintf( __( 'You have exceeded the number of allowed login attempts. Please try again in %d minutes.', 'wp-cerber' ), $min ), $min ); break; default: return __( 'You are not allowed to log in', 'wp-cerber' ); } } /* Return Remain message in context */ final public function getRemainMsg() { $acl = !$this->options['limitwhite']; $remain = cerber_get_remain_count($this->remote_ip, $acl); if ( $remain < $this->options['attempts'] ) { if ( $remain == 0 ) { $remain = 1; // with some settings or when lockout was manually removed, we need to have 1 attempt. } return apply_filters( 'cerber_msg_remain', sprintf( _n( 'You have only one attempt remaining.', 'You have %d attempts remaining.', $remain, 'wp-cerber' ), $remain ), $remain ); } return false; } final public function getSettings( $name = null ) { if ( ! empty( $name ) ) { if ( isset( $this->options[ $name ] ) ) { return $this->options[ $name ]; } else { return false; } } return $this->options; } /* final public function isProhibited( $username ) { if ( empty( $this->options['prohibited'] ) ) { return false; } return in_array( $username, (array) $this->options['prohibited'] ); }*/ /** * Adding reCAPTCHA widgets * */ final public function reCaptchaInit(){ if ( $this->status == 4 || empty( $this->options['sitekey'] ) || empty( $this->options['secretkey'] )) return; // Native WP forms add_action( 'login_form', function () { global $wp_cerber; $wp_cerber->reCaptcha( 'widget', 'recaplogin' ); } ); add_filter( 'login_form_middle', function ( $value ) { global $wp_cerber; $value .= $wp_cerber->reCaptcha( 'widget', 'recaplogin', false ); return $value; }); add_action( 'lostpassword_form', function () { global $wp_cerber; $wp_cerber->reCaptcha( 'widget', 'recaplost' ); } ); add_action( 'register_form', function () { global $wp_cerber; if ( !did_action( 'woocommerce_register_form_start' ) ) { $wp_cerber->reCaptcha( 'widget', 'recapreg' ); } } ); // Support for WooCommerce forms: @since 3.8 add_action( 'woocommerce_login_form', function () { global $wp_cerber; $wp_cerber->reCaptcha( 'widget', 'recapwoologin' ); } ); add_action( 'woocommerce_lostpassword_form', function () { global $wp_cerber; $wp_cerber->reCaptcha( 'widget', 'recapwoolost' ); } ); add_action( 'woocommerce_register_form', function () { global $wp_cerber; if ( ! did_action( 'woocommerce_register_form_start' ) ) { return; } $wp_cerber->reCaptcha( 'widget', 'recapwooreg' ); } ); add_filter( 'woocommerce_process_login_errors', function ( $validation_error ) { global $wp_cerber; //$wp_cerber->reCaptchaNow(); if ( ! $wp_cerber->reCaptchaValidate('woologin', true) ) { return new WP_Error( 'incorrect_recaptcha', $wp_cerber->reCaptchaMsg('woocommerce-login')); } return $validation_error; }); add_filter( 'allow_password_reset', function ( $var ) { // Note: 'allow_password_reset' also is fired in WP itself global $wp_cerber; if ( isset( $_POST['wc_reset_password'] ) && did_action( 'woocommerce_init' )) { //$wp_cerber->reCaptchaNow(); if ( ! $wp_cerber->reCaptchaValidate( 'woolost' , true) ) { return new WP_Error( 'incorrect_recaptcha', $wp_cerber->reCaptchaMsg('woocommerce-lost')); } } return $var; }); add_filter( 'woocommerce_process_registration_errors', function ( $validation_error ) { global $wp_cerber; //$wp_cerber->reCaptchaNow(); if ( ! $wp_cerber->reCaptchaValidate('wooreg' , true) ) { return new WP_Error( 'incorrect_recaptcha', $wp_cerber->reCaptchaMsg('woocommerce-register')); } return $validation_error; }); } /** * Generates reCAPTCHA HTML * * @param string $part 'style' or 'widget' * @param null $option what plugin setting must be set to show the reCAPTCHA * @param bool $echo if false, return the code, otherwise show it * * @return null|string */ final public function reCaptcha( $part = '', $option = null, $echo = true ) { if ( $this->status == 4 || empty( $this->options['sitekey'] ) || empty( $this->options['secretkey'] ) || ( $option && empty( $this->options[ $option ] ) ) ) { return null; } $sitekey = $this->options['sitekey']; $ret = ''; switch ( $part ) { case 'style': // for default login WP form only - fit it in width nicely. ?> options[ $option ] ) ) { $this->recaptcha_here = true; //if ($this->options['invirecap']) $ret = '
'; if ($this->options['invirecap']) { $ret = ''; } else $ret = ''; //$ret = ''; } break; } if ( $echo ) { echo $ret; $ret = null; } return $ret; /* */ } /** * Validate reCAPTCHA by calling Google service * * @param string $form Form ID (slug) * @param boolean $force Force validate without pre-checks * * @return bool true on success false on failure */ final public function reCaptchaValidate($form = null, $force = false) { if (!$force) { if ( ! $this->recaptcha || $this->status == 4 ) { return true; } } if ($this->recaptcha_verified != null) return $this->recaptcha_verified; if ( $form == 'comment' && $this->options['recapcomauth'] && is_user_logged_in()) return true; if ( ! $form ) { $form = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : 'login'; } $forms = array( // known pairs: form => specific plugin setting 'lostpassword' => 'recaplost', 'register' => 'recapreg', 'login' => 'recaplogin', 'comment' => 'recapcom', 'woologin' => 'recapwoologin', 'woolost' => 'recapwoolost', 'wooreg' => 'recapwooreg', ); if ( isset( $forms[ $form ] ) ) { if ( empty( $this->options[ $forms[ $form ] ] ) ) { return true; // no validation is required } } else { return true; // we don't know this form } if ( empty( $_POST['g-recaptcha-response'] ) ) { $this->reCaptchaFailed($form); return false; } $result = $this->reCaptchaRequest($_POST['g-recaptcha-response']); if ( ! $result ) { cerber_log( 42 ); return false; } $result = json_decode( $result ); $result = obj_to_arr_deep( $result ); if ( ! empty( $result['success'] ) ) { $this->recaptcha_verified = true; return true; } $this->recaptcha_verified = false; if ( ! empty( $result['error-codes'] ) ) { if ( in_array( 'invalid-input-secret', (array) $result['error-codes'] ) ) { cerber_log( 41 ); } } $this->reCaptchaFailed($form); return false; } final function reCaptchaFailed($context = '') { cerber_log( 40 ); if ($this->options['recaptcha-period'] && $this->options['recaptcha-number'] && $this->options['recaptcha-within']) { $remain = cerber_get_remain_count($this->remote_ip , true, array( 40 ), $this->options['recaptcha-number'], $this->options['recaptcha-within']); if ($remain < 1) cerber_block_add( $this->remote_ip, 705 ); } } /** * A form with possible reCAPTCHA has been submitted. * Allow to process reCAPTCHA by setting a global flag. * Must be called before reCaptchaValidate(); * */ final public function reCaptchaNow() { if ( cerber_is_http_post() && $this->options['sitekey'] && $this->options['secretkey'] ) { $this->recaptcha = true; } } /** * Make a request to the Google reCaptcha web service * * @param string $response Google specific field from the submitted form (widget) * * @return bool|string Response of the Google service or false on failure */ final public function reCaptchaRequest($response = ''){ if (!$response) { if (!empty($_POST['g-recaptcha-response'])) $response = $_POST['g-recaptcha-response']; else return false; } $curl = @curl_init(); // @since 4.32 if (!$curl) { cerber_admin_notice(__( 'ERROR:', 'wp-cerber' ) .' Unable to initialize cURL'); return false; } $opt = curl_setopt_array($curl, array( CURLOPT_URL => GOO_RECAPTCHA_URL, CURLOPT_POST => true, CURLOPT_POSTFIELDS => array( 'secret' => $this->options['secretkey'], 'response' => $response ), CURLOPT_RETURNTRANSFER => true, )); if (!$opt) { cerber_admin_notice(__( 'ERROR:', 'wp-cerber' ) .' '. curl_error($curl)); curl_close($curl); return false; } $result = @curl_exec($curl); if (!$result) { cerber_admin_notice(__( 'ERROR:', 'wp-cerber' ) .' '. curl_error($curl)); $result = false; } curl_close($curl); return $result; } final public function reCaptchaMsg($context = null){ return apply_filters( 'cerber_msg_recaptcha', __( 'Human verification failed. Please click the square box in the reCAPTCHA block below.', 'wp-cerber' ), $context); } final public function setLocked() { if ( ! isset( $this->locked ) ) { $this->locked = 1; } } final public function wasLocked() { if ( ! empty( $this->locked ) ) { return 1; } return 0; } final public function deleteGarbage() { if ( $this->garbage ) { return; } $last = cerber_get_set( 'garbage_collector', null, false ); if ( $last > ( time() - 60 ) ) { // We do this once a minute $this->garbage = true; return; } $time = time(); if ( $list = cerber_db_get_col( 'SELECT ip FROM ' . CERBER_BLOCKS_TABLE . ' WHERE block_until < ' . $time ) ) { $result = cerber_db_query( 'DELETE FROM ' . CERBER_BLOCKS_TABLE . ' WHERE block_until < ' . $time ); crb_event_handler( 'ip_event', array( 'e_type' => 'unlocked', 'ip' => $list, 'result' => $result ) ); } cerber_update_set( 'garbage_collector', time(), null, false ); $this->garbage = true; } } function cerber_init() { static $done = false; if ( $done ) { return; } cerber_pre_checks(); cerber_error_control(); if ( crb_get_settings( 'tiphperr' ) ) { set_error_handler( 'cerber_catch_error' ); } cerber_upgrade_all(); $use_eng = false; if ( is_admin() && crb_get_settings( 'admin_lang' ) ) { $use_eng = true; add_filter( 'override_load_textdomain', function ( $val, $domain, $mofile ) { if ( $domain == 'wp-cerber' ) { $val = true; } return $val; }, 100, 3 ); } if ( ! $use_eng ) { load_plugin_textdomain( 'wp-cerber', false, 'wp-cerber/languages' ); } global $wp_cerber; $wp_cerber = get_wp_cerber(); cerber_beast(); $antibot = cerber_antibot_gene(); if ( $antibot && ! empty( $antibot[1] ) ) { foreach ( $antibot[1] as $item ) { cerber_set_cookie( $item[0], $item[1], time() + 3600 * 24 ); } } // Redirection control: no default aliases for redirections //if ( crb_get_settings( 'noredirect' ) ) { if ( cerber_no_redirect() ) { remove_action( 'template_redirect', 'wp_redirect_admin_locations', 1000 ); } $hooks = apply_filters( 'cerber_antibot_hooks', array() ); if ( ! empty( $hooks['login_register'] ) ) { foreach ( $hooks['login_register'] as $hook ) { add_action( $hook, 'cerber_login_register_stuff', 1000 ); } } $done = true; } /** * Returns correct WP_Cerber object * Protects and sets global $wp_cerber to the proper object * * @return WP_Cerber * @since 6.0 */ function get_wp_cerber(){ global $wp_cerber; static $the_wp_cerber = null; if ( ! isset( $the_wp_cerber ) ) { $the_wp_cerber = new WP_Cerber(); } $wp_cerber = $the_wp_cerber; return $the_wp_cerber; } add_action( 'plugins_loaded', function () { cerber_error_control(); get_wp_cerber(); cerber_inspect_uploads(); // Uploads in the dashboard //cerber_init_cron(); @since 8.6.1 moved to cerber_bg_launcher if ( ! wp_next_scheduled( 'cerber_bg_launcher' ) ) { wp_schedule_event( time(), 'crb_five', 'cerber_bg_launcher' ); } __( '> > > Translator of WP Cerber? To get the PRO license for free, drop your contacts here: https://wpcerber.com/contact/', 'wp-cerber' ); }, 1000 ); function cerber_load_admin_code() { //cerber_cache_enable(); require_once( ABSPATH . 'wp-admin/includes/class-wp-screen.php' ); require_once( ABSPATH . 'wp-admin/includes/screen.php' ); require_once( ABSPATH . 'wp-admin/includes/class-wp-list-table.php' ); require_once( dirname( __FILE__ ) . '/admin/cerber-settings.php' ); require_once( dirname( __FILE__ ) . '/cerber-users.php' ); require_once( dirname( __FILE__ ) . '/dashboard.php' ); //require_once( dirname( __FILE__ ) . '/cerber-maintenance.php' ); // @since 8.5.1 moved to Nexus php files because it requires PHP 5.6 } /** * Some additional tasks... * */ function cerber_extra_vision() { global $cerber_logged, $cerber_status; // Multiple different malicious activities if ( empty( $cerber_logged ) ) { return false; } $ip = cerber_get_remote_ip(); $black = crb_get_activity_set( 'black' ); $black_logged = array_intersect( $black, $cerber_logged ); if ( ! empty( $black_logged ) && cerber_is_ip_allowed() ) { $remain = cerber_get_remain_count( $ip, true, $black ); // @since 6.7.5 if ( $remain < 1 ) { cerber_soft_block_add( $ip, 707 ); $cerber_status = 18; return true; } } // TODO: there should be a matrix activity => limit per period $remain = cerber_get_remain_count( $ip, true, array( 400 ), 10, 30 ); if ( $remain < 1 ) { cerber_block_add( $ip, 721 ); $cerber_status = 18; return true; } return false; } /* Display WordPress login form if the Custom login URL is requested */ if ( defined( 'CERBER_OLD_LP' ) && CERBER_OLD_LP ) { add_action( 'init', 'cerber_wp_login_page', 20 ); // TODO: remove in the next version } function cerber_wp_login_page() { if ( $path = crb_get_settings( 'loginpath' ) ) { if ( cerber_is_login_request() ) { if ( ! defined( 'DONOTCACHEPAGE' ) ) { define( 'DONOTCACHEPAGE', true ); // @since 5.7.6 } @ini_set( 'display_startup_errors', 0 ); @ini_set( 'display_errors', 0 ); add_action( 'login_init', function () { @ini_set( 'display_startup_errors', 0 ); @ini_set( 'display_errors', 0 ); } ); require( ABSPATH . WP_LOGIN_SCRIPT ); // load default wp-login.php form exit; } } } /** * Check if the current HTTP request is a login/register/lost password page request * * @return bool */ function cerber_is_login_request() { static $ret; if ( isset( $ret ) ) { return $ret; } $ret = false; if ( $path = crb_get_settings( 'loginpath' ) ) { $uri = $_SERVER['REQUEST_URI']; if ( $pos = strpos( $uri, '?' ) ) { $uri = substr( $uri, 0, $pos ); } $components = explode( '/', rtrim( $uri, '/' ) ); $last = end( $components ); if ( $path === $last && ! cerber_is_rest_url() ) { $ret = true; } } elseif ( CRB_Request::is_script( '/' . WP_LOGIN_SCRIPT ) ) { $ret = true; } return $ret; } /** * Does the current location (URL) requires a user to be logged in to view * * @param $allowed_url string An URL that is allowed to view without authentication * * @return bool */ function cerber_auth_required( $allowed_url ) { if ( $allowed_url && CRB_Request::is_url_equal( $allowed_url ) ) { return false; } if ( cerber_is_login_request() ) { return false; } if ( CRB_Request::is_script( array( '/' . WP_LOGIN_SCRIPT, '/' . WP_SIGNUP_SCRIPT, '/wp-activate.php' ) ) ) { return false; } if ( CRB_Request::is_url_start_with( wp_login_url() ) ) { return false; } if ( class_exists( 'WooCommerce' ) ) { if ( CRB_Request::is_url_start_with( get_permalink( get_option( 'woocommerce_myaccount_page_id' ) ) ) ) { return false; } } return true; } /* Create message to show it above login form for any simply GET */ add_action( 'login_head', 'cerber_login_head' ); function cerber_login_head() { global $error, $wp_cerber; if ( !$allowed = cerber_is_ip_allowed() ) : ?> reCaptcha( 'style' ); if ( !cerber_is_http_get() ) { return; } if ( ! cerber_can_msg() ) { return; } if ( ! $allowed ) { $error = $wp_cerber->getErrorMsg(); } elseif ( $msg = $wp_cerber->getRemainMsg() ) { $error = $msg; } elseif ( crb_get_settings( 'authonly' ) && ( $m = crb_get_settings( 'authonlymsg' ) ) ) { $error = $m; } } /** * Handling the process of user authentication * */ remove_filter( 'authenticate', 'wp_authenticate_username_password', 20 ); remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 ); add_filter( 'authenticate', function ( $user, $username, $password ) { return cerber_authenticate( $user, $username, $password ); }, 20, 3 ); function cerber_authenticate( $user, $username, $password ) { global $wp_cerber; if ( ! $wp_cerber->reCaptchaValidate() ) { return new WP_Error( 'incorrect_recaptcha', '' . __( 'ERROR:', 'wp-cerber' ) . ' ' . $wp_cerber->reCaptchaMsg('login')); } // Check for prohibited username if ( $username && cerber_is_prohibited( $username ) ) { //cerber_log( 52, $username ); $ret = crb_login_error( $username, 52 ); cerber_block_add( null, 704, $username ); return $ret; // Create with message that is identical the default WP /*return new WP_Error( 'incorrect_password', sprintf( __( 'ERROR: The password you entered for the username %s is incorrect.' ), '' . $username . '' ) );*/ } $user = wp_authenticate_username_password( $user, $username, $password ); $user = wp_authenticate_email_password( $user, $username, $password ); // @since 8.4.2 // Should be moved under 'wp_authenticate_user' hook see below? if ( ( $user instanceof WP_User ) && $user->ID ) { if ( crb_get_settings( 'ds_4acc' ) && CRB_DS::is_ready( 1 ) ) { if ( ! CRB_DS::is_user_valid( $user->ID ) ) { return crb_login_error( $username, 53, 35 ); } $pwd = CRB_DS::get_user_pass( $user->ID ); if ( ! $pwd || ! wp_check_password( $password, $pwd, $user->ID ) ) { return crb_login_error( $username, 53, 36 ); } } } // @since 4.18 it is replacement for 'wp_login_failed' action hook // see WP function wp_authenticate() $ignore_codes = array( 'empty_username', 'empty_password' ); if ( is_wp_error( $user ) && ! in_array( $user->get_error_code(), $ignore_codes ) ) { /*$user_id = null; if ( ( $data = $user->get_error_data() ) && ! empty( $data['user_id'] ) ) { $user_id = $data['user_id']; } cerber_login_failed( $username, $user_id );*/ cerber_login_failed( $username ); } return $user; } /* Stop the authentication process for an EXISTING user Invoking in: 'wp_authenticate_username_password()' 'wp_authenticate_email_password()' */ add_filter( 'wp_authenticate_user', function ( $user, $password ) { // former cerber_stop_authentication() global $wp_cerber, $cerber_status; $deny = false; $user_msg = ''; if ( $b = crb_is_user_blocked( $user->ID ) ) { $user_msg = $b['blocked_msg']; $cerber_status = 25; $deny = true; } elseif ( crb_acl_is_white() ) { // @since 8.2.2 $deny = false; } elseif ( ! cerber_is_ip_allowed() ) { $deny = true; } elseif ( ! cerber_geo_allowed( 'geo_login', $user ) ) { $cerber_status = 16; $deny = true; } elseif ( lab_is_blocked( cerber_get_remote_ip() ) ) { $cerber_status = 15; $deny = true; } if ( $deny ) { status_header( 403 ); $error = new WP_Error(); if ( ! $user_msg ) { $user_msg = $wp_cerber->getErrorMsg(); } $error->add( 'cerber_wp_error', $user_msg, array( 'user_id' => $user->ID ) ); return $error; } return $user; }, PHP_INT_MAX, 2 ); function crb_login_error( $username, $act = null, $status = null ) { global $cerber_status; $cerber_status = $status; if ( $act ) { cerber_log( $act, $username ); } // Create with message that is identical the default WP return new WP_Error( 'incorrect_password', sprintf( __( 'ERROR: The password you entered for the username %s is incorrect.' ), '' . $username . '' ) ); } add_action( 'wp_login', function ( $login, $user ) { cerber_user_login( $login, $user ); }, 0, 2 ); /** * @param $login string * @param $user WP_User */ function cerber_user_login( $login, $user ) { global $wp_cerber_user_id; $wp_cerber_user_id = $user->ID; if ( ! empty( $_POST['log'] ) && ! empty( $_POST['pwd'] ) ) { // default WP login form $user_login = htmlspecialchars( $_POST['log'] ); } else { $user_login = $login; } $fa = CRB_2FA::enforce( $user_login, $user ); if ( is_wp_error( $fa ) ) { cerber_diag_log( $fa->get_error_message() . ' | RID: ' . get_wp_cerber()->getRequestID(), '2FA' ); } cerber_login_history( $user->ID ); cerber_log( 5, $user_login, $user->ID ); } /** * Catching user switching and authentications without using a login form */ add_action( 'set_auth_cookie', function () { add_action( 'set_current_user', function () { // deferred to allow the possible 'wp_login' action to be logged first global $current_user; if ( $current_user instanceof WP_User ) { cerber_user_login( $current_user->user_login, $current_user ); } } ); } ); function cerber_login_history( $user_id ) { $cus = cerber_get_set( 'cerber_user', $user_id ); if ( ! $cus || ! is_array( $cus ) ) { $cus = array(); } $cus['last_login'] = array( 'ip' => cerber_get_remote_ip(), 'ua' => sha1( crb_array_get( $_SERVER, 'HTTP_USER_AGENT', '' ) ) ); if ( ! isset( $cus['2fa_history'] ) ) { $cus['2fa_history'] = array( 0, time() ); } else { $cus['2fa_history'][0] ++; } cerber_update_set( 'cerber_user', $cus, $user_id ); } /** * * Handler for failed login attempts * * @param $user_login * @param int $user_id User ID * */ //add_action( 'wp_login_failed', 'cerber_login_failed' ); // @since 4.18 function cerber_login_failed( $user_login, $user_id = 0 ) { global $cerber_status; static $is_processed = false; if ( $is_processed ) return; $is_processed = true; $ip = cerber_get_remote_ip(); $acl = cerber_acl_check( $ip ); if ( ! cerber_get_user( $user_login ) ) { $no_user = true; } else { $no_user = false; } $ac = 7; if ( $no_user ) { $ac = 51; } elseif ( ! cerber_is_ip_allowed( $ip ) || $cerber_status == 15 || $cerber_status == 16 || $cerber_status == 25 ) { // TODO should be refactored together with cerber_stop_authentication $ac = 53; } cerber_log( $ac, $user_login, $user_id ); // White? Stop further actions. if ( $acl == 'W' && !crb_get_settings( 'limitwhite' )) { return; } if ( crb_get_settings( 'usefile' ) ) { cerber_file_log( $user_login, $ip ); } if ( ! cerber_is_wp_ajax() ) { // Needs additional researching and, maybe, refactoring status_header( 403 ); } // Blacklisted? No more actions are needed. if ( $acl == 'B' ) { return; } // Must the Citadel mode be activated? if ( crb_get_settings( 'citadel_on' ) && ( $per = crb_get_settings( 'ciperiod' ) ) && ! cerber_is_citadel() ) { $range = time() - $per * 60; $lockouts = cerber_db_get_var( 'SELECT count(ip) FROM ' . CERBER_LOG_TABLE . ' WHERE activity = 7 AND stamp > ' . $range ); if ( $lockouts >= crb_get_settings( 'cilimit' ) ) { cerber_enable_citadel(); } } if ( $no_user && crb_get_settings( 'nonusers' ) ) { cerber_block_add( $ip, 703, $user_login); } elseif ( cerber_get_remain_count($ip, false) < 1 ) { //Limit on the number of login attempts is reached cerber_block_add( $ip, 701, '', null ); } } // ------------ User Sessions // do_action( "added_{$meta_type}_meta", $mid, $object_id, $meta_key, $_meta_value ); add_action( 'added_user_meta', function ( $meta_id, $user_id, $meta_key, $_meta_value ) { if ( $meta_key === 'session_tokens' ) { crb_update_session_data( $user_id, $_meta_value ); } }, 10, 4 ); // do_action( "updated_{$meta_type}_meta", $meta_id, $object_id, $meta_key, $_meta_value ); add_action( 'updated_user_meta', function ( $meta_id, $user_id, $meta_key, $_meta_value ) { if ( $meta_key === 'session_tokens' ) { crb_update_session_data( $user_id, $_meta_value ); } }, 10, 4 ); // do_action( "deleted_{$meta_type}_meta", $meta_ids, $object_id, $meta_key, $_meta_value ); add_action( 'deleted_user_meta', function ( $meta_ids, $user_id, $meta_key, $_meta_value ) { if ( $meta_key === 'session_tokens' ) { $query = 'DELETE FROM ' . cerber_get_db_prefix() . CERBER_USS_TABLE; if ( $user_id ) { $query .= ' WHERE user_id = ' . $user_id; } cerber_db_query( $query ); } }, 10, 4 ); /** * Keep the sessions table up to date * * @param $user_id * @param array $sessions List of user sessions from "session_tokens" user meta * * @return bool */ function crb_update_session_data( $user_id, $sessions = null ) { global $wpdb; $table = cerber_get_db_prefix() . CERBER_USS_TABLE; if ( $sessions === null ) { $user_meta = cerber_db_get_var( 'SELECT um.* FROM ' . $wpdb->usermeta . ' um JOIN ' . $wpdb->users . ' us ON (um.user_id = us.ID) WHERE um.user_id = ' . $user_id . ' AND um.meta_key = "session_tokens"' ); if ( $user_meta && ! empty( $user_meta['meta_value'] ) ) { $sessions = @unserialize( $user_meta['meta_value'] ); } } if ( ! $sessions ) { cerber_db_query( 'DELETE FROM ' . $table . ' WHERE user_id = ' . $user_id ); return true; } $list = array_keys( $sessions ); cerber_db_query( 'DELETE FROM ' . $table . ' WHERE user_id = ' . $user_id . ' AND wp_session_token NOT IN ("' . implode( '","', $list ) . '")' ); $exist = cerber_db_get_col( 'SELECT wp_session_token FROM ' . $table . ' WHERE user_id = ' . $user_id ); if ( $exist ) { $new = array_diff( $list, $exist ); // Should be just one element or none } else { $new = $list; } foreach ( $new as $id ) { $data = $sessions[ $id ]; $session_id = get_wp_cerber()->getRequestID(); $ip = $data['ip']; //$ip = cerber_get_remote_ip(); $country = (string) lab_get_country( $ip ); cerber_db_query( 'INSERT INTO ' . $table . ' (user_id, ip, country, started, expires, session_id, wp_session_token) VALUES (' . $user_id . ',"' . $ip . '","' . $country . '","' . $data['login'] . '","' . $data['expiration'] . '","' . $session_id . '","' . $id . '")' ); } return true; } /** * Synchronize sessions in a bulk mode * * @param bool $full If true will perform full sync from scratch * * @return bool */ function cerber_sync_sessions( $full = true ) { global $wpdb; $table = cerber_get_db_prefix() . CERBER_USS_TABLE; if ( ! $full && cerber_db_get_var( 'SELECT user_id FROM ' . $table . ' LIMIT 1' ) ) { return false; } cerber_db_query( 'DELETE FROM ' . $table ); $query = 'SELECT um.* FROM ' . $wpdb->usermeta . ' um JOIN ' . $wpdb->users . ' us ON (um.user_id = us.ID) WHERE um.meta_key = "session_tokens"'; if ( ! $metas = cerber_db_get_results( $query ) ) { return false; } foreach ( $metas as $user_meta ) { $sessions = @unserialize( $user_meta['meta_value'] ); if ( empty( $sessions ) ) { continue; } foreach ( $sessions as $id => $data ) { if ( $data['expiration'] < time() ) { continue; } if ( crb_is_user_blocked( $user_meta['user_id'] ) ) { continue; } $country = (string) lab_get_country( $data['ip'] ); cerber_db_query( 'INSERT INTO ' . $table . ' (user_id, ip, country, started, expires, wp_session_token) VALUES (' . $user_meta['user_id'] . ',"' . $data['ip'] . '","' . $country . '","' . $data['login'] . '","' . $data['expiration'] . '","' . $id . '")' ); } } return true; } // Enforce restrictions for the current user add_action( 'set_current_user', function () { // the normal way global $current_user; cerber_restrict_user( $current_user->ID ); }, 0 ); add_action( 'init', function () { // backup for 'set_current_user' hook which might not be invoked cerber_restrict_user( get_current_user_id() ); }, 0 ); function cerber_restrict_user( $user_id ) { static $done; if ( $done || ! $user_id ) { return; } $done = true; if ( crb_is_user_blocked( $user_id ) || ! CRB_DS::is_user_valid( $user_id ) || crb_acl_is_black() // @since 8.2.4 || ! cerber_geo_allowed( 'geo_login', $user_id ) ) { // @since 8.2.3 cerber_user_logout(); if ( is_admin() ) { wp_redirect( cerber_get_home_url() ); } else { wp_safe_redirect( CRB_Request::full_url() ); } exit; } CRB_2FA::restrict_and_verify( $user_id ); if ( ( ! defined( 'DOING_AJAX' ) || ! DOING_AJAX ) && is_admin() && ! is_super_admin() ) { if ( cerber_get_user_policy( 'nodashboard', $user_id ) ) { wp_redirect( home_url() ); exit; } } if ( cerber_get_user_policy( 'notoolbar', $user_id ) ) { show_admin_bar( false ); } } add_filter( 'login_redirect', function ( $redirect_to, $requested_redirect_to, $user ) { if ( $to = crb_redirect_by_policy( $user, 'rdr_login' ) ) { return $to; } return $redirect_to; }, PHP_INT_MAX, 3 ); add_filter( 'logout_redirect', function ( $redirect_to, $requested_redirect_to, $user ) { if ( $to = crb_redirect_by_policy( $user, 'rdr_logout' ) ) { return $to; } if ( ( $path = crb_get_settings( 'loginpath' ) ) && empty( $requested_redirect_to ) && cerber_is_login_request() ) { $redirect_to = cerber_get_site_url() . '/' . $path . '/?loggedout=true'; // Replace the default WP logout redirection } return $redirect_to; }, PHP_INT_MAX, 3 ); if ( crb_get_settings( 'loginpath' ) ) { add_filter( 'lostpassword_redirect', function ( $redirect_to ) { if ( ( $path = crb_get_settings( 'loginpath' ) ) && cerber_is_login_request() ) { $redirect_to = '/' . $path . '/?checkemail=confirm'; // Replace the default WP logout redirection } return $redirect_to; }, PHP_INT_MAX ); add_filter( 'registration_redirect', function ( $redirect_to ) { if ( ( $path = crb_get_settings( 'loginpath' ) ) && cerber_is_login_request() ) { $redirect_to = '/' . $path . '/?checkemail=registered'; // Replace the default WP logout redirection } return $redirect_to; }, PHP_INT_MAX ); } function cerber_parse_redir( $url, $user ) { if ( strpos( $url, '{{' ) ) { $url = preg_replace( '/{{user_id}}/', $user->ID, $url ); } return $url; } function crb_redirect_by_policy( $user, $policy ) { if ( $user && ! is_wp_error( $user ) && ( $to = cerber_get_user_policy( $policy, $user ) ) ) { $force_redirect_to = cerber_parse_redir( $to, $user ); if ( ! strpos( $force_redirect_to, '://' ) ) { $force_redirect_to = cerber_get_site_url() . '/' . ltrim( $force_redirect_to, '/' ); } return $force_redirect_to; } return false; } function cerber_user_logout( $status = null ) { global $cerber_status, $current_user, $userdata, $user_ID; $cerber_status = ( ! $status ) ? 26 : absint( $status ); if ( $current_user instanceof WP_User ) { $uid = $current_user->ID; } else { $uid = get_current_user_id(); } @wp_logout(); CRB_2FA::delete_2fa( $uid ); $current_user = null; $userdata = null; $user_ID = null; } // Registration ----------------------------------------------------------------------- function cerber_is_registration_prohibited( $user_login, $user_email = '' ) { global $wp_cerber, $cerber_status; /* if ( crb_acl_is_white() ) { return false; }*/ $code = null; $msg = null; if ( crb_is_reg_limit_reached() ) { $cerber_status = 17; cerber_log( 54 ); $code = 'ip_denied'; $msg = '' . __( 'ERROR:', 'wp-cerber' ) . ' ' . apply_filters( 'cerber_msg_denied', __( 'You are not allowed to register.', 'wp-cerber' ), 'register' ); } elseif ( cerber_is_bot( 'botsreg' ) ) { cerber_log( 54 ); // TODO should be separate code to detect bot activity? $code = 'bot_detected'; $msg = '' . __( 'ERROR:', 'wp-cerber' ) . ' ' . apply_filters( 'cerber_msg_denied', __( 'You are not allowed to register.', 'wp-cerber' ), 'register' ); } elseif ( ! $wp_cerber->reCaptchaValidate() ) { $code = 'incorrect_recaptcha'; $msg = '' . __( 'ERROR:', 'wp-cerber' ) . ' ' . $wp_cerber->reCaptchaMsg( 'register' ); } elseif ( cerber_is_prohibited( $user_login ) ) { $cerber_status = 30; cerber_log( 54 ); $code = 'prohibited_login'; $msg = '' . __( 'ERROR:', 'wp-cerber' ) . ' ' . apply_filters( 'cerber_msg_prohibited', __( 'Username is not allowed. Please choose another one.', 'wp-cerber' ), 'register' ); } elseif ( ! cerber_is_email_permited( $user_email ) ) { $cerber_status = 31; cerber_log( 54 ); $code = 'prohibited_email'; $msg = '' . __( 'ERROR:', 'wp-cerber' ) . ' ' . apply_filters( 'cerber_msg_prohibited_email', __( 'Email address is not permitted.', 'wp-cerber' ) . ' ' . __( 'Please choose another one.', 'wp-cerber' ), 'register' ); } elseif ( ! cerber_is_ip_allowed() || lab_is_blocked( cerber_get_remote_ip() ) ) { cerber_log( 54 ); $code = 'ip_denied'; $msg = '' . __( 'ERROR:', 'wp-cerber' ) . ' ' . apply_filters( 'cerber_msg_denied', __( 'You are not allowed to register.', 'wp-cerber' ), 'register' ); } elseif ( ! cerber_geo_allowed( 'geo_register' ) ) { $cerber_status = 16; // TODO: refactor cerber_log, include this status as a second parameter cerber_log( 54 ); // TODO should be separate code? $code = 'country_denied'; $msg = '' . __( 'ERROR:', 'wp-cerber' ) . ' ' . apply_filters( 'cerber_msg_denied', __( 'You are not allowed to register.', 'wp-cerber' ), 'register' ); } if ( $code ) { return array( $code, $msg ); } return false; } /** * Restrict email addresses * * @param $email string * * @return bool */ function cerber_is_email_permited( $email ) { if ( ! $email ) { return true; } if ( ( ! $rule = crb_get_settings( 'emrule' ) ) || ( ! $list = (array) crb_get_settings( 'emlist' ) ) ) { return true; } if ( $rule == 1 ) { $ret = false; } elseif ( $rule == 2 ) { $ret = true; } else { return true; } foreach ( $list as $item ) { if ( substr( $item, 0, 1 ) == '/' && substr( $item, - 1 ) == '/' ) { $pattern = $item . 'i'; // we permit to specify any REGEX if ( @preg_match( $pattern, $email ) ) { return $ret; } } elseif ( false !== strpos( $item, '*' ) ) { //$wildcard = '[\w\-\.@]+?'; $wildcard = '.+?'; $pattern = '/^' . str_replace( array( '.', '*' ), array( '\.', $wildcard ), $item ) . '$/i'; if ( @preg_match( $pattern, $email ) ) { return $ret; } } elseif ( $email === $item ) { return $ret; } } return ! $ret; } /** * Limit on user registrations per IP * * @return bool */ function crb_is_reg_limit_reached() { if ( ! lab_lab() ) { return false; } if ( ! crb_get_settings( 'reglimit_min' ) || ! crb_get_settings( 'reglimit_num' ) ) { return false; } if ( crb_acl_is_white() ) { return false; } $ip = cerber_get_remote_ip(); $stamp = absint( time() - 60 * crb_get_settings( 'reglimit_min' ) ); $count = cerber_db_get_var( 'SELECT count(ip) FROM ' . CERBER_LOG_TABLE . ' WHERE ip = "' . $ip . '" AND activity = 2 AND stamp > ' . $stamp ); if ( $count >= crb_get_settings( 'reglimit_num' ) ) { lab_save_push( $ip, 344 ); return true; } return false; } // Fires in register_new_user() add_filter( 'registration_errors', function ( $errors, $sanitized_user_login, $user_email ) { $result = cerber_is_registration_prohibited( $sanitized_user_login, $user_email ); if ( $result ) { return new WP_Error( $result[0], $result[1] ); } return $errors; }, 10, 3 ); // Fires in wp_insert_user() add_filter( 'pre_user_login', function ( $login ) { if ( ! is_admin() && cerber_is_registration_prohibited( $login ) ) { return null; } return $login; }, PHP_INT_MAX ); // Validation for MU and BuddyPress add_filter( 'wpmu_validate_user_signup', function ( $signup_data ) { $sanitized_user_login = sanitize_user( $signup_data['user_name'], true ); if ( $check = cerber_is_registration_prohibited( $sanitized_user_login, $signup_data['user_email'] ) ) { $signup_data['errors'] = new WP_Error( 'user_name', $check[1] ); } return $signup_data; }, PHP_INT_MAX ); // Filter out prohibited usernames add_filter( 'illegal_user_logins', function () { return (array) crb_get_settings( 'prohibited' ); }, PHP_INT_MAX ); add_filter( 'option_users_can_register', function ( $value ) { //if ( ! cerber_is_allowed() || !cerber_geo_allowed( 'geo_register' )) { if ( ! cerber_is_ip_allowed() || crb_is_reg_limit_reached() ) { return false; } return $value; }, PHP_INT_MAX ); // Lost password form -------------------------------------------------------------------- /** * Validate reCAPTCHA for the WordPress lost password form */ add_action( 'login_form_' . 'lostpassword', 'cerber_lost_captcha' ); function cerber_lost_captcha() { global $wp_cerber, $cerber_lost; if ( ! $wp_cerber->reCaptchaValidate() ) { $_POST['user_login'] = null; // workaround due to lack of any way to control lost password form $cerber_lost = '' . __( 'ERROR:', 'wp-cerber' ) . ' ' . $wp_cerber->reCaptchaMsg('lostpassword'); } } /** * Display message on the WordPress lost password form screen */ add_action( 'lostpassword_form', 'cerber_lost_show_msg' ); function cerber_lost_show_msg() { global $cerber_lost; if ( ! $cerber_lost ) { return; } ?> '1', 'post_id' => $comment_post_ID ) ); if ( $comments ) { $loc = get_comment_link( $comments[0]->comment_ID ); } else { $loc = get_permalink( $comment_post_ID ) . '#cerber-recaptcha-msg'; } wp_safe_redirect( $loc ); exit; } } ); /** * If submit comments via REST API is not allowed * */ add_filter( 'rest_allow_anonymous_comments', function ( $allowed, $request ) { global $cerber_status; if ( ! cerber_is_ip_allowed() ) { $allowed = false; } if ( ! cerber_geo_allowed( 'geo_comment' ) ) { cerber_log(19); $cerber_status = 16; $allowed = false; } elseif ( lab_is_blocked( cerber_get_remote_ip() ) ) { $allowed = false; } return $allowed; }, 10, 2 ); /** * Check if a submitted comment is allowed * * @return bool */ function cerber_is_comment_allowed(){ global $wp_cerber; if (is_admin()) return true; $deny = null; if ( ! cerber_is_ip_allowed() ) { $deny = 19; } elseif ( cerber_is_bot('botscomm') ) { $remain = cerber_get_remain_count( null, true, array( 16 ), 3, 60 ); if ($remain < 1) cerber_block_add( null, 706, '', 60 ); $deny = 16; } elseif ( ! $wp_cerber->reCaptchaValidate( 'comment' , true ) ) { $deny = 16; } elseif ( lab_is_blocked( cerber_get_remote_ip() ) ) { $deny = 19; } if ( $deny ) { cerber_log( $deny ); $ret = false; } else { $ret = true; } return $ret; } /** * Showing reCAPTCHA widget. * Displaying error message on the comment form for a human. * */ add_filter( 'comment_form_submit_field', function ( $value ) { global $wp_cerber, $post; if ( cerber_get_cookie( 'cerber_post_id' ) == $post->ID ) { //echo '' . $msg; } } return $errors; } add_filter( 'shake_error_codes', 'cerber_login_failure_shake' ); // Shake it, baby! function cerber_login_failure_shake( $shake_error_codes ) { $shake_error_codes[] = 'cerber_wp_error'; return $shake_error_codes; } /* Replace default login/logout URL with Custom login page URL */ add_filter( 'site_url', 'cerber_login_logout', 9999, 4 ); add_filter( 'network_site_url', 'cerber_login_logout', 9999, 3 ); function cerber_login_logout( $url, $path, $scheme, $blog_id = 0 ) { // $blog_id only for 'site_url' if ( $login_path = crb_get_settings( 'loginpath' ) ) { $url = str_replace( WP_LOGIN_SCRIPT, $login_path . '/', $url ); } return $url; } /* Replace default logout redirect URL with Custom login page URL */ add_filter( 'wp_redirect', 'cerber_login_redirect', 9999, 2 ); function cerber_login_redirect( $location, $status ) { if ( ( $path = crb_get_settings( 'loginpath' ) ) && ( 0 === strpos( $location, WP_LOGIN_SCRIPT . '?' ) ) ) { $loc = explode( '?', $location ); $location = cerber_get_home_url() . '/' . $path . '/?' . $loc[1]; } return $location; } // Access control ======================================================================================== add_action( 'init', function () { if ( crb_get_settings( 'adminphp' ) ) { if ( defined( 'CONCATENATE_SCRIPTS' ) ) { cerber_add_issue( 'conscripts', 'The PHP constant CONCATENATE_SCRIPTS is already defined somewhere else', 'adminphp' ); } //elseif ( ! is_user_logged_in() ) { elseif ( ! cerber_check_groove_x() ) { define( 'CONCATENATE_SCRIPTS', false ); } } if ( ! is_admin() && ! cerber_is_wp_cron() ) { cerber_access_control(); cerber_auth_access(); } cerber_post_control(); if ( ! defined( 'CERBER_OLD_LP' ) || ! CERBER_OLD_LP ) { // TODO: remove in the next version cerber_wp_login_page(); // @since 8.3.4 } }, 0 ); /** * Restrict access to some vital parts of WP * */ function cerber_access_control() { global $wp_cerber, $cerber_status; if ( crb_acl_is_white() ) { return; } $wp_cerber = get_wp_cerber(); if ( $wp_cerber->isURIProhibited() ) { cerber_404_page(); } $opt = crb_get_settings(); // REST API if ( $wp_cerber->isDeny() ) { cerber_block_rest_api(); } elseif ( cerber_is_rest_url() ) { $rest_allowed = true; /*if ( ! empty( $opt['norest'] ) ) { $rest_allowed = false; if ( $opt['restauth'] && is_user_logged_in() ) { $rest_allowed = true; } elseif ( cerber_is_route_allowed() ) { $rest_allowed = true; } } if ( $rest_allowed && cerber_is_route_blocked() ) { $rest_allowed = false; }*/ if ( ! cerber_is_rest_permitted() ) { $rest_allowed = false; } if ( $rest_allowed && ! cerber_geo_allowed( 'geo_restapi' ) ) { $rest_allowed = false; $cerber_status = 16; } if ( ! $rest_allowed ) { cerber_block_rest_api(); } } // Some XML-RPC stuff if ( $wp_cerber->isDeny() || ! empty( $opt['xmlrpc'] ) ) { add_filter( 'xmlrpc_enabled', '__return_false' ); add_filter( 'pings_open', '__return_false' ); add_filter( 'bloginfo_url', 'cerber_pingback_url', 10, 2 ); remove_action( 'wp_head', 'rsd_link', 10 ); remove_action( 'wp_head', 'wlwmanifest_link', 10 ); } // Feeds if ( $wp_cerber->isDeny() || ! empty( $opt['nofeeds'] ) ) { remove_action( 'wp_head', 'feed_links', 2 ); remove_action( 'wp_head', 'feed_links_extra', 3 ); remove_action( 'do_feed_rdf', 'do_feed_rdf', 10 ); remove_action( 'do_feed_rss', 'do_feed_rss', 10 ); remove_action( 'do_feed_rss2', 'do_feed_rss2', 10 ); remove_action( 'do_feed_atom', 'do_feed_atom', 10 ); remove_action( 'do_pings', 'do_all_pings', 10 ); add_action( 'do_feed_rdf', 'cerber_404_page', 1 ); add_action( 'do_feed_rss', 'cerber_404_page', 1 ); add_action( 'do_feed_rss2', 'cerber_404_page', 1 ); add_action( 'do_feed_atom', 'cerber_404_page', 1 ); add_action( 'do_feed_rss2_comments', 'cerber_404_page', 1 ); add_action( 'do_feed_atom_comments', 'cerber_404_page', 1 ); } } function cerber_auth_access() { $opt = crb_get_settings(); if ( ! empty( $opt['authonlyacl'] ) && crb_acl_is_white() ) { return; } if ( ! empty( $opt['authonly'] ) && ! is_user_logged_in() && cerber_auth_required( $opt['authonlyredir'] ) ) { if ( $opt['authonlyredir'] ) { $redirect = ( strpos( $_SERVER['REQUEST_URI'], '/options.php' ) && wp_get_referer() ) ? wp_get_referer() : set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] ); wp_redirect( add_query_arg( 'redirect_to', $redirect, $opt['authonlyredir'] ) ); exit; } auth_redirect(); } } /** * Antispam & Antibot for forms * */ function cerber_post_control() { global $cerber_status; if ( ! cerber_is_http_post() || crb_acl_is_white() ) { return; } if ( ! cerber_antibot_enabled( 'botsany' ) && ! cerber_get_geo_rules( 'geo_submit' ) ) { return; } // Exceptions ----------------------------------------------------------------------- if ( cerber_is_antibot_exception() ) { return; } // Let's make the checks $deny = false; if ( ! cerber_is_ip_allowed(null, CRB_CNTX_SAFE) ) { $deny = true; cerber_log( 18 ); } elseif ( cerber_is_bot( 'botsany' ) ) { $deny = true; cerber_log( 17 ); } elseif ( ! cerber_geo_allowed( 'geo_submit' ) ) { $deny = true; $cerber_status = 16; // TODO: refactor cerber_log, include this status as a second parameter cerber_log( 18 ); } elseif ( lab_is_blocked( null, true ) ) { $deny = true; $cerber_status = 18; cerber_log( 18 ); } if ( $deny ) { cerber_forbidden_page(); } } /** * Exception for POST request control * * @return bool */ function cerber_is_antibot_exception(){ if ( cerber_is_wp_cron() ) { return true; } // Admin || AJAX requests by unauthorized users if ( is_admin() ) { if ( cerber_is_wp_ajax() ) { if ( is_user_logged_in() ) { return true; } if ( class_exists( 'WooCommerce' ) ) { // Background processes launcher? P.S. wc_privacy_cleanup if ( crb_arrays_similar( $_GET, array( 'nonce' => 'crb_is_alphanumeric', 'action' => 'crb_is_alphanumeric' ) ) && ! preg_grep( '/[^\d]/', array_keys( $_POST ) ) ) { // If other than numeric keys in array return true; } } } else { return true; } } // Standard WordPress Comments if ( 0 === strpos( trim( $_SERVER['REQUEST_URI'], '/' ), 'wp-comments-post.php' ) ) { return true; } // XML-RPC if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) { return true; } // Trackback if ( is_trackback() ) { return true; } // Login page if ( cerber_is_login_request() ) { return true; } // REST API (except Contact Form 7 submission) if ( cerber_is_rest_url() ) { if ( false === strpos( $_SERVER['REQUEST_URI'], 'contact-form-7' ) ) { return true; } } if ( class_exists( 'WooCommerce' ) ) { if ( cerber_is_permalink_enabled() ) { if ( CRB_Request::is_url_start_with( cerber_get_home_url() . '/wc-api/' ) ) { return true; } } elseif ( ! empty( $_GET['wc-api'] ) ) { if ( cerber_check_remote_domain( array( '*.paypal.com', '*.stripe.com' ) ) ) { return true; } } } // Upgrading WP, see update-core.php if ( count( $_GET ) == 1 && count( $_POST ) == 0 && ( $p = cerber_get_get( 'step' ) ) && ( $p == 'upgrade_db' ) && substr( cerber_script_filename(), - 21 ) == '/wp-admin/upgrade.php' ) { return true; } // Cloud Scanner if ( cerber_is_cloud_request() ) { return true; } if ( nexus_is_valid_request() ) { return true; } return false; } /** * What antibot mode must be used. * * @return int 1 = Cookies + Fields, 2 = Cookies only */ function cerber_antibot_mode() { global $wp; //static $list; if ( cerber_is_wp_ajax() ) { if ( crb_get_settings( 'botssafe' ) ) { return 2; } if ( ! empty( $_POST['action'] ) ) { if ( $_POST['action'] == 'heartbeat' ) { // WP heartbeat //$nonce_state = wp_verify_nonce( $_POST['_nonce'], 'heartbeat-nonce' ); return 2; } } } if ( cerber_get_uri_script() ) { return 1; } // Check for third party exceptions if ( class_exists( 'WooCommerce' ) ) { if ( ! empty( $_GET['wc-ajax'] ) && //$_GET['wc-ajax'] == 'get_refreshed_fragments' && count( $_GET ) == 1 && ( count( $_POST ) <= 1 ) ) { return 2; } if ( cerber_is_permalink_enabled() ) { //if ( function_exists( 'wc_get_page_id' ) && 0 === strpos( cerber_get_site_root() . cerber_purify_uri(), get_permalink( wc_get_page_id( 'checkout' ) ) ) ) { if ( function_exists( 'wc_get_page_id' ) && CRB_Request::is_url_start_with( get_permalink( wc_get_page_id( 'checkout' ) ) ) ) { return 2; } } else { if ( ! empty( $_GET['order-received'] ) && ! empty( $_GET['key'] ) ) { return 2; } } } if ( class_exists( 'GFForms' ) ) { if ( count( $_GET ) == 2 && ! empty( $_GET['gf_page'] ) && ! empty( $_GET['id'] ) && is_user_logged_in() ) { return 2; } } return 1; } /* * Disable pingback URL (hide from HEAD) */ function cerber_pingback_url( $output, $show ) { if ( $show == 'pingback_url' ) { $output = ''; } return $output; } /** * Disable REST API * */ function cerber_block_rest_api() { // OLD WP add_filter( 'json_enabled', '__return_false' ); add_filter( 'json_jsonp_enabled', '__return_false' ); // WP 4.4, deprecated since 4.7 if ( version_compare( cerber_get_wp_version(), '4.7', '<' ) ) { add_filter( 'rest_enabled', '__return_false', 9999 ); } // WP 4.7 add_filter( 'rest_jsonp_enabled', '__return_false' ); // Links remove_action( 'wp_head', 'rest_output_link_wp_head', 10 ); remove_action( 'template_redirect', 'rest_output_link_header', 11 ); // Default REST API hooks from default-filters.php remove_action( 'init', 'rest_api_init' ); remove_action( 'rest_api_init', 'rest_api_default_filters', 10 ); remove_action( 'rest_api_init', 'register_initial_settings', 10 ); remove_action( 'rest_api_init', 'create_initial_rest_routes', 99 ); remove_action( 'parse_request', 'rest_api_loaded' ); if ( cerber_is_rest_url() ) { cerber_log( 70 ); cerber_forbidden_page(); } } /* * Redirection control: standard admin/login redirections * */ add_filter( 'wp_redirect', function ( $location ) { global $current_user; if ( ( ! $current_user || $current_user->ID == 0 ) && cerber_no_redirect() ) { //$str = urlencode( '/wp-admin/' ); $rdr = explode( 'redirect_to=', $location ); /*if ( isset( $rdr[1] ) && strpos( $rdr[1], $str ) ) { cerber_404_page(); }*/ if ( isset( $rdr[1] ) ) { $redirect_to = urldecode( $rdr[1] ); // a normal $redirect_to = urldecode( $redirect_to ); // @since 8.1 - may be twice encoded to bypass if ( strpos( $redirect_to, '/wp-admin/' ) ) { cerber_404_page(); } } } return $location; }, 0 ); /** * @since 7.0 */ function cerber_no_redirect() { if ( crb_get_settings( 'noredirect' ) && !cerber_check_groove_x()) { return true; } return false; } /* * Stop user enumeration * */ add_action( 'template_redirect', function () { if ( crb_get_settings( 'stopenum' ) ) { if ( ! $a = crb_array_get( $_GET, 'author' ) ) { if ( ! $a = crb_array_get( $_POST, 'author' ) ) { // @since 8.1 return; } } if ( is_numeric( trim( $a ) ) && ! is_admin() ) { cerber_404_page(); } } }, 0 ); /* if ( $wp_cerber->getSettings( 'hashauthor' ) ) { add_filter( 'request', function ( $vars ) { if (isset($vars['author_name']) && !is_admin()) { $vars['author_name'] = '><'; } return $vars; } ); } */ /* Can login form message be shown? */ function cerber_can_msg() { if ( ! isset( $_REQUEST['action'] ) ) { return true; } if ( $_REQUEST['action'] == 'login' ) { return true; } return false; //if ( !in_array( $action, array( 'postpass', 'logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login' ); } // Cookies --------------------------------------------------------------------------------- /* Mark user with Cerber Groove @since 1.3 */ add_action( 'auth_cookie_valid', 'cerber_cookie_one', 10, 2 ); function cerber_cookie_one( $cookie_elements = null, $user = null ) { if ( ! $user ) { $user = wp_get_current_user(); } // Mark user with Cerber Groove // TODO: remove filter, add IP address and user agent $expire = time() + apply_filters( 'auth_cookie_expiration', 14 * 24 * 3600, $user->ID, true ) + ( 24 * 3600 ); cerber_set_groove( $expire ); } /* Mark switched user with Cerber Groove @since 1.6 */ add_action( 'set_logged_in_cookie', 'cerber_cookie2', 10, 5 ); function cerber_cookie2( $logged_in_cookie, $expire, $expiration, $user_id, $logged_in ) { cerber_set_groove( $expire ); } /* Track BAD cookies with non-existing users or bad passwords (hash) */ add_action( 'auth_cookie_bad_username', 'cerber_cookie_bad' ); add_action( 'auth_cookie_bad_hash', 'cerber_cookie_bad' ); function cerber_cookie_bad( $cookie_elements ) { cerber_login_failed( $cookie_elements['username'] ); } /** * Is bot detection engine enabled in a given rule_id * * @param $location string|array ID of the location * * @return bool true if enabled */ function cerber_antibot_enabled( $location ) { if ( crb_get_settings( 'botsnoauth' ) && is_user_logged_in() ) { return false; } if ( is_array( $location ) ) { foreach ( $location as $loc ) { if ( crb_get_settings( $loc ) ) { return true; } } } else { if ( crb_get_settings( $location ) ) { return true; } } return false; } /** * Print out the antibot/antispam jQuery code * * @param $location string|array Location (setting) */ function cerber_antibot_code($location) { if ( ! cerber_antibot_enabled( $location ) ) { return; } $values = cerber_antibot_gene(); if ( empty( $values ) || !is_array( $values ) ) { return; } ?> roles; } else { $user = get_userdata( $user ); $roles = $user->roles; } if ( $roles ) { foreach ( $roles as $role ) { $ret = cerber_check_geo( $rule_id . '_' . $role ); if ( $ret !== 0 ) { // This rule exists and country was successfully checked return $ret; } } } } $ret = cerber_check_geo( $rule_id ); if ( $ret === 0 ) { return true; } return $ret; } function cerber_check_geo( $rule_id ) { if ( ! $rule = cerber_get_geo_rules( $rule_id ) ) { return 0; } if ( ! $country = lab_get_country( cerber_get_remote_ip(), false ) ) { return 0; } if ( in_array( $country, $rule['list'] ) ) { if ( $rule['type'] == 'W' ) { return true; } return false; } if ( $rule['type'] == 'W' ) { return false; } return true; } /** * Retrieve and return GEO rule(s) from the DB * * @param string $rule_id ID of the rule * * @return bool|array False if no rule configured */ function cerber_get_geo_rules( $rule_id = '' ) { static $rules; global $wpdb; if ( ! isset( $rules ) || cerber_is_http_post() ) { if ( is_multisite() ) { $geo = cerber_db_get_var( 'SELECT meta_value FROM ' . $wpdb->sitemeta . ' WHERE meta_key = "geo_rule_set"' ); } else { $geo = cerber_db_get_var( 'SELECT option_value FROM ' . $wpdb->options . ' WHERE option_name = "geo_rule_set"' ); } if ( $geo ) { $rules = unserialize( $geo ); } else { $rules = false; return false; } } if ( $rule_id ) { $ret = ( ! empty( $rules[ $rule_id ] ) ) ? $rules[ $rule_id ] : false; } else { $ret = $rules; } return $ret; } /** * Set user session expiration * */ add_filter( 'auth_cookie_expiration', function ( $expire, $user_id ) { if ( ! $time = cerber_get_user_policy( 'auth_expire', $user_id ) ) { $time = crb_get_settings( 'auth_expire' ); } if ( $time ) { $expire = 60 * $time; } return $expire; }, 10, 2 ); // add_action( 'wp_logout', function(){}); add_action( 'clear_auth_cookie', function () { $uid = get_current_user_id(); if ( $uid ) { cerber_log( 6, '', $uid ); CRB_2FA::delete_2fa( $uid ); } cerber_set_cookie( 'cerber_nexus_id', 0, time(), '/' ); } ); // add_action( 'lostpassword_post', 'cerber_password_post' ); add_action( 'retrieve_password', function ( $user_login ) { cerber_log( 21, $user_login ); } ); add_action( 'password_reset', 'crb_pass_reset' ); add_action( 'crb_after_reset', 'crb_pass_reset', 10, 2); function crb_pass_reset( $user, $user_id = null) { if ( ! $user && $user_id ) { $user = get_user_by( 'id', $user_id ); } if ( ! $user ) { return; } cerber_log( 20, $user->user_login, $user->ID ); } // Fires in wp_insert_user() add_action( 'user_register', function ( $user_id ) { // @since 5.6 $cid = get_current_user_id(); if ($user = get_user_by( 'ID', $user_id )) { if ( $cid && $cid != $user_id ) { $ac = 1; } else { $ac = 2; } cerber_log( $ac, $user->user_login, $user_id ); crb_log_user_ip( $user_id, $cid ); } }); // Fires after a new user has been created in WP dashboard. add_action( 'edit_user_created_user', function ( $user_id, $notify = null ) { if ( $user_id && $user = get_user_by( 'ID', $user_id ) ) { cerber_log( 1, $user->user_login, $user_id ); crb_log_user_ip( $user_id ); } }, 10, 2 ); // Log IP address of user registration independently function crb_log_user_ip( $user_id, $by_user = null ) { if ( ! $user_id ) { return; } if ( ! $by_user ) { $by_user = get_current_user_id(); } add_user_meta( $user_id, '_crb_reg_', array( 'IP' => cerber_get_remote_ip(), 'user' => $by_user ) ); } // Lockouts routines --------------------------------------------------------------------- /** * Lock out IP address if it is an alien IP only (browser does not have valid Cerber groove) * * @param $ip string IP address to block * @param integer $reason_id ID of reason of blocking * @param string $details Reason of blocking * @param null $duration Duration of blocking * * @return bool|false|int */ function cerber_soft_block_add( $ip, $reason_id, $details = '', $duration = null ) { if ( cerber_check_groove() ) { return false; } return cerber_block_add( $ip, $reason_id, $details, $duration ); } /** * Lock out IP address * * @param $ip_address string IP address to block * @param integer $reason_id ID of reason of blocking * @param string $details Reason of blocking * @param int $duration Duration of blocking * * @return bool|false|int */ function cerber_block_add( $ip_address = '', $reason_id = 1, $details = '', $duration = null ) { global $cerber_blocked; if ( cerber_is_cloud_request() ) { return false; } $wp_cerber = get_wp_cerber(); //$wp_cerber->setProcessed(); if ( empty( $ip_address ) || ! filter_var( $ip_address, FILTER_VALIDATE_IP ) ) { $ip_address = cerber_get_remote_ip(); } if ( cerber_acl_check( $ip_address ) ) { return false; } $reason_id = absint( $reason_id ); $update = false; if ( $row = cerber_get_block( $ip_address ) ) { if ( $row->reason_id == $reason_id ) { return false; } $update = true; } if ( crb_get_settings( 'subnet' ) ) { $ip = cerber_get_subnet_ipv4( $ip_address ); $activity = 11; } else { $ip = $ip_address; $activity = 10; } lab_save_push( $ip_address, $reason_id, $details ); $reason = cerber_get_reason( $reason_id ); if ( $details ) { $reason .= ': ' . $details; } $reason_escaped = cerber_real_escape( $reason ); if ( ! $duration ) { $duration = cerber_calc_duration( $ip ); } $until = time() + $duration; if ( ! $update ) { $result = cerber_db_query( 'INSERT INTO ' . CERBER_BLOCKS_TABLE . ' (ip,block_until,reason,reason_id) VALUES ("' . $ip . '",' . $until . ',"' . $reason_escaped . '",' . $reason_id . ')' ); } else { $result = cerber_db_query( 'UPDATE ' . CERBER_BLOCKS_TABLE . ' SET block_until = ' . $until . ', reason = "' . $reason_escaped . '", reason_id = ' . $reason_id . ' WHERE ip = "' . $ip . '"' ); } if ( $result ) { $result = true; $cerber_blocked = $reason_id; cerber_log( $activity, null, null, $ip_address ); $wp_cerber->setLocked(); crb_event_handler( 'ip_event', array( 'e_type' => 'locked', 'ip' => $ip_address, 'reason_id' => $reason_id, 'reason' => $reason, 'update' => $update ) ); do_action( 'cerber_ip_locked', array( 'IP' => $ip_address, 'reason' => $reason ) ); } else { $result = false; cerber_db_error_log(); } if ( crb_get_settings( 'notify' ) ) { $count = cerber_blocked_num(); if ( $count > crb_get_settings( 'above' ) ) { cerber_send_email( 'lockout', '', $ip_address ); } } return $result; } /** * * Check if an IP address is currently blocked. With C subnet also. * * @param string $ip an IP address * * @return bool true if IP is locked out */ function cerber_block_check( $ip = '' ) { // @since 4.8 if ( cerber_get_block( $ip ) ) { return true; } return false; } /** * * Return the lockout row for an IP if it is blocked. With C subnet also. * * @param string $ip an IP address * * @return object|bool object if IP is locked out, false otherwise */ function cerber_get_block( $ip = '' ) { if ( ! $ip ) { $ip = cerber_get_remote_ip(); } if ( ! filter_var( $ip, FILTER_VALIDATE_IP ) ) { return false; } $where = ' WHERE ip = "' . $ip . '"'; if ( cerber_is_ipv4( $ip ) ) { $subnet = cerber_get_subnet_ipv4( $ip ); $where .= ' OR ip = "' . $subnet . '"'; } if ( $ret = cerber_db_get_row( 'SELECT * FROM ' . CERBER_BLOCKS_TABLE . $where, MYSQL_FETCH_OBJECT ) ) { return $ret; } return false; } /** * Return the number of currently locked out IPs * * @return int the number of currently locked out IPs * @since 3.0 */ function cerber_blocked_num() { return absint( cerber_db_get_var( 'SELECT count(ip) FROM ' . CERBER_BLOCKS_TABLE ) ); } /** * Calculate duration for a lockout of an IP address based on settings * * @param string $ip * * @return integer Duration in seconds */ function cerber_calc_duration( $ip ) { $range = time() - crb_get_settings( 'aglast' ) * 3600; $lockouts = cerber_db_get_var( 'SELECT COUNT(ip) FROM ' . CERBER_LOG_TABLE . ' WHERE ip = "' . $ip . '" AND activity IN (10,11) AND stamp > ' . $range ); if ( $lockouts >= crb_get_settings( 'aglocks' ) ) { $duration = crb_get_settings( 'agperiod' ) * 3600; } else { $duration = crb_get_settings( 'lockout' ) * 60; } $duration = absint( $duration ); if ( $duration < 60 ) { $duration = 60; } return $duration; } /** * Calculation of remaining attempts * * @param $ip string an IP address * @param $check_acl bool if true will check the White IP ACL first * @param $activity array List of activity IDs to calculate for * @param $allowed int Allowed attempts within $period * @param $period int Period for count attempts in minutes * * @return int Allowed attempts for present moment */ function cerber_get_remain_count( $ip = '', $check_acl = true, $activity = array( 7, 51, 52 ), $allowed = null, $period = null ) { if ( ! $ip ) { $ip = cerber_get_remote_ip(); } else { if ( ! $ip = filter_var( $ip, FILTER_VALIDATE_IP ) ) { return 0; } } if ( ! $allowed ) { $allowed = absint( crb_get_settings( 'attempts' ) ); } if ( $check_acl && crb_acl_is_white( $ip ) ) { return $allowed; // whitelist = infinity attempts } if ( ! $period ) { $period = absint( crb_get_settings( 'period' ) ); } $range = time() - $period * 60; $in = implode( ',', array_filter( array_map( 'absint', $activity ) ) ); $attempts = cerber_db_get_var( 'SELECT count(ip) FROM ' . CERBER_LOG_TABLE . ' WHERE ip = "' . $ip . '" AND activity IN (' . $in . ') AND stamp > ' . $range ); if ( ! $attempts ) { return $allowed; } else { $ret = $allowed - $attempts; } $ret = $ret < 0 ? 0 : $ret; return $ret; } /** * Is a given IP is allowed to do restricted things? * Here Cerber makes its decision. * * @param $ip string IP address * @param $context int What context? * * @return bool */ function cerber_is_ip_allowed( $ip = '', $context = null ) { global $cerber_status; if ( ! $ip ) { $ip = cerber_get_remote_ip(); } elseif ( ! filter_var( $ip, FILTER_VALIDATE_IP ) ) { return false; } $tag = cerber_acl_check( $ip ); if ( $tag == 'W' ) { return true; } if ( $tag == 'B' ) { $cerber_status = 14; return false; } if ( $b = cerber_get_block( $ip ) ) { if ( ! in_array( $b->reason_id, crb_context_get_allowed( $context ) ) ) { $cerber_status = 13; return false; } } if ( $context != CRB_CNTX_NEXUS && cerber_is_citadel() ) { $cerber_status = 19; return false; } if ( lab_is_blocked( $ip, false ) ) { $cerber_status = 15; return false; } return true; } /** * @param int $context_id * * @return array */ function crb_context_get_allowed( $context_id ) { $sets = array( CRB_CNTX_SAFE => array( 701, 703, 704, 721 ) ); if ( $context_id && isset( $sets[ $context_id ] ) ) { return $sets[ $context_id ]; } return array(); } /** * Check if a given username is not permitted to log in or register * * @param $username string * * @return bool true if username is prohibited */ function cerber_is_prohibited( $username ) { if ( ! $username ) { return false; } if ( $list = (array) crb_get_settings( 'prohibited' ) ) { foreach ( $list as $item ) { if ( mb_substr( $item, 0, 1 ) == '/' && mb_substr( $item, - 1 ) == '/' ) { $pattern = trim( $item, '/' ); if ( @mb_ereg_match( $pattern, $username, 'i' ) ) { return true; } } elseif ($username === $item){ return true; } } } return false; } // TODO: Merge with $wp_cerber->getStatus(); function cerber_get_status( $ip ) { global $cerber_status; if ( ! empty( $cerber_status ) ) { return absint($cerber_status); } if ( cerber_block_check( $ip ) ) { return 13; } $tag = cerber_acl_check( $ip ); if ( $tag == 'W' ) { return 0; } if ( $tag == 'B' ) { return 14; } if ( cerber_is_citadel() ) { return 12; } if ( lab_is_blocked( $ip, false ) ) { return 15; } return 0; } // Access lists (ACL) routines ------------------------------------------------ /** * Is an IP whitelisted? * * @param $ip string * * @return bool */ function crb_acl_is_white( $ip = null ){ if ( cerber_acl_check( $ip, 'W' ) ) { return true; } return false; } /** * Is an IP blacklisted? * * @param $ip string * * @return bool */ function crb_acl_is_black( $ip = '' ) { $tag = cerber_acl_check( $ip ); if ( $tag === 'W' ) { return false; } elseif ( $tag === 'B' ) { return true; } return false; } /** * Check ACLs for given IP. Some extra lines for performance reason. * * @param string $ip * @param string $tag * @param int $acl_slice * * @return bool|string */ function cerber_acl_check( $ip = null, $tag = '', $acl_slice = 0 ) { static $cache; if ( ! $ip ) { $ip = cerber_get_remote_ip(); } $key = cerber_get_id_ip( $ip ) . (string) $tag; if ( isset( $cache[ $key ] ) ) { return $cache[ $key ]; } if ( cerber_is_ipv6( $ip ) ) { $ret = cerber_ipv6_acl_check( $ip, $tag, $acl_slice ); $cache[ $key ] = $ret; return $ret; } $long = ip2long( $ip ); $acl_slice = absint( $acl_slice ); if ( $tag ) { if ( $tag !== 'W' && $tag !== 'B' ) { $ret = false; } elseif ( cerber_db_get_var( 'SELECT ip FROM ' . CERBER_ACL_TABLE . ' WHERE acl_slice = ' . $acl_slice . ' AND ver6 = 0 AND ip_long_begin <= ' . $long . ' AND ' . $long . ' <= ip_long_end AND tag = "' . $tag . '" LIMIT 1' ) ) { $ret = true; } else { $ret = false; } $cache[ $key ] = $ret; return $ret; } else { // We use two queries because of possible overlapping an IP and its network if ( $ret = cerber_db_get_var( 'SELECT tag FROM ' . CERBER_ACL_TABLE . ' WHERE acl_slice = ' . $acl_slice . ' AND ver6 = 0 AND ip_long_begin <= ' . $long . ' AND ' . $long . ' <= ip_long_end AND tag = "W" LIMIT 1' ) ) { $cache[ $key ] = $ret; return $ret; } if ( $ret = cerber_db_get_var( 'SELECT tag FROM ' . CERBER_ACL_TABLE . ' WHERE acl_slice = ' . $acl_slice . ' AND ver6 = 0 AND ip_long_begin <= ' . $long . ' AND ' . $long . ' <= ip_long_end AND tag = "B" LIMIT 1' ) ) { $cache[ $key ] = $ret; return $ret; } $cache[ $key ] = false; return false; } } /** * IPv6 version of cerber_acl_check() with ranges * * @param string $ip * @param string $tag * @param int $acl_slice * * @return bool|null|string */ function cerber_ipv6_acl_check( $ip, $tag = '', $acl_slice = 0 ) { if ( ! $ip ) { $ip = cerber_get_remote_ip(); } list ( $d0, $d1, $d2 ) = crb_ipv6_split( $ip ); $acl_slice = absint( $acl_slice ); if ( $tag ) { if ( $tag != 'W' && $tag != 'B' ) { return false; } if ( ! $list = cerber_db_get_col( 'SELECT v6range FROM ' . CERBER_ACL_TABLE . ' WHERE acl_slice = ' . $acl_slice . ' AND ver6 = 1 AND ip_long_begin <= ' . $d0 . ' AND ' . $d0 . ' <= ip_long_end AND tag = "' . $tag . '"' ) ) { return false; } if ( ! crb_ipv6_is_in_range_list( $d1, $d2, $list ) ) { return false; } return true; } else { if ( ! $list = cerber_db_get_results( 'SELECT v6range,tag FROM ' . CERBER_ACL_TABLE . ' WHERE acl_slice = ' . $acl_slice . ' AND ver6 = 1 AND ip_long_begin <= ' . $d0 . ' AND ' . $d0 . ' <= ip_long_end' ) ) { return false; } return crb_ipv6_get_tag( $d1, $d2, $list ); } } function crb_ipv6_is_in_range( $ip, $range ) { list ( $d0, $d1, $d2 ) = crb_ipv6_split( $ip ); if ( $range['begin'] >= $d0 || $d0 >= $range['end'] ) { return false; } $list = array( $range['IPV6range'] ); if ( crb_ipv6_is_in_range_list( $d1, $d2, $list ) ) { return true; } return false; } /** * @param int $d1 * @param int $d2 * @param array $list * * @return bool */ function crb_ipv6_is_in_range_list( $d1, $d2, &$list ) { foreach ( $list as $v6range ) { list( $begin1, $begin2, $end1, $end2 ) = explode( '#', $v6range, 4 ); if ( crb_compare_numbers( $d1, $d2, $begin1, $begin2 ) && crb_compare_numbers( $end1, $end2, $d1, $d2 ) ) { return true; } } return false; } /** * Check to what ACL a given IP belongs with white list priority * * @param $d1 * @param $d2 * @param $v6rows * * @return bool|string false if IP is not in any list, 'B' if is in the black, 'W' if is in the white */ function crb_ipv6_get_tag( $d1, $d2, &$v6rows ) { $black = false; foreach ( $v6rows as $row ) { if ( $black && ( $row['tag'] == 'B' ) ) { continue; } list( $begin1, $begin2, $end1, $end2 ) = explode( '#', $row['v6range'], 4 ); if ( crb_compare_numbers( $d1, $d2, $begin1, $begin2 ) && crb_compare_numbers( $end1, $end2, $d1, $d2 ) ) { if ( $row['tag'] == 'W' ) { return 'W'; } $black = true; } } if ( $black ) { return 'B'; } return false; } /** * Return true if the number $a1.$a2 is bigger or equal the number $b1.$b2 * * @param $a1 integer * @param $a2 integer * @param $b1 integer * @param $b2 integer * * @return bool */ function crb_compare_numbers( $a1, $a2, $b1, $b2 ) { if ( $a1 > $b1 ) { return true; } if ( $a1 < $b1 ) { return false; } if ( $a1 == $b1 ) { if ( $a2 >= $b2 ) { return true; } return false; } } /** * Split an IPv6 into 3 integer numbers that can be handled by PHP and MySQL * 15 bytes HEX number converted to integer is a maximum for PHP 7.X * * @param string $ip Valid IPv6 * * @return array */ function crb_ipv6_split( $ip ) { $hex = (string) bin2hex( inet_pton( $ip ) ); return array( hexdec( substr( $hex, 0, 15 ) ), hexdec( substr( $hex, 15, 15 ) ), hexdec( substr( $hex, 30, 2 ) ) ); } function crb_ipv6_prepare( $begin, $end ) { list ( $b0, $b1, $b2 ) = crb_ipv6_split( $begin ); list ( $e0, $e1, $e2 ) = crb_ipv6_split( $end ); return array( $b0, $e0, $b1 . '#' . $b2 . '#' . $e1 . '#' . $e2 ); } /* * Logging directly to the file * * CERBER_FAIL_LOG optional, full path including filename to the log file * CERBER_LOG_FACILITY optional, use to specify what type of program is logging the messages * * */ function cerber_file_log( $user_login, $ip ) { if ( defined( 'CERBER_FAIL_LOG' ) ) { if ( $log = @fopen( CERBER_FAIL_LOG, 'a' ) ) { $pid = absint( @posix_getpid() ); @fwrite( $log, date( 'M j H:i:s ' ) . $_SERVER['SERVER_NAME'] . ' Cerber(' . $_SERVER['HTTP_HOST'] . ')[' . $pid . ']: Authentication failure for ' . $user_login . ' from ' . $ip . "\n" ); @fclose( $log ); } } else { @openlog( 'Cerber(' . $_SERVER['HTTP_HOST'] . ')', LOG_NDELAY | LOG_PID, defined( 'CERBER_LOG_FACILITY' ) ? CERBER_LOG_FACILITY : LOG_AUTH ); @syslog( LOG_NOTICE, 'Authentication failure for ' . $user_login . ' from ' . $ip ); @closelog(); } } /* Return wildcard - string like subnet Class C */ function cerber_get_subnet_ipv4( $ip ) { return preg_replace( '/\.\d{1,3}$/', '.*', $ip ); } /* Check if given IP address or wildcard or CIDR is valid */ function cerber_is_ip_or_net( $ip ) { if ( filter_var( $ip, FILTER_VALIDATE_IP ) ) { return true; } // WILDCARD: 192.168.1.* $ip = str_replace( '*', '0', $ip ); //if ( @inet_pton( $ip ) ) { if ( filter_var( $ip, FILTER_VALIDATE_IP ) ) { return true; } // CIDR: 192.168.1/24 if ( strpos( $ip, '/' ) ) { $cidr = explode( '/', $ip ); $net = $cidr[0]; $mask = absint( $cidr[1] ); $dots = substr_count( $net, '.' ); if ( $dots < 3 ) { if ( $dots == 1 ) { $net .= '.0.0'; } elseif ( $dots == 2 ) { $net .= '.0'; } } if ( ! cerber_is_ipv4( $net ) ) { return false; } if ( ! is_numeric( $mask ) ) { return false; } return true; } return false; } /** * Tries to recognize a valid IP range (with a dash) in a given string. * Supports IPv4 & IPv6 * * @param string $string String to detect for an IP range * * @return array|bool|string Return IP range as an array for a valid range, string in case of a single IP, false otherwise */ function cerber_parse_ip_range( $string ) { if ( cerber_is_ip_or_net( $string ) ) { return $string; } $explode = explode( '-', $string, 2 ); if ( ! is_array( $explode ) || 2 != count( $explode ) ) { return false; } $begin_ip = filter_var( trim( $explode[0] ), FILTER_VALIDATE_IP ); $end_ip = filter_var( trim( $explode[1] ), FILTER_VALIDATE_IP ); if ( ! $begin_ip || ! $end_ip ) { return false; } if ( cerber_is_ipv4( $begin_ip ) && cerber_is_ipv4( $end_ip ) ) { $begin = ip2long( $begin_ip ); $end = ip2long( $end_ip ); if ( $begin >= $end ) { return false; } $ver6 = 0; $v6range = ''; } elseif ( cerber_is_ipv6( $begin_ip ) && cerber_is_ipv6( $end_ip ) ) { $ver6 = 1; list( $begin, $end, $v6range ) = crb_ipv6_prepare( $begin_ip, $end_ip ); // @since 8.6.1 check for a valid IPv6 range: begin < end if ( $begin > $end ) { return false; } list( $begin1, $begin2, $end1, $end2 ) = explode( '#', $v6range, 4 ); if ( crb_compare_numbers( $begin1, $begin2, $end1, $end2 ) ) { return false; } } else { return false; } return array( 'range' => $begin_ip . ' - ' . $end_ip, 'begin_ip' => $begin_ip, 'end_ip' => $end_ip, 'begin' => $begin, 'end' => $end, 'IPV6' => $ver6, 'IPV6range' => $v6range ); } /** * Convert a network wildcard string like x.x.x.* to an IP v4 range * * @param $wildcard string * * @return array|bool|string False if no wildcard found, otherwise result of cerber_parse_ip() */ function cerber_wildcard2range( $wildcard ) { if ( false === strpos( $wildcard, '*' ) ) { return false; } if ( ! strpos( $wildcard, ':' ) ) { $begin = str_replace( '*', '0', $wildcard ); $end = str_replace( '*', '255', $wildcard ); if ( ! cerber_is_ipv4( $begin ) || ! cerber_is_ipv4( $end ) ) { return false; } } else { $begin = str_replace( ':*', ':0000', $wildcard ); $end = str_replace( ':*', ':ffff', $wildcard ); if ( ! cerber_is_ipv6( $begin ) || ! cerber_is_ipv6( $end ) ) { return false; } } return cerber_parse_ip_range( $begin . ' - ' . $end ); } /** * Convert a CIDR to an IP v4 range * * @param $cidr string * * @return array|bool|string */ function cerber_cidr2range( $cidr = '' ) { if ( ! strpos( $cidr, '/' ) ) { return false; } $cidr = explode( '/', $cidr ); $net = $cidr[0]; $mask = absint( $cidr[1] ); $dots = substr_count( $net, '.' ); if ( $dots < 3 ) { // not completed CIDR if ( $dots == 1 ) { $net .= '.0.0'; } elseif ( $dots == 2 ) { $net .= '.0'; } } if ( ! cerber_is_ipv4( $net ) ) { return false; } if ( ! is_numeric( $mask ) ) { return false; } $begin = long2ip( ( ip2long( $net ) ) & ( ( - 1 << ( 32 - (int) $mask ) ) ) ); $end = long2ip( ( ip2long( $net ) ) + pow( 2, ( 32 - (int) $mask ) ) - 1 ); return cerber_parse_ip_range( $begin . ' - ' . $end ); } /** * Tries to recognize if a given string contains an IP range/CIDR/wildcard * Supports IPv4 & IPv6 * * If returns false, there is no IP in the string in any form * * @param $string string Anything * * @return array|string Return an array if an IP range recognized, string with IP in case of a single IP, false otherwise */ function cerber_any2range( $string ) { if ( ! $string || ! is_string( $string ) ) { return false; } $string = trim( $string ); if ( filter_var( $string, FILTER_VALIDATE_IP ) ) { return $string; } // Do not change the order! $ret = cerber_wildcard2range( $string ); if ( ! $ret ) { $ret = cerber_cidr2range( $string ); } if ( ! $ret ) { $ret = crb_ipv6_cidr2range( $string ); } if ( ! $ret ) { $ret = cerber_parse_ip_range( $string ); // must be last due to checking for cidr and wildcard } return $ret; } function crb_ipv6_cidr2range( $cidr ) { if ( ! strpos( $cidr, '/' ) ) { return false; } list( $net, $mask ) = explode( '/', $cidr ); $mask = (int) $mask; if ( ! cerber_is_ipv6( $net ) || ! is_integer( $mask ) || $mask < 0 || $mask > 128 ) { return false; } $begin_hex = (string) bin2hex( inet_pton( $net ) ); $begin_ip = cerber_ipv6_expand( $net ); // These are cases that PHP can't handle as integers $exceptions = array( 65 => '7fffffffffffffff', 1 => '7fffffffffffffffffffffffffffffff', 0 => 'ffffffffffffffffffffffffffffffff' ); if ( isset( $exceptions[ $mask ] ) ) { $add = $exceptions[ $mask ]; } elseif ( $mask >= 66 ) { $add = (string) dechex( pow( 2, ( 128 - $mask ) ) - 1 ); } else { // $mask <= 64 $add = (string) dechex( pow( 2, ( 128 - $mask - 64 ) ) - 1 ) . 'ffffffffffffffff'; } $end_hex = str_pad( crb_summ_hex( $begin_hex, $add ), 32, '0', STR_PAD_LEFT ); $end_ip = implode( ':', str_split( $end_hex, 4 ) ); return cerber_parse_ip_range( $begin_ip . ' - ' . $end_ip ); } /** * Calculate the summ of two any HEX numbers * * @param string $hex1 Number with no 0x prefix * @param string $hex2 Number with no 0x prefix * * @return string */ function crb_summ_hex( $hex1, $hex2) { $hex1 = ltrim( $hex1, '0' ); $hex2 = ltrim( $hex2, '0' ); if ( strlen( $hex1 ) > strlen( $hex2 ) ) { $h1 = $hex1; $h2 = $hex2; } else { $h1 = $hex2; $h2 = $hex1; } $h1 = str_split( (string) $h1 ); $h2 = str_split( (string) $h2 ); $h1 = array_reverse( array_map( 'hexdec', $h1 ) ); $h2 = array_reverse( array_map( 'hexdec', $h2 ) ); $max1 = count( $h1 ) - 1; $max2 = count( $h2 ) - 1; $i = 0; $r = 0; $finish = false; while ( $i <= $max1 && ! $finish ) { if ( $i <= $max2 ) { $h1[ $i ] = $h1[ $i ] + $h2[ $i ] + $r; } else { if ( ! $r ) { $finish = true; } $h1[ $i ] += $r; } if ( $h1[ $i ] >= 16 ) { $r = 1; $h1[ $i ] -= 16; } else { $r = 0; } $i ++; } if ( $r ) { $h1[] = 1; } $h1 = array_reverse( array_map( 'dechex', $h1 ) ); return implode( '', $h1 ); } /* Check for given IP address or subnet belong to this session. */ function cerber_is_myip( $ip ) { global $wp_cerber; if ( ! is_string( $ip ) ) { return false; } $remote_ip = cerber_get_remote_ip(); if ( $ip == $remote_ip ) { return true; } if ( $ip == cerber_get_subnet_ipv4( $remote_ip ) ) { return true; } return false; } /** * Supports IPv4 & IPv6 ranges * * @param array $range * @param string $ip * * @return bool */ function cerber_is_ip_in_range( $range, $ip ) { if ( ! is_array( $range ) ) { return false; } // $range = IPv6 range if ( $range['IPV6'] ) { if ( cerber_is_ipv4( $ip ) ) { return false; } return crb_ipv6_is_in_range( $ip, $range ); } // $range = IPv4 range if ( cerber_is_ipv6( $ip ) ) { return false; } $long = ip2long( $ip ); if ( $range['begin'] <= $long && $long <= $range['end'] ) { return true; } return false; } /** * Display 404 page to bump bots and bad guys * * @param bool $simple If true force displaying basic 404 page */ function cerber_404_page($simple = false) { global $wp_query; if ( !$simple ) { if ( function_exists( 'status_header' ) ) { status_header( '404' ); } if ( isset( $wp_query ) && is_object( $wp_query ) ) { $wp_query->set_404(); } if ( 0 == crb_get_settings( 'page404' ) ) { $template = null; if ( function_exists( 'get_404_template' ) ) { $template = get_404_template(); } if ( function_exists( 'apply_filters' ) ) { $template = apply_filters( 'cerber_404_template', $template ); } if ( $template && @file_exists( $template ) ) { include( $template ); exit; } } } header( 'HTTP/1.0 404 Not Found', true, 404 ); echo '
The requested URL ' . esc_url( $_SERVER['REQUEST_URI'] ) . ' was not found on this server.
'; cerber_traffic_log(); // do not remove! exit; } /* Display Forbidden page */ function cerber_forbidden_page() { $wp_cerber = get_wp_cerber(); $sid = strtoupper( $wp_cerber->getRequestID() ); status_header( '403' ); header( 'HTTP/1.0 403 Access Forbidden', true, 403 ); ?>Your request looks suspiciously similar to automated requests from spam posting software or it has been denied by a security policy configured by the website administrator.
If you believe you should be able to perform this request, please let us know.
RID:
' . $site_name .'
'. __('Weekly Report','wp-cerber'). '
'.__('Activity details','wp-cerber').'
'.__('Attempts to log in with non-existing usernames','wp-cerber').'
' . implode( '
', $db_error ) . '
'; } cerber_stop_activating( '' . __( 'WP Cerber is now active and has started protecting your site', 'wp-cerber' ) . '
' . '' . __( 'Your IP address is added to the', 'wp-cerber' ) . ' ' . __( 'White IP Access List', 'wp-cerber' ) . '
' . __( 'Getting Started Guide', 'wp-cerber' ) . '
' . //'' . __( "It's important to check security settings.", 'wp-cerber' ) . ' Read Cerber\'s blog ' . //' Subscribe to Cerber\'s newsletter
' . '
'. // ' . __( 'Main Settings', 'wp-cerber' ) . '' . //' ' . __( 'Security Scanner', 'wp-cerber' ) . '' . //' ' . __( 'Access Lists', 'wp-cerber' ) . '' . //' ' . __( 'Antispam', 'wp-cerber' ) . '' . //' ' . __( 'Hardening', 'wp-cerber' ) . '' . //' ' . __( 'Notifications', 'wp-cerber' ) . '' . ' ' . __( 'Import settings', 'wp-cerber' ) . '' . ' ' . __( 'Enable slave mode', 'wp-cerber' ) . '' . ' Follow Cerber on Twitter' . ' Subscribe to Cerber\'s newsletter' . '
' ); if ( ! defined( 'CRB_JUST_MARRIED' ) || ! CRB_JUST_MARRIED ) { return; } cerber_send_email( 'activated' ); $p = get_file_data( cerber_plugin_file(), array( 'Version' => 'Version' ), 'plugin' ); $p['time'] = time(); $p['user'] = get_current_user_id(); cerber_update_set( '_activated', $p ); }); /* Abort activating plugin! */ function cerber_stop_activating( $msg ) { //deactivate_plugins( cerber_plug_in() ); deactivate_plugins( CERBER_PLUGIN_ID ); wp_die( $msg ); } // Closure can't be used register_uninstall_hook( cerber_plugin_file(), 'cerber_finito' ); function cerber_finito() { if ( ! is_super_admin() ) { return; } $dir = cerber_get_the_folder(); if ( $dir && file_exists( $dir ) ) { $fs = cerber_init_wp_filesystem(); if ( ! is_wp_error( $fs ) ) { $fs->rmdir( $dir, true ); } } $list = array( '_cerber_subs', '_cerber_up', '_cerber_report', 'cerber-groove', 'cerber-groove-x', '_cerberkey_', 'cerber-antibot', 'cerber_admin_info', '_cerber_db_errors' ); $list = array_merge( $list, cerber_get_setting_list() ); foreach ( $list as $opt ) { delete_site_option( $opt ); } // Must be executed last cerber_db_query( 'DROP TABLE IF EXISTS ' . implode( ',', cerber_get_tables() ) ); } /** * Upgrade database tables, data and plugin settings * * @since 3.0 * */ function cerber_upgrade_all( $force = false ) { global $cerber_doing_upgrade; $ver = get_site_option( '_cerber_up' ); if ( $force || ! $ver || $ver['v'] != CERBER_VER ) { $d = @ini_get( 'display_errors'); @ini_set( 'display_errors', 0 ); @ignore_user_abort( true ); crb_raise_limits(); $cerber_doing_upgrade = true; @define( 'CRB_DOING_UPGRADE', 1 ); crb_clear_admin_msg(); cerber_create_db(); cerber_upgrade_db(); cerber_acl_fixer(); cerber_antibot_gene( true ); cerber_upgrade_settings(); cerber_htaccess_sync( 'main' ); wp_clear_scheduled_hook( 'cerber_hourly' ); // @since 5.8 cerber_sync_sessions(); // @since 8.3.3 cerber_push_the_news( CERBER_VER ); update_site_option( '_cerber_up', array( 'v' => CERBER_VER, 't' => time() ) ); cerber_delete_expired_set( true ); CRB_Cache::reset(); lab_get_key( true ); $cerber_doing_upgrade = false; delete_site_transient( 'update_plugins' ); @ini_set( 'display_errors', $d ); } } /** * Creates DB tables if they don't exist * * @param bool $recreate If true, recreate some tables completely (with data lost) * * @return array Errors */ function cerber_create_db($recreate = true) { global $wpdb; $wpdb->hide_errors(); $db_errors = array(); $sql = array(); if ( ! cerber_is_table( CERBER_LOG_TABLE ) ) { $sql[] = " CREATE TABLE IF NOT EXISTS " . CERBER_LOG_TABLE . " ( ip varchar(39) CHARACTER SET ascii NOT NULL COMMENT 'Remote IP', user_login varchar(60) NOT NULL COMMENT 'Username from HTTP request', user_id bigint(20) unsigned NOT NULL DEFAULT '0', stamp bigint(20) unsigned NOT NULL COMMENT 'Unix timestamp', activity int(10) unsigned NOT NULL DEFAULT '0', KEY ip (ip) ) DEFAULT CHARSET=utf8 COMMENT='Cerber activity log'; "; } if ( ! cerber_is_table( CERBER_ACL_TABLE ) ) { $sql[] = " CREATE TABLE IF NOT EXISTS " . CERBER_ACL_TABLE . " ( ip varchar(39) CHARACTER SET ascii NOT NULL COMMENT 'IP', tag char(1) NOT NULL COMMENT 'Type: B or W', comments varchar(250) NOT NULL ) DEFAULT CHARSET=utf8 COMMENT='Cerber IP Access Lists'; "; } if ( ! cerber_is_table( CERBER_BLOCKS_TABLE ) ) { $sql[] = " CREATE TABLE IF NOT EXISTS " . CERBER_BLOCKS_TABLE . " ( ip varchar(39) CHARACTER SET ascii NOT NULL COMMENT 'Remote IP', block_until bigint(20) unsigned NOT NULL COMMENT 'Unix timestamp', reason varchar(250) NOT NULL COMMENT 'Why IP was blocked', reason_id int(11) unsigned NOT NULL DEFAULT '0', UNIQUE KEY ip (ip) ) DEFAULT CHARSET=utf8 COMMENT='Cerber list of currently blocked IPs'; "; } if ( ! cerber_is_table( CERBER_LAB_TABLE ) ) { $sql[] = " CREATE TABLE IF NOT EXISTS " . CERBER_LAB_TABLE . " ( ip varchar(39) CHARACTER SET ascii NOT NULL COMMENT 'Remote IP', reason_id int(11) unsigned NOT NULL DEFAULT '0', stamp bigint(20) unsigned NOT NULL COMMENT 'Unix timestamp', details text NOT NULL ) DEFAULT CHARSET=utf8 COMMENT='Cerber lab cache'; "; } if ( $recreate || ! cerber_is_table( CERBER_LAB_IP_TABLE ) ) { if ( $recreate && cerber_is_table( CERBER_LAB_IP_TABLE ) ) { $sql[] = 'DROP TABLE IF EXISTS ' . CERBER_LAB_IP_TABLE; } $sql[] = " CREATE TABLE IF NOT EXISTS " . CERBER_LAB_IP_TABLE . " ( ip varchar(39) CHARACTER SET ascii NOT NULL COMMENT 'IP', reputation INT(11) UNSIGNED NOT NULL COMMENT 'Reputation of IP', expires INT(11) UNSIGNED NOT NULL COMMENT 'Unix timestamp', PRIMARY KEY (ip) ) DEFAULT CHARSET=utf8 COMMENT='Cerber lab IP cache'; "; } if ( $recreate || ! cerber_is_table( CERBER_LAB_NET_TABLE ) ) { if ( $recreate && cerber_is_table( CERBER_LAB_NET_TABLE ) ) { $sql[] = 'DROP TABLE IF EXISTS ' . CERBER_LAB_NET_TABLE; } $sql[] = ' CREATE TABLE IF NOT EXISTS ' . CERBER_LAB_NET_TABLE . ' ( ip varchar(39) CHARACTER SET ascii NOT NULL DEFAULT "" COMMENT "IP address", ip_long_begin BIGINT UNSIGNED NOT NULL DEFAULT "0", ip_long_end BIGINT UNSIGNED NOT NULL DEFAULT "0", country CHAR(3) CHARACTER SET ascii COLLATE ascii_general_ci NOT NULL DEFAULT "" COMMENT "Country code", expires INT(11) UNSIGNED NOT NULL DEFAULT "0", PRIMARY KEY (ip), UNIQUE KEY begin_end (ip_long_begin, ip_long_end) ) DEFAULT CHARSET=utf8 COMMENT="Cerber lab network cache"; '; } if ( ! cerber_is_table( CERBER_GEO_TABLE ) ) { $sql[] = ' CREATE TABLE IF NOT EXISTS ' . CERBER_GEO_TABLE . ' ( country CHAR(3) NOT NULL DEFAULT "" COMMENT "Country code", locale CHAR(10) NOT NULL DEFAULT "" COMMENT "Locale i18n", country_name VARCHAR(250) NOT NULL DEFAULT "" COMMENT "Country name", PRIMARY KEY (country, locale) ) DEFAULT CHARSET=utf8; '; } if ( ! cerber_is_table( CERBER_TRAF_TABLE ) ) { $sql[] = ' CREATE TABLE IF NOT EXISTS ' . CERBER_TRAF_TABLE . ' ( ip varchar(39) CHARACTER SET ascii NOT NULL, ip_long BIGINT UNSIGNED NOT NULL DEFAULT "0", hostname varchar(250) NOT NULL DEFAULT "", uri text NOT NULL, request_fields MEDIUMTEXT NOT NULL, request_details MEDIUMTEXT NOT NULL, session_id char(32) CHARACTER SET ascii NOT NULL, user_id bigint(20) UNSIGNED NOT NULL DEFAULT 0, stamp decimal(14,4) NOT NULL, processing int(10) NOT NULL DEFAULT 0, country char(3) CHARACTER SET ascii NOT NULL DEFAULT "", request_method char(8) CHARACTER SET ascii NOT NULL, http_code int(10) UNSIGNED NOT NULL, wp_id bigint(20) UNSIGNED NOT NULL DEFAULT 0, wp_type int(10) UNSIGNED NOT NULL DEFAULT 0, is_bot int(10) UNSIGNED NOT NULL DEFAULT 0, blog_id int(10) UNSIGNED NOT NULL DEFAULT 0, KEY stamp (stamp) ) DEFAULT CHARSET=utf8; '; } if ( ! cerber_is_table( cerber_get_db_prefix() . CERBER_SCAN_TABLE ) ) { $sql[] = ' CREATE TABLE IF NOT EXISTS ' . cerber_get_db_prefix(). CERBER_SCAN_TABLE . ' ( scan_id INT(10) UNSIGNED NOT NULL, scan_type INT(10) UNSIGNED NOT NULL DEFAULT 1, scan_mode INT(10) UNSIGNED NOT NULL DEFAULT 0, scan_status INT(10) UNSIGNED NOT NULL DEFAULT 0, file_name_hash VARCHAR(255) CHARACTER SET ascii NOT NULL DEFAULT "", file_name TEXT NOT NULL, file_type INT(10) UNSIGNED NOT NULL DEFAULT 0, file_hash VARCHAR(255) CHARACTER SET ascii NOT NULL DEFAULT "", file_md5 VARCHAR(255) CHARACTER SET ascii NOT NULL DEFAULT "", file_hash_repo VARCHAR(255) CHARACTER SET ascii NOT NULL DEFAULT "", hash_match INT(10) UNSIGNED NOT NULL DEFAULT 0, file_size BIGINT(20) UNSIGNED NOT NULL DEFAULT 0, file_perms INT(11) NOT NULL DEFAULT 0, file_writable INT(10) UNSIGNED NOT NULL DEFAULT 0, file_mtime INT(10) UNSIGNED NOT NULL DEFAULT 0, extra TEXT NOT NULL, PRIMARY KEY (scan_id, file_name_hash) ) DEFAULT CHARSET=utf8; '; } if ( ! cerber_is_table( cerber_get_db_prefix() . CERBER_SETS_TABLE ) ) { $sql[] = ' CREATE TABLE IF NOT EXISTS ' . cerber_get_db_prefix() . CERBER_SETS_TABLE . ' ( the_key VARCHAR(255) CHARACTER SET ascii NOT NULL, the_id BIGINT(20) NOT NULL DEFAULT 0, the_value LONGTEXT NOT NULL, expires BIGINT(20) UNSIGNED NOT NULL DEFAULT 0, PRIMARY KEY (the_key, the_id) ) DEFAULT CHARSET=utf8; '; } if ( ! cerber_is_table( CERBER_QMEM_TABLE ) ) { $sql[] = ' CREATE TABLE IF NOT EXISTS ' . CERBER_QMEM_TABLE . ' ( ip varchar(39) CHARACTER SET ascii NOT NULL, http_code int(10) UNSIGNED NOT NULL, stamp int(10) UNSIGNED NOT NULL, KEY ip_stamp (ip, stamp) ) DEFAULT CHARSET=utf8; '; } if ( ! cerber_is_table( cerber_get_db_prefix() . CERBER_USS_TABLE ) ) { $sql[] = ' CREATE TABLE IF NOT EXISTS ' . cerber_get_db_prefix() . CERBER_USS_TABLE . ' ( user_id bigint(20) UNSIGNED NOT NULL, ip varchar(39) CHARACTER SET ascii NOT NULL, country char(3) CHARACTER SET ascii NOT NULL DEFAULT "", started int(10) UNSIGNED NOT NULL, expires int(10) UNSIGNED NOT NULL, session_id char(32) CHARACTER SET ascii NOT NULL DEFAULT "", wp_session_token varchar(250) CHARACTER SET ascii NOT NULL, KEY user_id (user_id) ) DEFAULT CHARSET=utf8; '; } foreach ( $sql as $query ) { if ( ! $wpdb->query( $query ) && $wpdb->last_error ) { $db_errors[] = array( $wpdb->last_error, $wpdb->last_query ); } } return $db_errors; } /** * Upgrade structure of existing DB tables * * @return array Errors occured during upgrading * * @since 3.0 */ function cerber_upgrade_db( $force = false ) { /*$wpdb->hide_errors(); if ( $force ) { $wpdb->suppress_errors(); }*/ $sql = array(); // @since 3.0 $sql[] = 'ALTER TABLE ' . CERBER_LOG_TABLE . ' CHANGE stamp stamp DECIMAL(14,4) NOT NULL'; // @since 3.1 if ( $force || ! cerber_is_column( CERBER_LOG_TABLE, 'ip_long' ) ) { $sql[] = 'ALTER TABLE ' . CERBER_LOG_TABLE . ' ADD ip_long BIGINT UNSIGNED NOT NULL DEFAULT "0" AFTER ip, ADD INDEX (ip_long)'; } if ( $force || ! cerber_is_column( CERBER_ACL_TABLE, 'ip_long_begin' ) ) { $sql[] = 'ALTER TABLE ' . CERBER_ACL_TABLE . ' ADD ip_long_begin BIGINT UNSIGNED NOT NULL DEFAULT "0" AFTER ip, ADD ip_long_end BIGINT UNSIGNED NOT NULL DEFAULT "0" AFTER ip_long_begin'; } /*if ( $force || !cerber_is_index( CERBER_ACL_TABLE, 'ip_begin_end' ) ) { $sql[] = 'ALTER TABLE ' . CERBER_ACL_TABLE . ' ADD UNIQUE ip_begin_end (ip, ip_long_begin, ip_long_end)'; }*/ if ( $force || cerber_is_index( CERBER_ACL_TABLE, 'ip' ) ) { $sql[] = 'ALTER TABLE ' . CERBER_ACL_TABLE . ' DROP INDEX ip'; } // @since 4.8.2 if ( $force || cerber_is_index( CERBER_ACL_TABLE, 'begin_end' ) ) { $sql[] = 'ALTER TABLE ' . CERBER_ACL_TABLE . ' DROP INDEX begin_end'; } /*if ( $force || !cerber_is_index( CERBER_ACL_TABLE, 'begin_end_tag' ) ) { $sql[] = 'ALTER TABLE ' . CERBER_ACL_TABLE . ' ADD INDEX begin_end_tag (ip_long_begin, ip_long_end, tag)'; }*/ // @since 4.9 if ( $force || ! cerber_is_column( CERBER_LOG_TABLE, 'session_id' ) ) { $sql[] = 'ALTER TABLE ' . CERBER_LOG_TABLE . ' ADD session_id CHAR(32) CHARACTER SET ascii COLLATE ascii_general_ci NOT NULL DEFAULT "", ADD country CHAR(3) CHARACTER SET ascii COLLATE ascii_general_ci NOT NULL DEFAULT "" COMMENT "Country code", ADD details VARCHAR(250) CHARACTER SET ascii COLLATE ascii_general_ci NOT NULL DEFAULT "" COMMENT "Details about HTTP request"; '; } // @since 6.1 if ( $force || ! cerber_is_index( CERBER_LOG_TABLE, 'session_index' ) ) { $sql[] = 'ALTER TABLE ' . CERBER_LOG_TABLE . ' ADD INDEX session_index (session_id)'; } // @since 7.0.3 $sql[] = 'DROP TABLE IF EXISTS ' . CERBER_SCAN_TABLE; // @since 7.1 if ( $force || ! cerber_is_column( cerber_get_db_prefix() . CERBER_SCAN_TABLE, 'file_status' ) ) { $sql[] = 'ALTER TABLE ' . cerber_get_db_prefix() . CERBER_SCAN_TABLE . " ADD file_status INT UNSIGNED NOT NULL DEFAULT '0' AFTER scan_status"; } // @since 7.5.2 if ( $force || ! cerber_is_column( CERBER_BLOCKS_TABLE, 'reason_id' ) ) { $sql[] = 'ALTER TABLE ' . CERBER_BLOCKS_TABLE . ' ADD reason_id int(11) unsigned NOT NULL DEFAULT "0"'; } // @since 7.8.6 if ( $force || ! cerber_is_column( CERBER_TRAF_TABLE, 'php_errors' ) ) { $sql[] = 'ALTER TABLE ' . CERBER_TRAF_TABLE . ' ADD php_errors TEXT NOT NULL AFTER blog_id'; } // @since 8.5.4 if ( $force || ! cerber_is_column( CERBER_ACL_TABLE, 'ver6' ) ) { $sql[] = 'ALTER TABLE ' . CERBER_ACL_TABLE . ' ADD acl_slice SMALLINT UNSIGNED NOT NULL DEFAULT 0, ADD ver6 SMALLINT UNSIGNED NOT NULL DEFAULT 0, ADD v6range VARCHAR(255) CHARACTER SET ascii COLLATE ascii_general_ci NOT NULL DEFAULT "", ADD req_uri VARCHAR(255) CHARACTER SET ascii COLLATE ascii_general_ci NOT NULL DEFAULT "", MODIFY ip VARCHAR(81) CHARACTER SET ascii COLLATE ascii_general_ci NOT NULL '; } if ( $force || ! cerber_is_index( CERBER_ACL_TABLE, 'main_for_selects' ) ) { $sql[] = 'ALTER TABLE ' . CERBER_ACL_TABLE . ' ADD INDEX main_for_selects (acl_slice, ver6, ip_long_begin, ip_long_end, tag)'; } if ( $force || cerber_is_index( CERBER_ACL_TABLE, 'begin_end_tag' ) ) { $sql[] = 'ALTER TABLE ' . CERBER_ACL_TABLE . ' DROP INDEX begin_end_tag'; } if ( $force || cerber_is_index( CERBER_ACL_TABLE, 'ip_begin_end' ) ) { $sql[] = 'ALTER TABLE ' . CERBER_ACL_TABLE . ' DROP INDEX ip_begin_end'; } /*if ( ! empty( $sql ) ) { foreach ( $sql as $query ) { if ( ! $wpdb->query( $query ) && $wpdb->last_error ) { $db_errors[] = array( $wpdb->last_error, $wpdb->last_query ); } } }*/ if ( ! empty( $sql ) ) { foreach ( $sql as $query ) { cerber_db_query( $query ); } } cerber_acl_fixer(); if ( $db_errors = cerber_db_get_errors( true ) ) { update_site_option( '_cerber_db_errors', $db_errors ); } if ( nexus_is_master() ) { nexus_upgrade_db(); } return $db_errors; } function cerber_get_tables() { return array( CERBER_LOG_TABLE, CERBER_QMEM_TABLE, CERBER_TRAF_TABLE, CERBER_ACL_TABLE, CERBER_BLOCKS_TABLE, CERBER_LAB_TABLE, CERBER_LAB_IP_TABLE, CERBER_LAB_NET_TABLE, CERBER_GEO_TABLE, cerber_get_db_prefix() . CERBER_SCAN_TABLE, cerber_get_db_prefix() . CERBER_SETS_TABLE, cerber_get_db_prefix() . CERBER_MS_TABLE, cerber_get_db_prefix() . CERBER_MS_LIST_TABLE, cerber_get_db_prefix() . CERBER_USS_TABLE, ); } /** * Updating old activity log records to the new row format (has been introduced in v 3.1) * * @since 4.0 * */ function cerber_up_data() { $ips = cerber_db_get_col( 'SELECT DISTINCT ip FROM ' . CERBER_LOG_TABLE . ' WHERE ip_long = 0 LIMIT 50' ); if ( ! $ips ) { return; } foreach ( $ips as $ip ) { if ( cerber_is_ipv4( $ip ) ) { $ip_long = ip2long( $ip ); } else { $ip_long = 1; } cerber_db_query( 'UPDATE ' . CERBER_LOG_TABLE . ' SET ip_long = ' . $ip_long . ' WHERE ip = "' . $ip .'" AND ip_long = 0'); } } /** * Upgrade outdated / corrupted rows in ACL * */ function cerber_acl_fixer() { $ips = cerber_db_get_col( 'SELECT ip FROM ' . CERBER_ACL_TABLE . ' WHERE ip_long_begin = 0 OR ip_long_end = 0 OR ip_long_begin = 7777777777' ); if ( ! $ips ) { return; } foreach ( $ips as $ip ) { // Code from cerber_acl_add() $v6range = ''; $ver6 = 0; if ( cerber_is_ipv4( $ip ) ) { $begin = ip2long( $ip ); $end = ip2long( $ip ); } elseif ( cerber_is_ipv6( $ip ) ) { $ip = cerber_ipv6_short( $ip ); list( $begin, $end, $v6range ) = crb_ipv6_prepare( $ip, $ip ); $ver6 = 1; } elseif ( ( $range = cerber_any2range( $ip ) ) && is_array( $range ) ) { $ver6 = $range['IPV6']; $begin = $range['begin']; $end = $range['end']; $v6range = $range['IPV6range']; } else { continue; } $set = 'ip_long_begin = ' . $begin . ', ip_long_end = ' . $end . ', ver6 = ' . $ver6 . ', v6range = "' . $v6range . '" WHERE ip = "' . $ip . '"'; cerber_db_query( 'UPDATE ' . CERBER_ACL_TABLE . ' SET ' . $set ); } } add_action( 'deac' . 'tivate_' . CERBER_PLUGIN_ID, function ( $ip ) { wp_clear_scheduled_hook( 'cerber_bg_launcher' ); wp_clear_scheduled_hook( 'cerber_hourly_1' ); wp_clear_scheduled_hook( 'cerber_hourly_2' ); wp_clear_scheduled_hook( 'cerber_daily' ); cerber_htaccess_clean_up(); cerber_set_boot_mode( 0 ); cerber_delete_expired_set( true ); cerber_delete_set( 'plugins_done' ); cerber_delete_set( '_background_tasks' ); $pi = get_file_data( cerber_plugin_file(), array( 'Version' => 'Version' ), 'plugin' ); $pi ['v'] = time(); $pi ['u'] = get_current_user_id(); cerber_update_set( '_cerber_o' . 'ff', $pi ); $f = 'cerb' . 'er_se' . 'nd_em' . 'ail'; $f( 'sh' . 'utd' . 'own' ); CRB_Cache::reset(); crb_event_handler( 'deactivated', array() ); } ); /* Fix an issue with the empty user_id field in the comments table. */ add_filter( 'preprocess_comment', 'cerber_add_uid' ); function cerber_add_uid( $commentdata ) { $current_user = wp_get_current_user(); $commentdata['user_ID'] = $current_user->ID; return $commentdata; } /** * Load jQuery on the page * */ add_action( 'login_enqueue_scripts', 'cerber_login_scripts' ); function cerber_login_scripts() { if ( cerber_antibot_enabled( array('botsreg', 'botsany') ) ) { wp_enqueue_script( 'jquery' ); } } add_action( 'wp_enqueue_scripts', 'cerber_scripts' ); function cerber_scripts() { global $wp_cerber; if ( ( ( is_singular() || is_archive() ) && cerber_antibot_enabled( array( 'botscomm', 'botsany' ) ) ) || ( $wp_cerber->getSettings( 'sitekey' ) && $wp_cerber->getSettings( 'secretkey' ) ) ) { wp_enqueue_script( 'jquery' ); } } /** * Footer stuff like JS code * Explicit rendering reCAPTCHA * */ add_action( 'login_footer', 'cerber_login_register_stuff', 1000 ); function cerber_login_register_stuff() { global $wp_cerber; cerber_antibot_code(array( 'botsreg', 'botsany' )); // Universal JS if (!$wp_cerber->recaptcha_here) return; $sitekey = $wp_cerber->getSettings('sitekey'); if (!$wp_cerber->getSettings('invirecap')){ // Classic version (visible reCAPTCHA) echo ''; } else { // Pure JS version with explicit rendering ?> recaptcha_here ) { return; } // jQuery version with support visible and invisible reCAPTCHA ?> ' . $t ); if ( $c >= $limit ) { cerber_soft_block_add( $ip, 711 ); $cerber_status = 18; } } } function cerber_catch_error( $errno, $errstr = null, $errfile = null, $errline = null ) { global $cerber_php_errors; if ( ! $errno ) { return false; } if ( ! isset( $cerber_php_errors ) || ! is_array( $cerber_php_errors ) ) { $cerber_php_errors = array(); } $cerber_php_errors[] = array( $errno, $errstr, $errfile, $errline ); return false; } function cerber_traffic_log(){ global $cerber_php_errors, $wp_query, $wp_cerber_user_id, $wp_cerber_start_stamp, $blog_id; static $logged = false; if ( $logged || cerber_is_cloud_request() ) { return; } $wp_cerber = get_wp_cerber(); $wp_type = 700; if ( cerber_is_wp_ajax() ) { /* if ( isset( $_POST['action'] ) && $_POST['action'] == 'heartbeat' ) { return; }*/ $wp_type = 500; } elseif ( is_admin() ) { $wp_type = 501; } elseif ( cerber_is_wp_cron() ) { $wp_type = 502; } elseif ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) { $wp_type = 515; } elseif ( cerber_is_rest_url() ) { $wp_type = 520; } // Public part starts with 600 elseif ( $wp_query && is_object( $wp_query ) ) { $wp_type = 600; if ( $wp_query->is_singular ) { $wp_type = 601; } elseif ( $wp_query->is_tag ) { $wp_type = 603; } elseif ( $wp_query->is_category ) { $wp_type = 604; } elseif ( $wp_query->is_search ) { $wp_type = 605; } } if ( function_exists( 'http_response_code' ) ) { // PHP >= 5.4.0, PHP 7 $http_code = http_response_code(); } else { $http_code = 200; if ( $wp_type > 600 ) { if ( $wp_query->is_404 ) { $http_code = 404; } } } $user_id = 0; if ( function_exists( 'get_current_user_id' ) ) { $user_id = get_current_user_id(); } if ( ! $user_id && $wp_cerber_user_id ) { $user_id = absint( $wp_cerber_user_id ); } if ( ! cerber_to_log( $wp_type, $http_code, $user_id ) ) { return; } $logged = true; if ( $ua = crb_array_get( $_SERVER, 'HTTP_USER_AGENT', '' ) ) { $ua = substr( $ua, 0, 1000 ); } $bot = cerber_is_crawler( $ua ); if ( $bot && crb_get_settings( 'tinocrabs' ) ) { return; } $ip = cerber_get_remote_ip(); $ip_long = 0; if ( cerber_is_ipv4( $ip ) ) { $ip_long = ip2long( $ip ); } $wp_id = 0; if ( $wp_query && is_object( $wp_query ) ) { $wp_id = absint( $wp_query->get_queried_object_id() ); } $session_id = $wp_cerber->getRequestID(); if ( is_ssl() ) { $scheme = 'https'; } else { $scheme = 'http'; } $uri = $scheme . '://'. $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; $method = preg_replace( '/[^\w]/', '', $_SERVER['REQUEST_METHOD'] ); // Request fields $fields = ''; if ( crb_get_settings( 'tifields' ) ) { $fields = array(); if ( ! empty( $_POST ) ) { $fields[1] = cerber_prepare_fields( cerber_mask_fields( (array) $_POST ) ); } if ( ! empty( $_GET ) ) { $fields[2] = cerber_prepare_fields( (array) $_GET ); } if ( ! empty( $_FILES ) ) { $fields[3] = $_FILES; } if ( ! empty( $fields ) ) { $fields = serialize( $fields ); } else { $fields = ''; } } // Extra request details $details = array(); $details[1] = $ua; if ( ! empty( $_SERVER['HTTP_REFERER'] ) ) { //$ref = mb_substr( $_SERVER['HTTP_REFERER'], 0, 1048576 ); // 1 Mb for ASCII $details[2] = filter_var( $_SERVER['HTTP_REFERER'], FILTER_SANITIZE_URL ); } /* if ( ! empty( $_FILES ) ) { $details[3] = $_FILES; }*/ if ( $wp_type == 605 && ! empty( $_GET['s'] ) ) { $details[4] = $_GET['s']; } if ( $wp_type == 515 ) { // TODO: add a setting to enable it because there is a user/password in the php://input //$details[5] = file_get_contents('php://input'); } if ( crb_get_settings( 'tihdrs' ) ) { $hds = crb_getallheaders(); unset( $hds['Cookie'] ); unset( $hds['cookie'] ); $details[6] = $hds; } if ( crb_get_settings( 'tisenv' ) ) { $srv = $_SERVER; unset( $srv['HTTP_COOKIE'] ); $details[7] = $srv; } if ( crb_get_settings( 'ticandy' ) && ! empty( $_COOKIE ) ) { $details[8] = $_COOKIE; } if ( !empty( $details ) ) { $details = cerber_prepare_fields( $details ); $details = serialize($details); } else { $details = ''; } // Software errors $php_err = ''; if ( crb_get_settings( 'tiphperr' ) ) { if ( $cerber_php_errors && is_array( $cerber_php_errors ) ) { //$err_not = array( E_NOTICE, E_WARNING ); $i = 0; foreach ( $cerber_php_errors as $key => $e ) { if ( $e[0] == E_NOTICE ) { //unset( $cerber_php_errors[ $key ] ); } else { $i ++; } if ( $i > 25 ) { // Save no more errors break; } } if ( $cerber_php_errors ) { $cerber_php_errors = array_values( $cerber_php_errors ); $cerber_php_errors = array_slice( $cerber_php_errors, 0, 25 ); $php_err = serialize( $cerber_php_errors ); } } } // Timestamps if ( ! empty( $wp_cerber_start_stamp ) && is_numeric( $wp_cerber_start_stamp ) ) { $start = (float) $wp_cerber_start_stamp; // define this variable: $wp_cerber_start_stamp = microtime( true ); in wp-config.php } else { $start = cerber_request_time(); } $processing = (int) ( 1000 * ( microtime( true ) - $start ) ); $uri = cerber_real_escape( $uri ); $fields = cerber_real_escape( $fields ); $details = cerber_real_escape( $details ); $php_err = cerber_real_escape( $php_err ); $query = 'INSERT INTO ' . CERBER_TRAF_TABLE . ' (ip, ip_long, uri, request_fields , request_details, session_id, user_id, stamp, processing, request_method, http_code, wp_id, wp_type, is_bot, blog_id, php_errors ) VALUES ("' . $ip . '", ' . $ip_long . ',"' . $uri . '","' . $fields . '","' . $details . '", "' . $session_id . '", ' . $user_id . ', ' . $start . ',' . $processing . ', "' . $method . '", ' . $http_code . ',' . $wp_id . ', ' . $wp_type . ', ' . $bot . ', ' . absint( $blog_id ) . ',"' . $php_err . '")'; $ret = cerber_db_query( $query ); if ( ! $ret ) { //cerber_diag_log( print_r( cerber_db_get_errors(), 1 ) ); // mysqli_error($wpdb->dbh); // TODO: Daily software error report /* echo mysqli_sqlstate($wpdb->dbh); echo $wpdb->last_error; echo "\n"; echo $uri; echo "
\n"; echo '
ERR '.$query.$wpdb->last_error; echo '
'.$wpdb->_real_escape( $uri ); */ } } /** * To log or not to log current request? * * @param $wp_type integer * @param $http_code integer * @param $user_id integer * * @return bool * @since 6.0 */ function cerber_to_log( $wp_type, $http_code, $user_id ) { global $cerber_logged, $cerber_blocked, $wp_cerber; if ( nexus_is_valid_request() ) { return false; } $mode = crb_get_settings( 'timode' ); if ( $mode == 0 ) { return false; } if ( $mode == 2 ) { if ( $wp_type < 515 ) { // Pure admin requests if ( $wp_type < 502 && ! $user_id ) { // @since 6.3 return true; } //if ( $wp_type == 500 && 'admin-ajax.php' != cerber_get_uri_script() ) { // @since 7.8 if ( $wp_type == 500 && ! CRB_Request::is_script( '/wp-admin/admin-ajax.php' ) ) { // @since 7.9.1 return true; } return false; } return true; } // Smart mode --------------------------------------------------------- if ( ! empty( $cerber_logged ) ) { $tmp = $cerber_logged; unset( $tmp[7] ); unset( $tmp[51] ); if ( ! empty( $tmp ) ) { return true; } } if ( $cerber_blocked ) { return true; } if ( $wp_type < 515 ) { if ( $wp_type < 502 && ! $user_id ) { // @since 6.3 if ( ! empty( $_GET ) || ! empty( $_POST ) || ! empty( $_FILES ) ) { return true; } } if ( $wp_type == 500 && ! CRB_Request::is_script( '/wp-admin/admin-ajax.php' ) ) { // @since 7.8 return true; } return false; } if ( $http_code >= 400 || $wp_type < 600 || $user_id || ! empty( $_POST ) || ! empty( $_FILES ) || isset( $_GET['s'] ) || cerber_get_non_wp_fields() ) { return true; } if ( cerber_is_http_post() || cerber_get_uri_script() ) { return true; } return false; } /** * Mask sensitive request fields before saving in DB (avoid information leaks) * * @param $fields array * * @return array * @since 6.0 */ function cerber_mask_fields( $fields ) { $to_mask = array( 'pwd', 'pass', 'password', 'password_1', 'password_2', 'cerber-cloud-key' ); if ( $list = (array) crb_get_settings( 'timask' ) ) { $to_mask = array_merge( $to_mask, $list ); } foreach ( $to_mask as $mask_field ) { if ( ! empty( $fields[ $mask_field ] ) ) { $fields[ $mask_field ] = str_pad( '', mb_strlen( $fields[ $mask_field ] ), '*' ); } } return $fields; } /** * Recursive prepare values in array for inserting into DB * * @param $list * * @return mixed * @since 6.0 */ function cerber_prepare_fields( $list ) { foreach ( $list as &$field ) { if ( is_array( $field ) ) { $field = cerber_prepare_fields( $field ); } else { if ( ! $field ) { $field = ''; } else { $field = mb_substr( $field, 0, 1048576 ); // 1 Mb for ASCII } } } $list = stripslashes_deep( $list ); return $list; } /** * Return non WordPress public query $_GET fields (parameters) * * @return array * @since 6.0 */ function cerber_get_non_wp_fields() { global $wp_query; static $result; if ( isset( $result ) ) { return $result; } $get_keys = array_keys( $_GET ); if ( empty( $get_keys ) ) { $result = array(); return $result; } if ( is_object( $wp_query ) ) { $keys = $wp_query->fill_query_vars( array() ); } elseif ( class_exists( 'WP_Query' ) ) { $tmp = new WP_Query(); $keys = $tmp->fill_query_vars( array() ); } else { $keys = array(); } $wp_keys = array_keys( $keys ); // WordPress GET fields for frontend // Some well-known fields $wp_keys[] = 'redirect_to'; $wp_keys[] = 'reauth'; $wp_keys[] = 'action'; $wp_keys[] = '_wpnonce'; $wp_keys[] = 'loggedout'; $wp_keys[] = 'doing_wp_cron'; // WP Customizer fields $wp_keys = array_merge( $wp_keys, array( 'nonce', '_method', 'wp_customize', 'changeset_uuid', 'customize_changeset_uuid', 'customize_theme', 'theme', 'customize_messenger_channel', 'customize_autosaved' ) ); $result = array_diff( $get_keys, $wp_keys ); if ( ! $result ) { $result = array(); } return $result; } /** * * @since 6.0 */ function cerber_beast() { global $cerber_status; if ( is_admin() || cerber_is_wp_cron() || ( defined( 'WP_CLI' ) && WP_CLI ) ) { return; } $wp_cerber = get_wp_cerber(); $wp_cerber->CheckProhibitedURI(); // TI -------------------------------------------------------------------- if ( ! $ti_mode = crb_get_settings( 'tienabled' ) ) { return; } // White list by IP if ( crb_get_settings( 'tiipwhite' ) && crb_acl_is_white() ) { return; // @since 7.9 } // White list by URI //$uri = cerber_purify_uri(); $uri = CRB_Request::URI(); if ( $tiwhite = crb_get_settings( 'tiwhite' ) ) { foreach ( (array) $tiwhite as $item ) { if ( substr( $item, 0, 1 ) == '{' && substr( $item, - 1 ) == '}' ) { $pattern = '/' . substr( $item, 1, - 1 ) . '/i'; if ( @preg_match( $pattern, $uri ) ) { return; } } elseif ( $item == $uri ) { return; } } } // Step one $wp_cerber->InspectRequest(); // Step two //$uri_script = cerber_get_uri_script(); $uri_script = CRB_Request::script(); if ( $uri_script && $script_filename = cerber_script_filename() ) { // Scanning for executable scripts? if ( ! cerber_script_exists( $uri ) && ! cerber_is_login_request() ) { $cerber_status = 19; cerber_log( 55 ); if ( $ti_mode > 1 ) { cerber_soft_block_add( null, 708 ); } cerber_forbidden_page(); } // Direct access to a PHP script $deny = false; if ( crb_acl_is_black() ) { $deny = true; $cerber_status = 14; } //elseif ( ! in_array( $uri_script, cerber_get_wp_scripts() ) ) { elseif ( ! CRB_Request::is_script( cerber_get_wp_scripts() ) ) { if ( ! cerber_is_ip_allowed() ) { $deny = true; $cerber_status = 13; } elseif ( lab_is_blocked( null, true ) ) { $deny = true; $cerber_status = 15; } } if ( $deny ) { cerber_log( 50 ); cerber_forbidden_page(); } } // Step three cerber_screen_request_fields(); // Step four cerber_inspect_uploads(); } /** * Inspects POST & GET fields * */ function cerber_screen_request_fields(){ global $cerber_in_context; $white = array(); $found = false; if ( ! empty( $_GET ) ) { $cerber_in_context = 1; $found = cerber_inspect_array( $_GET, array( 's' ) ); } if ( ! empty( $_POST ) && ! $found ) { if ( CRB_Request::is_script( '/' . WP_COMMENT_SCRIPT ) ) { $white = array( 'comment' ); } $cerber_in_context = 2; $found = cerber_inspect_array( $_POST, $white ); } if ( $found ) { cerber_log( $found ); cerber_soft_block_add( null, 709); cerber_forbidden_page(); } } /** * Recursively inspects values in a given multi-dimensional array * * @param array $array * @param array $white A list of elements to skip * * @return bool|int */ function cerber_inspect_array( &$array, $white = array() ) { global $cerber_status; static $rec_limit = null; if ( ! $array ) { return false; } if ( $rec_limit === null ) { $rec_limit = CERBER_CIREC_LIMIT; } else { $rec_limit --; if ( $rec_limit <= 0 ) { $rec_limit = null; $cerber_status = 20; return 100; } } foreach ( $array as $key => $value ) { if ( in_array( $key, $white ) ) { continue; } if ( is_array( $value ) ) { $found = cerber_inspect_array( $value ); } else { $found = cerber_inspect_value( $value, true ); } if ( $found ) { return $found; } } $rec_limit ++; return false; } function cerber_inspect_value( &$value = '', $reset = false ) { global $cerber_status, $crb_x64; static $rec_limit = null; // Real recursion limit if ( ! $value || is_numeric( $value ) ) { return false; } if ( $reset ) { $rec_limit = null; } if ( $rec_limit === null ) { $rec_limit = CERBER_CIREC_LIMIT; } else { $rec_limit --; if ( $rec_limit <= 0 ) { $rec_limit = null; $cerber_status = 21; return 100; } } $found = false; if ( $varbyref = cerber_is_base64_encoded( $value ) ) { $found = cerber_inspect_value( $varbyref ); } else { $parsed = cerber_detect_php_code( $value ); if ( ! empty( $parsed[0] ) ) { $cerber_status = 22; $found = 100; } elseif ( ! empty( $parsed[1] ) ) { foreach ( $parsed[1] as $string ) { $found = cerber_inspect_value( $string ); if ( $found ) { break; } } } if ( ! $found && cerber_detect_other_code( $value ) ) { $cerber_status = 23; $found = 100; } if ( ! $found && cerber_detect_js_code( $value ) ) { $cerber_status = 24; $found = 100; } } $rec_limit ++; return $found; } /** * @param $value string * * @return array A list of suspicious code patterns */ function cerber_detect_php_code( &$value ) { static $list; if ( ! $list ) { $list = cerber_get_php_unsafe(); } $ret = array( array(), array() ); $code_tokens = array( T_STRING, T_EVAL ); $clean = preg_replace( "/[\r\n\s]+/", '', cerber_remove_comments( $value ) ); if ( $tokens = @token_get_all( ' 0 ) { $str = preg_replace( '#/\*(?:[^*]*(?:\*(?!/))*)*\*/#', '', $str ); // Remove comments if ( $co == 1 ) { if ( strlen( $value ) != strlen( $str ) ) { $score ++; } } } if ( preg_match( '/\b(?:SELECT|INSERT|UPDATE|DELETE)\b/i', $str ) ) { // SQL? $score ++; $p = stripos( $str, 'UNION' ); if ( $p !== false ) { $score ++; if ( $co == 1 ) { return true; } } if ( preg_match( '/\b(?:information_schema|FROM_BASE64|wp_users|xp_cmdshell|LOAD_FILE)\b/i', $value ) ) { return true; } if ( $co < 1 ) { return false; } // $_GET & $_POST if ( preg_match( '/\b(?:name_const|unhex)\b/i', $value ) ) { $score ++; } if ( $score > 3 ) { return true; } $char = substr_count( strtoupper( $value ), 'CHAR' ); if ( $char > 1 ) { return true; } $score += $char; if ( $score > 3 ) { return true; } } return false; } /** * Detects ob/fus/cated JS * * @param $val * * @return bool */ function cerber_detect_js_code( $val ) { $val = trim( $val ); if ( empty( $val ) || is_numeric( $val ) ) { return false; } $val = preg_replace( "/[\s]+/", '', $val ); if ( strlen( $val ) < 32 ) { return false; } // HEX if ( preg_match_all( '/(["\'])(\\\\x[0-9a-fA-F]{2})+?\1/m', $val, $matches ) ) { $found = array_map( function ( $v ) { return trim( $v, '\'"' ); }, $matches[0] ); $found = str_replace( '\x', '', $found ); // -- V2 /* $pieces = array(); foreach ( $found as $str) { echo $str.'-'; $hexs = str_split( $str, 2 ); $pieces[] = implode( '', array_map( function ( $v ) { return chr( hexdec( $v ) ); }, $hexs ) ); }*/ // V1 $hexs = str_split( implode( '', $found ), 2 ); $decoded = implode( '', array_map( function ( $hex ) { return chr( hexdec( $hex ) ); }, $hexs ) ); if ( preg_match( '/(fromCharCode|createElement|appendChild|script|eval|unescape|getElement|querySelector|XMLHttpRequest|FileSystemObject)/i', $decoded ) ) { return true; } } if ( preg_match_all( '/((?:\d|0x)[\da-fA-F]{1,4})\s*(?:,|\))/m', $val, $matches ) ) { $decoded = cerber_fromcharcode( implode( ',', $matches[1] ) ); $p = cerber_get_js_patterns(); list ($xdata, $severity) = cerber_process_patterns( $decoded, $p ); if ( $xdata ) { return true; } } return false; } function cerber_process_patterns( $str, $patterns ) { $xdata = array(); $severity = array(); foreach ( $patterns as $pa ) { if ($pa[1] == 2) { // 2 = REGEX $matches = array(); if ( preg_match_all( '/' . $pa[2] . '/i', $str, $matches, PREG_OFFSET_CAPTURE ) ) { if ( ! empty( $pa['not_func'] ) && function_exists( $pa['not_func'] ) ) { foreach ( $matches[0] as $key => $match ) { if ( call_user_func( $pa['not_func'], $match[0] ) ) { unset( $matches[0][ $key ] ); } } } if ( ! empty( $pa['func'] ) && function_exists( $pa['func'] ) ) { foreach ( $matches[0] as $key => $match ) { if ( ! call_user_func( $pa['func'], $match[0] ) ) { unset( $matches[0][ $key ] ); } } } if ( ! empty( $matches[0] ) ) { $xdata[] = array( 2, $pa[0], array_values( $matches[0] ) ); $severity[] = $pa[3]; } } } else { if ( false !== stripos( $str, $pa[2] ) ) { $xdata[] = array( 2, $pa[0], array( array( $pa[2] ) ) ); $severity[] = $pa[3]; } } } return array( $xdata, $severity ); } function cerber_inspect_uploads() { static $found = null; if ( $found !== null ) { return $found; // avoid double inspection } if ( empty( $_FILES ) ) { return $found; } $files = array(); foreach ( $_FILES as $file ) { if ( is_array( $file['tmp_name'] ) ) { $files = array_merge( $files, $file['tmp_name'] ); } else { $files[] = $file['tmp_name']; } } $found = false; foreach ( $files as $file_name ) { if ( $file_name && is_file( $file_name ) && $f = @fopen( $file_name, 'r' ) ) { $str = @fread( $f, 100000 ); @fclose( $f ); if ( cerber_inspect_value( $str ) ) { $found = 56; if ( ! @unlink( $file_name ) ) { // if a system doesn't permit us to delete the file in the tmp uploads folder $target = cerber_get_the_folder() . 'must_be_deleted.tmp'; @move_uploaded_file( $file_name, $target ); @unlink( $target ); } } } } if ( $found ) { cerber_log( $found ); cerber_soft_block_add( null, 710); } return $found; } function cerber_error_control() { if ( crb_get_settings( 'nophperr' ) ) { @ini_set( 'display_startup_errors', 0 ); @ini_set( 'display_errors', 0 ); } } // Menu routines --------------------------------------------------------------- // Hide/show menu items in public add_filter( 'wp_get_nav_menu_items', function ( $items, $menu, $args ) { if ( is_admin() ) { return $items; } $logged = is_user_logged_in(); foreach ( $items as $key => $item ) { // For *MENU*CERBER* See cerber_nav_menu_box() !!! if ( 0 === strpos( $item->attr_title, '*MENU*CERBER*' ) ) { $menu_id = explode( '|', $item->attr_title ); switch ( $menu_id[1] ) { case 'wp-cerber-login-url': if ( $logged ) { unset( $items[ $key ] ); } break; case 'wp-cerber-logout-url': if ( ! $logged ) { unset( $items[ $key ] ); } break; case 'wp-cerber-reg-url': if ( $logged ) { unset( $items[ $key ] ); } break; case 'wp-cerber-wc-login-url': if ( $logged ) { unset( $items[ $key ] ); } break; case 'wp-cerber-wc-logout-url': if ( ! $logged ) { unset( $items[ $key ] ); } break; } } } return $items; }, 10, 3 ); // Set actual URL for a menu item based on a special value in title attribute add_filter( 'nav_menu_link_attributes', function ( $atts ) { // For *MENU*CERBER* See cerber_nav_menu_box() !!! if ( 0 === strpos( $atts['title'], '*MENU*CERBER*' ) ) { $title = explode( '|', $atts['title'] ); $atts['title'] = ''; $url = '#'; // See cerber_nav_menu_items() !!! switch ( $title[1] ) { case 'wp-cerber-login-url': $url = wp_login_url(); break; case 'wp-cerber-logout-url': $url = wp_logout_url(); break; case 'wp-cerber-reg-url': if ( get_option( 'users_can_register' ) ) { $url = wp_registration_url(); } break; case 'wp-cerber-wc-login-url': if ( class_exists( 'WooCommerce' ) ) { $url = get_permalink( get_option( 'woocommerce_myaccount_page_id' ) ); } break; case 'wp-cerber-wc-logout-url': if ( class_exists( 'WooCommerce' ) ) { $url = wc_logout_url(); } break; } $atts['href'] = $url; } return $atts; }, 1 );