WordPress login lock - tries to prevent automated brute-force attacks. Place the login-lock.php file in /wp-content/mu-plugins/ and append the .htaccess snippet to the .htaccess file in your site root. Note that if WordPress is installed in a sub-directory, you have to change the RewriteBase on line 8.
# Add this code to the .htaccess in your root WordPress directory
# If your wordpress files are in a sub-directory, just change the RewriteBase
# to something like:
# RewriteBase /wordpress/
# If your wordpress files are in a sub-directory called "wordpress"
#
# Scope: both rule sets below only act on requests whose REQUEST_URI contains
# "wp-login.php" and that map to an existing file (-f). Nothing else on the
# site is gated by these rules.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Redirect to home page upon log-out
# ("?loggedout=true" is the query string WordPress sends the browser back to
# wp-login.php with after a logout, so the user lands on the home page instead
# of the locked login form.)
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_URI} wp-login\.php
RewriteCond %{QUERY_STRING} ^loggedout=true$
RewriteRule . /index.php [R=301,L]
# Disallow access when not using the correct URL
# The text after "__nonce=" must be identical to LL_NONCE_KEY=LL_NONCE_VALUE in
# login-lock.php; change the placeholder in both places before use. The
# condition is an unanchored regular expression, so any query string that
# merely contains "__nonce=<value>" passes, and a value containing regex
# metacharacters would have to be escaped here. The secret travels in the
# query string, so it is recorded wherever request URLs are (access logs,
# Referer headers, browser history).
# The F flag answers 403 Forbidden and ignores the /index.php target; the PHP
# side of the lock (login-lock.php) answers 503 instead.
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_URI} wp-login\.php
RewriteCond %{QUERY_STRING} !__nonce=your-super-duper-unique-and-long-phrase-here
RewriteRule . /index.php [F,L]
</IfModule>
<?php
/*
Plugin Name: Login Lock
Description: Tries to prevent automated bruteforce attacks on your WordPress site. Put this file in your "wp-content/mu-plugins/" directory. Then change the value for "LL_NONCE_KEY" and "LL_NONCE_VALUE" to something else. Then go to your wp-login page - for instance http://mydomain.com/wp-login.php?LL_NONCE_KEY=LL_NONCE_VALUE - but of course don't forget to replace "LL_NONCE_KEY" and "LL_NONCE_VALUE" with the actual values that you've set.
*/
// Query-string key and secret value that every request to wp-login.php must carry.
// The accompanying .htaccess rule repeats them verbatim
// ("__nonce=your-super-duper-unique-and-long-phrase-here"), so change both places
// together and pick a long, random value.
// The pair is appended to login/logout URLs below, i.e. it travels in plain query
// strings and ends up wherever those URLs are recorded (server access logs, Referer
// headers, browser history). Treat it as a shared secret that limits exposure of the
// login form, not as a replacement for strong passwords.
define( 'LL_NONCE_KEY', '__nonce' );
define( 'LL_NONCE_VALUE', 'your-super-duper-unique-and-long-phrase-here' );
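/**
 * Checks whether the script handling the current request is wp-login.php.
 *
 * This runs while mu-plugins are being loaded, so it relies on $_SERVER rather
 * than on WordPress globals such as $pagenow, which may not be set yet at that
 * point. The executing script's base name is compared case-insensitively with
 * "wp-login.php"; the name appearing elsewhere in the path (e.g. a
 * "wp-login.php.bak" file or a directory of that name) does not count.
 *
 * @return bool True when the current script is wp-login.php, false otherwise
 *              (including when SCRIPT_FILENAME is absent, e.g. on the CLI).
 */
function ll_is_login_page() {
	// Guard the superglobal lookup: SCRIPT_FILENAME is not guaranteed to exist.
	$script = isset( $_SERVER['SCRIPT_FILENAME'] ) ? $_SERVER['SCRIPT_FILENAME'] : '';
	return strcasecmp( basename( $script ), 'wp-login.php' ) === 0;
}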
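if ( ll_is_login_page() ) {
	/**
	 * Tells whether the current request carries the login-lock secret.
	 *
	 * Shared by the early gate below and by the footer script, so both apply the
	 * same rule. The $_GET value must be a string (a "?__nonce[]=x" request would
	 * otherwise hand an array to the comparison) and is compared with
	 * hash_equals(), which is strict (no loose "!=" coercion) and timing-safe.
	 * WordPress polyfills hash_equals() on PHP versions that lack it.
	 *
	 * @return bool True when $_GET[ LL_NONCE_KEY ] equals LL_NONCE_VALUE.
	 */
	function ll_request_has_valid_nonce() {
		if ( ! isset( $_GET[ LL_NONCE_KEY ] ) || ! is_string( $_GET[ LL_NONCE_KEY ] ) ) {
			return false;
		}
		return hash_equals( LL_NONCE_VALUE, $_GET[ LL_NONCE_KEY ] );
	}

	// The footer script below relies on jQuery, which the login page does not load by itself.
	function ll_enqueue_login_jquery() {
		wp_enqueue_script( 'jquery' );
	}
	add_action( 'login_enqueue_scripts', 'll_enqueue_login_jquery', 10 );

	// Gate the login page as early as possible: this runs while mu-plugins load,
	// before wp-login.php handles any form submission. Only wp-login.php is covered;
	// other authentication entry points of the site are not touched by this file.
	if ( ! ll_request_has_valid_nonce() ) {
		wp_die(
			'Unauthorized access! There is an ongoing bruteforce attack at the moment, so log-in has been disabled. Besides you probably should not be here any way. Do you want to <a href="' . home_url( '/' ) . '">go home?</a>',
			'Unauthorized access!',
			// 'back_link' is a boolean flag for wp_die(). The 503 status is kept as in the
			// original (the .htaccess rule answers 403); it matches the "log-in has been
			// disabled" wording.
			array( 'response' => 503, 'back_link' => true )
		);
	}

	/**
	 * Prints a small script that appends the secret to the form "action" and to
	 * every link pointing at wp-login.php, so that navigating within the login
	 * page does not hit the "Unauthorized access!" gate.
	 *
	 * Only printed when the secret is already present in the request, so the
	 * value is never disclosed to a request that did not have it.
	 */
	function login_lock_login_footer() {
		if ( ! ll_request_has_valid_nonce() ) {
			return;
		}
		?>
		<script type="text/javascript">
		(function($){
			// "key=value" exactly as it must appear in the query string; esc_js()
			// makes it safe inside this single-quoted JS literal.
			var args = '<?php echo esc_js( LL_NONCE_KEY . "=" . LL_NONCE_VALUE ); ?>';

			function has_query_args( url ) {
				return url.indexOf( args ) !== -1;
			}

			// Appends the secret to wp-login.php URLs only, never twice, and returns
			// non-string input (elements without href/action) unchanged instead of
			// throwing on .indexOf() and aborting the whole loop.
			function add_query_args( url ) {
				if ( typeof url !== 'string' || has_query_args( url ) || url.indexOf( 'wp-login.php' ) === -1 ) {
					return url;
				}
				return url + ( url.indexOf( '?' ) !== -1 ? '&' : '?' ) + args;
			}

			$(document).ready(function(){
				$('form').each(function(){
					var action = $(this).attr('action');
					if ( typeof action === 'string' ) {
						$(this).attr( 'action', add_query_args( action ) );
					}
				});
				$('body a').each(function(){
					var href = $(this).attr('href');
					if ( typeof href === 'string' ) {
						$(this).attr( 'href', add_query_args( href ) );
					}
				});
			});
		})(jQuery);
		</script>
		<?php
	}
	add_action( 'login_footer', 'login_lock_login_footer', 10 );
}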
/**
 * Appends the login-lock secret to a login or registration URL.
 *
 * Hooked to the "login_url" and "register_url" filters so that every URL
 * WordPress generates for wp-login.php already carries LL_NONCE_KEY=LL_NONCE_VALUE
 * and passes the gate.
 *
 * @param string $login_url URL as built by WordPress.
 * @return string The same URL with the secret added to its query string.
 */
function ll_login_url( $login_url ) {
	$locked_url = add_query_arg( LL_NONCE_KEY, LL_NONCE_VALUE, $login_url );

	return $locked_url;
}
add_filter( 'login_url', 'll_login_url', 10 );
add_filter( 'register_url', 'll_login_url', 10 );
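/**
 * Appends the login-lock secret to the logout URL.
 *
 * Delegates to ll_login_url(), which does exactly the same thing for login and
 * registration URLs, so the three filters cannot drift apart.
 *
 * @param string $logout_url Logout URL as built by WordPress.
 * @return string The same URL with LL_NONCE_KEY=LL_NONCE_VALUE added to its query string.
 */
function ll_logout_url( $logout_url ) {
	return ll_login_url( $logout_url );
}
add_filter( 'logout_url', 'll_logout_url', 10 );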