Skip to content

Instantly share code, notes, and snippets.

@Pross
Last active September 5, 2024 01:36
Show Gist options
  • Save Pross/5461836 to your computer and use it in GitHub Desktop.
Save Pross/5461836 to your computer and use it in GitHub Desktop.
DenyHosts for wordpress
<?php
/*
Plugin Name: DenyHosts
Plugin URI: http://pross.org.uk
Description: Block bad login attempts.
Version: 1.0
Author: Pross
*/
class DenyHosts {
var $block_init = 1; // set to 1 to check bans on init action too.
function __construct() {
if( $this->block_init && '/wp-login.php' == $_SERVER['REQUEST_URI'] )
add_action( 'init', array( &$this, 'check_bans' ) );
add_action( 'login_head', array( &$this, 'check_bans' ) );
add_action('wp_login_failed', array( &$this, 'failed_attempt' ) );
}
function check_bans() {
$data = get_option( 'denyhosts_bans', array() );
$ip = $_SERVER['REMOTE_ADDR'];
if( $data[ $ip ] )
$this->block();
}
function failed_attempt() {
$data = get_option( 'denyhosts_temp', array() );
$ip = $_SERVER['REMOTE_ADDR'];
if( $data[ $ip ] > 3 )
$this->add_ban( $ip );
if( isset( $data[ $ip ] ) )
$data[ $ip ]++;
else
$data[ $ip ] = 1;
update_option( 'denyhosts_temp', $data );
}
function add_ban( $ip ) {
$data = get_option( 'denyhosts_bans', array() );
$data[ $ip ] = 1;
update_option( 'denyhosts_bans', $data );
$temps = get_option( 'denyhosts_temp' );
unset( $temps[ $ip ] );
update_option( 'denyhosts_temp', $temps );
wp_mail( get_option( 'admin_email' ), 'IP BLOCKED', sprintf( 'IP: %s has just been blocked on %s. Total IPs blocked: %s', $ip, get_option( 'blogname' ), count( $data ) ) );
$this->block();
}
function block() {
if( $this->block_init ) {
header("Status: 403 Forbidden");
die( '<h1>Access Denied.</h1>');
}
?>
<style type="text/css">html{background:#f9f9f9;}body{background:#fff;color:#333;font-family:sans-serif;-webkit-border-radius:3px;border-radius:3px;border:1px solid #dfdfdf;max-width:700px;height:auto;margin:2em auto;padding:1em 2em;}h1{border-bottom:1px solid #dadada;clear:both;color:#666;font:24px Georgia, "Times New Roman", Times, serif;margin:30px 0 0;padding:0 0 7px;}#error-page{margin-top:50px;}#error-page p{font-size:14px;line-height:1.5;margin:25px 0 20px;}#error-page code{font-family:Consolas, Monaco, monospace;}</style></head>
<body id='error-page'>
<?php printf( '<h1>Access Denied!</h1><p>Your IP <strong>%s</strong> has been blocked and logged.</p></body></html>', $_SERVER['REMOTE_ADDR'] );
exit();
}
}
new DenyHosts;
@nodesocket
Copy link

In the function block(), maybe you should return a proper status code as well, instead of returning 200.

header("Status: 403 Forbidden");

@Pross
Copy link
Author

Pross commented Apr 26, 2013

Yea i thought of that, but if its on the login page, headers are already sent.

@Pross
Copy link
Author

Pross commented Apr 26, 2013

Actually yea, updated with a 403 if its set to block on 'init'

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment