Changeset 3049221

Timestamp:

03/11/2024 03:26:35 PM (21 months ago)

Author:

wfryan

Message:

1.1.10 - March 11, 2024

• Change: Removed the extra site link from the CAPTCHA verification email message to avoid confusion with the verify link
• Change: CAPTCHA verification when enabled now additionally applies to 2FA logins (may send an email verification on low scores) and no longer reveals whether a user exists for the submitted account credentials (credit: Raxis)

Location:

wordfence-login-security

Files:

• tags/1.1.10 (copied) (copied from wordfence-login-security/trunk)
• tags/1.1.10/classes/controller/captcha.php (modified) (1 diff)
• tags/1.1.10/classes/controller/settings.php (modified) (1 diff)
• tags/1.1.10/classes/controller/users.php (modified) (1 diff)
• tags/1.1.10/classes/controller/wordfencels.php (modified) (3 diffs)
• tags/1.1.10/classes/model/tokenbucket.php (modified) (2 diffs)
• tags/1.1.10/classes/utility/sleep.php (added)
• tags/1.1.10/css/admin-global.1707926306.css (deleted)
• tags/1.1.10/css/admin-global.1710170444.css (added)
• tags/1.1.10/css/admin.1707926306.css (deleted)
• tags/1.1.10/css/admin.1710170444.css (added)
• tags/1.1.10/css/colorbox.1707926306.css (deleted)
• tags/1.1.10/css/colorbox.1710170444.css (added)
• tags/1.1.10/css/embedded.1707926306.css (deleted)
• tags/1.1.10/css/embedded.1710170444.css (added)
• tags/1.1.10/css/font-awesome.1707926306.css (deleted)
• tags/1.1.10/css/font-awesome.1710170444.css (added)
• tags/1.1.10/css/ionicons.1707926306.css (deleted)
• tags/1.1.10/css/ionicons.1710170444.css (added)
• tags/1.1.10/css/jquery-ui.min.1707926306.css (deleted)
• tags/1.1.10/css/jquery-ui.min.1710170444.css (added)
• tags/1.1.10/css/jquery-ui.structure.min.1707926306.css (deleted)
• tags/1.1.10/css/jquery-ui.structure.min.1710170444.css (added)
• tags/1.1.10/css/jquery-ui.theme.min.1707926306.css (deleted)
• tags/1.1.10/css/jquery-ui.theme.min.1710170444.css (added)
• tags/1.1.10/css/login.1707926306.css (deleted)
• tags/1.1.10/css/login.1710170444.css (added)
• tags/1.1.10/css/wfselect2.min.1707926306.css (deleted)
• tags/1.1.10/css/wfselect2.min.1710170444.css (added)
• tags/1.1.10/css/woocommerce-account.1707926306.css (deleted)
• tags/1.1.10/css/woocommerce-account.1710170444.css (added)
• tags/1.1.10/js/admin-global.1707926306.js (deleted)
• tags/1.1.10/js/admin-global.1710170444.js (added)
• tags/1.1.10/js/admin.1707926306.js (deleted)
• tags/1.1.10/js/admin.1710170444.js (added)
• tags/1.1.10/js/chart.umd.1707926306.js (deleted)
• tags/1.1.10/js/chart.umd.1710170444.js (added)
• tags/1.1.10/js/jquery.colorbox.1707926306.js (deleted)
• tags/1.1.10/js/jquery.colorbox.1710170444.js (added)
• tags/1.1.10/js/jquery.colorbox.min.1707926306.js (deleted)
• tags/1.1.10/js/jquery.colorbox.min.1710170444.js (added)
• tags/1.1.10/js/jquery.qrcode.min.1707926306.js (deleted)
• tags/1.1.10/js/jquery.qrcode.min.1710170444.js (added)
• tags/1.1.10/js/jquery.tmpl.min.1707926306.js (deleted)
• tags/1.1.10/js/jquery.tmpl.min.1710170444.js (added)
• tags/1.1.10/js/login.1707926306.js (deleted)
• tags/1.1.10/js/login.1710170444.js (added)
• tags/1.1.10/js/wfselect2.min.1707926306.js (deleted)
• tags/1.1.10/js/wfselect2.min.1710170444.js (added)
• tags/1.1.10/languages/wordfence-login-security.pot (modified) (10 diffs)
• tags/1.1.10/readme.txt (modified) (2 diffs)
• tags/1.1.10/views/email/login-verification.php (modified) (2 diffs)
• tags/1.1.10/views/options/option-captcha-threshold.php (modified) (2 diffs)
• tags/1.1.10/wordfence-login-security.php (modified) (2 diffs)
• trunk/classes/controller/captcha.php (modified) (1 diff)
• trunk/classes/controller/settings.php (modified) (1 diff)
• trunk/classes/controller/users.php (modified) (1 diff)
• trunk/classes/controller/wordfencels.php (modified) (3 diffs)
• trunk/classes/model/tokenbucket.php (modified) (2 diffs)
• trunk/classes/utility/sleep.php (added)
• trunk/css/admin-global.1707926306.css (deleted)
• trunk/css/admin-global.1710170444.css (added)
• trunk/css/admin.1707926306.css (deleted)
• trunk/css/admin.1710170444.css (added)
• trunk/css/colorbox.1707926306.css (deleted)
• trunk/css/colorbox.1710170444.css (added)
• trunk/css/embedded.1707926306.css (deleted)
• trunk/css/embedded.1710170444.css (added)
• trunk/css/font-awesome.1707926306.css (deleted)
• trunk/css/font-awesome.1710170444.css (added)
• trunk/css/ionicons.1707926306.css (deleted)
• trunk/css/ionicons.1710170444.css (added)
• trunk/css/jquery-ui.min.1707926306.css (deleted)
• trunk/css/jquery-ui.min.1710170444.css (added)
• trunk/css/jquery-ui.structure.min.1707926306.css (deleted)
• trunk/css/jquery-ui.structure.min.1710170444.css (added)
• trunk/css/jquery-ui.theme.min.1707926306.css (deleted)
• trunk/css/jquery-ui.theme.min.1710170444.css (added)
• trunk/css/login.1707926306.css (deleted)
• trunk/css/login.1710170444.css (added)
• trunk/css/wfselect2.min.1707926306.css (deleted)
• trunk/css/wfselect2.min.1710170444.css (added)
• trunk/css/woocommerce-account.1707926306.css (deleted)
• trunk/css/woocommerce-account.1710170444.css (added)
• trunk/js/admin-global.1707926306.js (deleted)
• trunk/js/admin-global.1710170444.js (added)
• trunk/js/admin.1707926306.js (deleted)
• trunk/js/admin.1710170444.js (added)
• trunk/js/chart.umd.1707926306.js (deleted)
• trunk/js/chart.umd.1710170444.js (added)
• trunk/js/jquery.colorbox.1707926306.js (deleted)
• trunk/js/jquery.colorbox.1710170444.js (added)
• trunk/js/jquery.colorbox.min.1707926306.js (deleted)
• trunk/js/jquery.colorbox.min.1710170444.js (added)
• trunk/js/jquery.qrcode.min.1707926306.js (deleted)
• trunk/js/jquery.qrcode.min.1710170444.js (added)
• trunk/js/jquery.tmpl.min.1707926306.js (deleted)
• trunk/js/jquery.tmpl.min.1710170444.js (added)
• trunk/js/login.1707926306.js (deleted)
• trunk/js/login.1710170444.js (added)
• trunk/js/wfselect2.min.1707926306.js (deleted)
• trunk/js/wfselect2.min.1710170444.js (added)
• trunk/languages/wordfence-login-security.pot (modified) (10 diffs)
• trunk/readme.txt (modified) (1 diff)
• trunk/views/email/login-verification.php (modified) (2 diffs)
• trunk/views/options/option-captcha-threshold.php (modified) (2 diffs)
• trunk/wordfence-login-security.php (modified) (2 diffs)

wordfence-login-security/tags/1.1.10/classes/controller/captcha.php

@@ -57 +57 @@
      */
     public function threshold() {
-        return Controller_Settings::shared()->get_float(Controller_Settings::OPTION_RECAPTCHA_THRESHOLD, 0.5);
+        return max(0.1, Controller_Settings::shared()->get_float(Controller_Settings::OPTION_RECAPTCHA_THRESHOLD, 0.5));
     }
 

wordfence-login-security/tags/1.1.10/classes/controller/settings.php

@@ -218 +218 @@
                 return is_numeric($value) && $value > 0;
             case self::OPTION_RECAPTCHA_THRESHOLD:
-                return is_numeric($value) && $value >= 0 && $value <= 1;
+                return is_numeric($value) && $value > 0 && $value <= 1;
             case self::OPTION_RECAPTCHA_SITE_KEY:
                 if (empty($value)) {

wordfence-login-security/tags/1.1.10/classes/controller/users.php

@@ -318 +318 @@
     public function record_captcha_score($user, $score) {
         if (!Controller_CAPTCHA::shared()->enabled()) { return; }
-        if ($this->has_2fa_active($user)) { return; } //2FA activated users do not retrieve a score
         
         if ($user) { update_user_meta($user->ID, 'wfls-last-captcha-score', $score); }

wordfence-login-security/tags/1.1.10/classes/controller/wordfencels.php

@@ -559 +559 @@
 
         $isLogin = !(defined('WORDFENCE_LS_AUTHENTICATION_CHECK') && WORDFENCE_LS_AUTHENTICATION_CHECK); //Checking for the purpose of prompting for 2FA, don't enforce it here
+        $isCombinedCheck = (defined('WORDFENCE_LS_CHECKING_COMBINED') && WORDFENCE_LS_CHECKING_COMBINED);
         $combinedTwoFactor = false;
 
@@ -610 +611 @@
          * 3. A filter does not override it. This is to allow plugins with REST endpoints that handle authentication
          *    themselves to opt out of the requirement.
-         * 4. The user does not have 2FA enabled. 2FA exempts the user from requiring email verification if the score is 
-         *    below the threshold.
+         * 4. The user is not providing a combined credentials + 2FA authentication login request.
          * 5. The request is not a WooCommerce login while WC integration is disabled
          */
-        if ($isLogin && !empty($username) && (!$this->_is_woocommerce_login() || Controller_Settings::shared()->get_bool(Controller_Settings::OPTION_ENABLE_WOOCOMMERCE_INTEGRATION))) { //Login attempt, not just a wp-login.php page load
+        if (!$combinedTwoFactor && !$isCombinedCheck && !empty($username) && (!$this->_is_woocommerce_login() || Controller_Settings::shared()->get_bool(Controller_Settings::OPTION_ENABLE_WOOCOMMERCE_INTEGRATION))) { //Login attempt, not just a wp-login.php page load
 
             $requireCAPTCHA = Controller_CAPTCHA::shared()->is_captcha_required();
+            $performVerification = false;
             
-            $performVerification = false;
             $token = Controller_CAPTCHA::shared()->get_token();
             if ($requireCAPTCHA && empty($token) && !Controller_CAPTCHA::shared()->test_mode()) { //No CAPTCHA token means forced additional verification (if neither 2FA nor test mode are active)
@@ -624 +624 @@
             }
             
+            if (is_object($user) && $user instanceof \WP_User && $this->validate_email_verification_token($user)) { //Skip the CAPTCHA check if the email address was verified
+                $requireCAPTCHA = false;
+                $performVerification = false;
+                
+                //Reset token rate limit
+                $identifier = sprintf('wfls-captcha-%d', $user->ID);
+                $tokenBucket = new Model_TokenBucket('rate:' . $identifier, 3, 1 / (WORDFENCE_LS_EMAIL_VALIDITY_DURATION_MINUTES * Model_TokenBucket::MINUTE)); //Maximum of three requests, refilling at a rate of one per token expiration period
+                $tokenBucket->reset();
+            }
+            
+            $score = false;
             if ($requireCAPTCHA && !$performVerification) {
                 $score = Controller_CAPTCHA::shared()->score($token);
-                if ($score === false && !Controller_CAPTCHA::shared()->test_mode()) { //An invalid token will require additional verification (if neither 2FA nor test mode are active)
+                if ($score === false && !Controller_CAPTCHA::shared()->test_mode()) { //An invalid token will require additional verification (if test mode is not active)
                     $performVerification = true;
                 }
-            }
-
-            if (!isset($score)) { $score = false; }
+                else if (is_object($user) && $user instanceof \WP_User) {
+                    Controller_Users::shared()->record_captcha_score($user, $score);
+                }
+            }
             
-            if (is_object($user) && $user instanceof \WP_User) {
-                if (Controller_Users::shared()->has_2fa_active($user)) { //CAPTCHA enforcement skipped for users with 2FA active
-                    $requireCAPTCHA = false;
-                    $performVerification = false;
-                }
-                
-                Controller_Users::shared()->record_captcha_score($user, $score);
-
-                //Skip the CAPTCHA check if the email address was verified
-                if ($this->validate_email_verification_token($user)) {
-                    $requireCAPTCHA = false;
-                    $performVerification = false;
-                }
-                
-                if ($requireCAPTCHA && ($performVerification || !Controller_CAPTCHA::shared()->is_human($score))) {
-                    if ($this->has_woocommerce() && array_key_exists('woocommerce-login-nonce', $_POST)) {
-                        $loginUrl = get_permalink(get_option('woocommerce_myaccount_page_id'));
+            if ($requireCAPTCHA) {
+                if ($performVerification || !Controller_CAPTCHA::shared()->is_human($score)) {
+                    if (is_object($user) && $user instanceof \WP_User) {
+                        $identifier = sprintf('wfls-captcha-%d', $user->ID);
+                        $tokenBucket = new Model_TokenBucket('rate:' . $identifier, 3, 1 / (WORDFENCE_LS_EMAIL_VALIDITY_DURATION_MINUTES * Model_TokenBucket::MINUTE)); //Maximum of three requests, refilling at a rate of one per token expiration period
+                        if ($tokenBucket->consume(1)) {
+                            if ($this->has_woocommerce() && array_key_exists('woocommerce-login-nonce', $_POST)) {
+                                $loginUrl = get_permalink(get_option('woocommerce_myaccount_page_id'));
+                            }
+                            else {
+                                $loginUrl = wp_login_url();
+                            }
+                            $verificationUrl = add_query_arg(
+                                array(
+                                    'wfls-email-verification' => rawurlencode(Controller_Users::shared()->generate_verification_token($user))
+                                ),
+                                $loginUrl
+                            );
+                            $view = new Model_View('email/login-verification', array(
+                                'siteName' => get_bloginfo('name', 'raw'),
+                                'verificationURL' => $verificationUrl,
+                                'ip' => Model_Request::current()->ip(),
+                                'canEnable2FA' => Controller_Users::shared()->can_activate_2fa($user),
+                            ));
+                            wp_mail($user->user_email, __('Login Verification Required', 'wordfence-login-security'), $view->render(), "Content-Type: text/html");
+                        }
                     }
-                    else {
-                        $loginUrl = wp_login_url();
-                    }
-                    $verificationUrl = add_query_arg(
-                        array(
-                            'wfls-email-verification' => rawurlencode(Controller_Users::shared()->generate_verification_token($user))
-                        ),
-                        $loginUrl
-                    );
-                    $view = new Model_View('email/login-verification', array(
-                        'siteName' => get_bloginfo('name', 'raw'),
-                        'siteURL' => rtrim(site_url(), '/') . '/',
-                        'verificationURL' => $verificationUrl,
-                        'ip' => Model_Request::current()->ip(),
-                        'canEnable2FA' => Controller_Users::shared()->can_activate_2fa($user),
-                    ));
-                    wp_mail($user->user_email, __('Login Verification Required', 'wordfence-login-security'), $view->render(), "Content-Type: text/html");
-
-                    return new \WP_Error('wfls_captcha_verify', wp_kses(__('<strong>VERIFICATION REQUIRED</strong>: Additional verification is required for login. Please check the email address associated with the account for a verification link.', 'wordfence-login-security'), array('strong'=>array())));
-                }
-
+
+                    Utility_Sleep::sleep(Model_Crypto::random_int(0, 2000) / 1000);
+                    return new \WP_Error('wfls_captcha_verify', wp_kses(__('<strong>VERIFICATION REQUIRED</strong>: Additional verification is required for login. If there is a valid account for the provided login credentials, please check the email address associated with it for a verification link to continue logging in.', 'wordfence-login-security'), array('strong' => array())));
+                }
             }
         }
 
         if (!$combinedTwoFactor) {
-
             if ($isLogin && $user instanceof \WP_User) {
                 if (Controller_Users::shared()->has_2fa_active($user)) {

wordfence-login-security/tags/1.1.10/classes/model/tokenbucket.php

@@ -140 +140 @@
         }
         else {
+            $this->_unlock();
             return false;
         }
@@ -171 +172 @@
     }
     
+    public function reset() {
+        if (!$this->_lock()) { return false; }
+        
+        if ($this->_backing == self::BACKING_WP_OPTIONS) {
+            delete_transient('wflsbucket:' . $this->_identifier);
+        }
+        else if ($this->_backing == self::BACKING_REDIS) {
+            $this->_redis->del('bucket:' . $this->_identifier);
+        }
+        
+        $this->_unlock();
+    }
+    
     /**
      * Creates an initial record with the given number of tokens.

wordfence-login-security/tags/1.1.10/languages/wordfence-login-security.pot

@@ -3 +3 @@
 msgid ""
 msgstr ""
-"Project-Id-Version: Wordfence Login Security 1.1.9\n"
-"Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/wordfence-login-security-zip-zYfqhi7Al\n"
+"Project-Id-Version: Wordfence Login Security 1.1.10\n"
+"Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/wordfence-login-security-zip-Cjy0sfiYR\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <[email protected]>\n"
@@ -10 +10 @@
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"POT-Creation-Date: 2024-02-14T15:58:26+00:00\n"
+"POT-Creation-Date: 2024-03-11T15:20:44+00:00\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.7.1\n"
@@ -26 +26 @@
 
 #. Author URI of the plugin
-msgid "http://www.wordfence.com/"
+msgid "https://www.wordfence.com/"
 msgstr ""
 
@@ -265 +265 @@
 msgstr ""
 
-#: classes/controller/users.php:518
+#: classes/controller/users.php:517
 #: classes/controller/wordfencels.php:486
 msgid "2FA Status"
 msgstr ""
 
-#: classes/controller/users.php:522
+#: classes/controller/users.php:521
 msgid "Last Login"
 msgstr ""
 
-#: classes/controller/users.php:524
+#: classes/controller/users.php:523
 msgid "Last CAPTCHA"
 msgstr ""
 
-#: classes/controller/users.php:534
+#: classes/controller/users.php:533
 msgid "Not Allowed"
 msgstr ""
 
-#: classes/controller/users.php:539
+#: classes/controller/users.php:538
 #: classes/controller/wordfencels.php:490
 msgid "Active"
 msgstr ""
 
-#: classes/controller/users.php:542
+#: classes/controller/users.php:541
 msgid "Inactive<small class=\"wfls-sub-status\">(Grace Period)</small>"
 msgstr ""
 
-#: classes/controller/users.php:545
+#: classes/controller/users.php:544
 msgid "Locked Out<small class=\"wfls-sub-status\">(Grace Period Disabled)</small>"
 msgstr ""
 
-#: classes/controller/users.php:545
+#: classes/controller/users.php:544
 msgid "Locked Out<small class=\"wfls-sub-status\">(Grace Period Exceeded)</small>"
 msgstr ""
 
-#: classes/controller/users.php:548
+#: classes/controller/users.php:547
 #: classes/controller/wordfencels.php:490
 msgid "Inactive"
 msgstr ""
 
-#: classes/controller/users.php:561
+#: classes/controller/users.php:560
 msgid "(not required)"
 msgstr ""
 
-#: classes/controller/users.php:655
+#: classes/controller/users.php:654
 msgid "Edit two-factor authentication for %s"
 msgstr ""
 
-#: classes/controller/users.php:655
+#: classes/controller/users.php:654
 #: views/settings/options.php:9
 msgid "2FA"
 msgstr ""
 
-#: classes/controller/users.php:666
+#: classes/controller/users.php:665
 #: views/settings/user-stats.php:25
 msgid "2FA Active"
 msgstr ""
 
-#: classes/controller/users.php:667
+#: classes/controller/users.php:666
 #: views/settings/user-stats.php:26
 msgid "2FA Inactive"
@@ -442 +442 @@
 
 #: classes/controller/wordfencels.php:490
-#: classes/controller/wordfencels.php:852
+#: classes/controller/wordfencels.php:855
 #: views/manage/grace-period.php:22
 msgid "Locked Out"
@@ -500 +500 @@
 msgstr ""
 
-#: classes/controller/wordfencels.php:669
+#: classes/controller/wordfencels.php:671
 msgid "Login Verification Required"
 msgstr ""
 
-#: classes/controller/wordfencels.php:671
-msgid "<strong>VERIFICATION REQUIRED</strong>: Additional verification is required for login. Please check the email address associated with the account for a verification link."
-msgstr ""
-
-#: classes/controller/wordfencels.php:689
+#: classes/controller/wordfencels.php:676
+msgid "<strong>VERIFICATION REQUIRED</strong>: Additional verification is required for login. If there is a valid account for the provided login credentials, please check the email address associated with it for a verification link to continue logging in."
+msgstr ""
+
+#: classes/controller/wordfencels.php:692
 msgid "<strong>CODE INVALID</strong>: The 2FA code provided is either expired or invalid. Please try again."
 msgstr ""
 
-#: classes/controller/wordfencels.php:698
+#: classes/controller/wordfencels.php:701
 msgid "<strong>CODE REQUIRED</strong>: Please enter your 2FA code immediately after your password in the same field."
 msgstr ""
 
-#: classes/controller/wordfencels.php:700
+#: classes/controller/wordfencels.php:703
 msgid "<strong>CODE REQUIRED</strong>: Please provide your 2FA code when prompted."
 msgstr ""
 
-#: classes/controller/wordfencels.php:703
+#: classes/controller/wordfencels.php:706
 msgid "<strong>LOGIN BLOCKED</strong>: 2FA is required to be active on your account. Please contact the site administrator."
 msgstr ""
 
-#: classes/controller/wordfencels.php:706
+#: classes/controller/wordfencels.php:709
 msgid "You do not currently have two-factor authentication active on your account, which will be required beginning %s. <a href=\"%s\">Configure 2FA</a>"
 msgstr ""
 
-#: classes/controller/wordfencels.php:756
+#: classes/controller/wordfencels.php:759
 msgid "Email verification succeeded. Please continue logging in."
 msgstr ""
 
-#: classes/controller/wordfencels.php:759
+#: classes/controller/wordfencels.php:762
 msgid "Email verification invalid or expired. Please try again."
 msgstr ""
 
-#: classes/controller/wordfencels.php:813
 #: classes/controller/wordfencels.php:816
+#: classes/controller/wordfencels.php:819
 msgid "Login Security"
 msgstr ""
 
-#: classes/controller/wordfencels.php:844
+#: classes/controller/wordfencels.php:847
 #: views/settings/options.php:23
 #: views/settings/user-stats.php:33
@@ -547 +547 @@
 msgstr ""
 
-#: classes/controller/wordfencels.php:848
+#: classes/controller/wordfencels.php:851
 #: views/manage/grace-period.php:22
 #: views/options/option-roles.php:57
@@ -553 +553 @@
 msgstr ""
 
-#: classes/controller/wordfencels.php:867
+#: classes/controller/wordfencels.php:870
 msgid "Users without 2FA active (%s)"
 msgstr ""
 
-#: classes/controller/wordfencels.php:885
-#: classes/controller/wordfencels.php:886
+#: classes/controller/wordfencels.php:888
+#: classes/controller/wordfencels.php:889
 msgid "Two-Factor Authentication"
 msgstr ""
 
-#: classes/controller/wordfencels.php:886
+#: classes/controller/wordfencels.php:889
 msgid "Learn more<span class=\"wfls-hidden-xs\"> about Two-Factor Authentication</span>"
 msgstr ""
 
-#: classes/controller/wordfencels.php:895
+#: classes/controller/wordfencels.php:898
 msgid "Settings"
 msgstr ""
 
-#: classes/controller/wordfencels.php:896
+#: classes/controller/wordfencels.php:899
 msgid "Login Security Settings"
 msgstr ""
 
-#: classes/controller/wordfencels.php:896
+#: classes/controller/wordfencels.php:899
 msgid "Learn more<span class=\"wfls-hidden-xs\"> about Login Security</span>"
 msgstr ""
 
-#: classes/controller/wordfencels.php:922
+#: classes/controller/wordfencels.php:925
 msgid "<strong>REGISTRATION ATTEMPT BLOCKED</strong>: This site requires a security token created when the page loads for all registration attempts. Please ensure JavaScript is enabled and try again."
 msgstr ""
 
-#: classes/controller/wordfencels.php:929
+#: classes/controller/wordfencels.php:932
 msgid "<strong>REGISTRATION ATTEMPT BLOCKED</strong>: The security token for the login attempt was invalid or expired. Please reload the page and try again."
 msgstr ""
 
-#: classes/controller/wordfencels.php:942
+#: classes/controller/wordfencels.php:945
 msgid "<strong>REGISTRATION BLOCKED</strong>: The registration request was blocked because it was flagged as spam. Please try again or <a href=\"#\" class=\"wfls-registration-captcha-contact\" data-token=\"%s\">contact the site owner</a> for help."
 msgstr ""
 
-#: classes/controller/wordfencels.php:945
+#: classes/controller/wordfencels.php:948
 msgid "<strong>REGISTRATION BLOCKED</strong>: The registration request was blocked because it was flagged as spam. Please try again or contact the site owner for help."
 msgstr ""
 
-#: classes/controller/wordfencels.php:1015
+#: classes/controller/wordfencels.php:1018
 msgid "Wordfence 2FA"
 msgstr ""
@@ -647 +647 @@
 msgstr ""
 
-#: views/email/login-verification.php:11
-msgid "Please verify a login attempt for your account on <a href=\"%s\"><strong>%s</strong></a>."
+#: views/email/login-verification.php:10
+msgid "Please verify a login attempt for your account on: %s"
+msgstr ""
+
+#: views/email/login-verification.php:12
+msgid "Request Time:"
 msgstr ""
 
 #: views/email/login-verification.php:13
-msgid "Request Time:"
-msgstr ""
-
-#: views/email/login-verification.php:14
 msgid "IP:"
 msgstr ""
 
-#: views/email/login-verification.php:16
+#: views/email/login-verification.php:15
 msgid "The request was flagged as suspicious, and we need verification that you attempted to log in to allow it to proceed. This verification link <b>will be valid for 15 minutes</b> from the time it was sent. If you did not attempt this login, please change your password immediately."
 msgstr ""
 
-#: views/email/login-verification.php:19
-msgid "You may bypass this verification step permanently by enabling two-factor authentication on your account."
-msgstr ""
-
-#: views/email/login-verification.php:22
-msgid "<a href=\"%s\"><b>Verify and Log In</b></a>"
+#: views/email/login-verification.php:17
+msgid "If you were attempting to log in to this site, <a href=\"%s\"><strong>Verify and Log In</strong></a>"
 msgstr ""
 
@@ -872 +868 @@
 
 #: views/options/option-captcha-threshold.php:16
-msgid "0.1"
-msgstr ""
-
-#: views/options/option-captcha-threshold.php:17
-msgid "0.0 (definitely a bot)"
+msgid "0.1 (probably a bot)"
+msgstr ""
+
+#: views/options/option-captcha-threshold.php:27
+msgid "reCAPTCHA human/bot threshold score"
 msgstr ""
 
 #: views/options/option-captcha-threshold.php:28
-msgid "reCAPTCHA human/bot threshold score"
-msgstr ""
-
-#: views/options/option-captcha-threshold.php:29
 msgid "A reCAPTCHA score equal to or higher than this value will be considered human. Anything lower will be treated as a bot and require additional verification for login and registration."
 msgstr ""
 
-#: views/options/option-captcha-threshold.php:51
+#: views/options/option-captcha-threshold.php:50
 msgid "Reset Score Statistics"
 msgstr ""
 
-#: views/options/option-captcha-threshold.php:88
+#: views/options/option-captcha-threshold.php:87
 msgid "Requests"
 msgstr ""
 
-#: views/options/option-captcha-threshold.php:106
+#: views/options/option-captcha-threshold.php:105
 msgid "reCAPTCHA Score History"
 msgstr ""
 
-#: views/options/option-captcha-threshold.php:113
+#: views/options/option-captcha-threshold.php:112
 msgid "Count"
 msgstr ""

wordfence-login-security/tags/1.1.10/readme.txt

@@ -5 +5 @@
 Requires PHP: 5.5
 Tested up to: 6.4
-Stable tag: 1.1.9
+Stable tag: 1.1.10
 
 Secure your website with Wordfence Login Security, providing two-factor authentication, login and registration CAPTCHA, and XML-RPC protection.
@@ -58 +58 @@
 
 == Changelog ==
+
+= 1.1.10 - March 11, 2024 =
+* Change: Removed the extra site link from the CAPTCHA verification email message to avoid confusion with the verify link
+* Change: CAPTCHA verification when enabled now additionally applies to 2FA logins (may send an email verification on low scores) and no longer reveals whether a user exists for the submitted account credentials (credit: Raxis)
 
 = 1.1.9 - February 14, 2024 =

wordfence-login-security/tags/1.1.10/views/email/login-verification.php

@@ -4 +4 @@
  * @var string $ip The requesting IP. Required.
  * @var string $siteName The site name. Required.
- * @var string $siteURL The site URL. Required.
  * @var string $verificationURL The verification URL. Required.
  * @var bool $canEnable2FA Whether or not the user this is being sent to can enable 2FA. Optional
  */
 ?>
-<strong><?php echo wp_kses(sprintf(__('Please verify a login attempt for your account on <a href="%s"><strong>%s</strong></a>.', 'wordfence-login-security'), esc_url($siteURL), $siteName), array('a'=>array('href'=>array()), 'strong'=>array())); ?></strong>
+<strong><?php echo wp_kses(sprintf(__('Please verify a login attempt for your account on: %s', 'wordfence-login-security'), $siteName), array('strong'=>array())); ?></strong>
 <br><br>
 <?php echo '<strong>' . esc_html__('Request Time:', 'wordfence-login-security') . '</strong> ' . esc_html(\WordfenceLS\Controller_Time::format_local_time('F j, Y h:i:s A')); ?><br>
@@ -16 +15 @@
 <?php echo wp_kses(__('The request was flagged as suspicious, and we need verification that you attempted to log in to allow it to proceed. This verification link <b>will be valid for 15 minutes</b> from the time it was sent. If you did not attempt this login, please change your password immediately.', 'wordfence-login-security'), array('b'=>array())); ?>
 <br><br>
-<?php if (isset($canEnable2FA) && $canEnable2FA): ?>
-<?php esc_html_e('You may bypass this verification step permanently by enabling two-factor authentication on your account.', 'wordfence-login-security'); ?>
-<br><br>
-<?php endif; ?>
-<?php echo wp_kses(sprintf(__('<a href="%s"><b>Verify and Log In</b></a>', 'wordfence-login-security'), esc_url($verificationURL)), array('a'=>array('href'=>array()), 'b'=>array())); ?>
+<?php echo wp_kses(sprintf(__('If you were attempting to log in to this site, <a href="%s"><strong>Verify and Log In</strong></a>', 'wordfence-login-security'), esc_url($verificationURL)), array('a' => array('href' => array()), 'strong' => array())); ?>

wordfence-login-security/tags/1.1.10/views/options/option-captcha-threshold.php

@@ -5 +5 @@
 $currentValue = \WordfenceLS\Controller_Settings::shared()->get_float($optionName, 0.5);
 $selectOptions = array(
-    array('label' => __('1.0 (definitely a human)', 'wordfence-login-security'), 'value' => 1.0),
-    array('label' => __('0.9', 'wordfence-login-security'), 'value' => 0.9),
-    array('label' => __('0.8', 'wordfence-login-security'), 'value' => 0.8),
-    array('label' => __('0.7', 'wordfence-login-security'), 'value' => 0.7),
-    array('label' => __('0.6', 'wordfence-login-security'), 'value' => 0.6),
-    array('label' => __('0.5 (probably a human)', 'wordfence-login-security'), 'value' => 0.5),
-    array('label' => __('0.4', 'wordfence-login-security'), 'value' => 0.4),
-    array('label' => __('0.3', 'wordfence-login-security'), 'value' => 0.3),
-    array('label' => __('0.2', 'wordfence-login-security'), 'value' => 0.2),
-    array('label' => __('0.1', 'wordfence-login-security'), 'value' => 0.1),
-    array('label' => __('0.0 (definitely a bot)', 'wordfence-login-security'), 'value' => 0.0),
+    array('label' => __('1.0 (definitely a human)', 'wordfence-login-security'), 'value' => 1.0, 'selected' => ((int) ($currentValue * 10)) == 10),
+    array('label' => __('0.9', 'wordfence-login-security'), 'value' => 0.9, 'selected' => ((int) ($currentValue * 10)) == 9),
+    array('label' => __('0.8', 'wordfence-login-security'), 'value' => 0.8, 'selected' => ((int) ($currentValue * 10)) == 8),
+    array('label' => __('0.7', 'wordfence-login-security'), 'value' => 0.7, 'selected' => ((int) ($currentValue * 10)) == 7),
+    array('label' => __('0.6', 'wordfence-login-security'), 'value' => 0.6, 'selected' => ((int) ($currentValue * 10)) == 6),
+    array('label' => __('0.5 (probably a human)', 'wordfence-login-security'), 'value' => 0.5, 'selected' => ((int) ($currentValue * 10)) == 5),
+    array('label' => __('0.4', 'wordfence-login-security'), 'value' => 0.4, 'selected' => ((int) ($currentValue * 10)) == 4),
+    array('label' => __('0.3', 'wordfence-login-security'), 'value' => 0.3, 'selected' => ((int) ($currentValue * 10)) == 3),
+    array('label' => __('0.2', 'wordfence-login-security'), 'value' => 0.2, 'selected' => ((int) ($currentValue * 10)) == 2),
+    array('label' => __('0.1 (probably a bot)', 'wordfence-login-security'), 'value' => 0.1, 'selected' => ((int) ($currentValue * 10)) <= 1),
 );
 ?>
@@ -33 +32 @@
                         <select aria-labelledby="wfls-option-recaptcha-threshold-label">
                             <?php foreach ($selectOptions as $o): ?>
-                                <option class="wfls-option-select-option" value="<?php echo esc_attr($o['value']); ?>"<?php if (((int) ($o['value'] * 10)) == ((int) ($currentValue * 10))) { echo ' selected'; } ?>><?php echo esc_html($o['label']); ?></option>
+                                <option class="wfls-option-select-option" value="<?php echo esc_attr($o['value']); ?>"<?php if ($o['selected']) { echo ' selected'; } ?>><?php echo esc_html($o['label']); ?></option>
                             <?php endforeach; ?>
                         </select>

wordfence-login-security/tags/1.1.10/wordfence-login-security.php

@@ -4 +4 @@
 Description: Wordfence Login Security
 Author: Wordfence
-Author URI: http://www.wordfence.com/
-Version: 1.1.9
+Author URI: https://www.wordfence.com/
+Version: 1.1.10
 Network: true
 Requires at least: 4.5
@@ -39 +39 @@
     define('WORDFENCE_LS_FROM_CORE', ($wfCoreActive && isset($wfCoreLoading) && $wfCoreLoading));
     
-    define('WORDFENCE_LS_VERSION', '1.1.9');
-    define('WORDFENCE_LS_BUILD_NUMBER', '1707926306');
+    define('WORDFENCE_LS_VERSION', '1.1.10');
+    define('WORDFENCE_LS_BUILD_NUMBER', '1710170444');
 
     define('WORDFENCE_LS_PLUGIN_BASENAME', plugin_basename(__FILE__));

wordfence-login-security/trunk/classes/controller/captcha.php

@@ -57 +57 @@
      */
     public function threshold() {
-        return Controller_Settings::shared()->get_float(Controller_Settings::OPTION_RECAPTCHA_THRESHOLD, 0.5);
+        return max(0.1, Controller_Settings::shared()->get_float(Controller_Settings::OPTION_RECAPTCHA_THRESHOLD, 0.5));
     }
 

wordfence-login-security/trunk/classes/controller/settings.php

@@ -218 +218 @@
                 return is_numeric($value) && $value > 0;
             case self::OPTION_RECAPTCHA_THRESHOLD:
-                return is_numeric($value) && $value >= 0 && $value <= 1;
+                return is_numeric($value) && $value > 0 && $value <= 1;
             case self::OPTION_RECAPTCHA_SITE_KEY:
                 if (empty($value)) {

wordfence-login-security/trunk/classes/controller/users.php

@@ -318 +318 @@
     public function record_captcha_score($user, $score) {
         if (!Controller_CAPTCHA::shared()->enabled()) { return; }
-        if ($this->has_2fa_active($user)) { return; } //2FA activated users do not retrieve a score
         
         if ($user) { update_user_meta($user->ID, 'wfls-last-captcha-score', $score); }

wordfence-login-security/trunk/classes/controller/wordfencels.php

@@ -559 +559 @@
 
         $isLogin = !(defined('WORDFENCE_LS_AUTHENTICATION_CHECK') && WORDFENCE_LS_AUTHENTICATION_CHECK); //Checking for the purpose of prompting for 2FA, don't enforce it here
+        $isCombinedCheck = (defined('WORDFENCE_LS_CHECKING_COMBINED') && WORDFENCE_LS_CHECKING_COMBINED);
         $combinedTwoFactor = false;
 
@@ -610 +611 @@
          * 3. A filter does not override it. This is to allow plugins with REST endpoints that handle authentication
          *    themselves to opt out of the requirement.
-         * 4. The user does not have 2FA enabled. 2FA exempts the user from requiring email verification if the score is 
-         *    below the threshold.
+         * 4. The user is not providing a combined credentials + 2FA authentication login request.
          * 5. The request is not a WooCommerce login while WC integration is disabled
          */
-        if ($isLogin && !empty($username) && (!$this->_is_woocommerce_login() || Controller_Settings::shared()->get_bool(Controller_Settings::OPTION_ENABLE_WOOCOMMERCE_INTEGRATION))) { //Login attempt, not just a wp-login.php page load
+        if (!$combinedTwoFactor && !$isCombinedCheck && !empty($username) && (!$this->_is_woocommerce_login() || Controller_Settings::shared()->get_bool(Controller_Settings::OPTION_ENABLE_WOOCOMMERCE_INTEGRATION))) { //Login attempt, not just a wp-login.php page load
 
             $requireCAPTCHA = Controller_CAPTCHA::shared()->is_captcha_required();
+            $performVerification = false;
             
-            $performVerification = false;
             $token = Controller_CAPTCHA::shared()->get_token();
             if ($requireCAPTCHA && empty($token) && !Controller_CAPTCHA::shared()->test_mode()) { //No CAPTCHA token means forced additional verification (if neither 2FA nor test mode are active)
@@ -624 +624 @@
             }
             
+            if (is_object($user) && $user instanceof \WP_User && $this->validate_email_verification_token($user)) { //Skip the CAPTCHA check if the email address was verified
+                $requireCAPTCHA = false;
+                $performVerification = false;
+                
+                //Reset token rate limit
+                $identifier = sprintf('wfls-captcha-%d', $user->ID);
+                $tokenBucket = new Model_TokenBucket('rate:' . $identifier, 3, 1 / (WORDFENCE_LS_EMAIL_VALIDITY_DURATION_MINUTES * Model_TokenBucket::MINUTE)); //Maximum of three requests, refilling at a rate of one per token expiration period
+                $tokenBucket->reset();
+            }
+            
+            $score = false;
             if ($requireCAPTCHA && !$performVerification) {
                 $score = Controller_CAPTCHA::shared()->score($token);
-                if ($score === false && !Controller_CAPTCHA::shared()->test_mode()) { //An invalid token will require additional verification (if neither 2FA nor test mode are active)
+                if ($score === false && !Controller_CAPTCHA::shared()->test_mode()) { //An invalid token will require additional verification (if test mode is not active)
                     $performVerification = true;
                 }
-            }
-
-            if (!isset($score)) { $score = false; }
+                else if (is_object($user) && $user instanceof \WP_User) {
+                    Controller_Users::shared()->record_captcha_score($user, $score);
+                }
+            }
             
-            if (is_object($user) && $user instanceof \WP_User) {
-                if (Controller_Users::shared()->has_2fa_active($user)) { //CAPTCHA enforcement skipped for users with 2FA active
-                    $requireCAPTCHA = false;
-                    $performVerification = false;
-                }
-                
-                Controller_Users::shared()->record_captcha_score($user, $score);
-
-                //Skip the CAPTCHA check if the email address was verified
-                if ($this->validate_email_verification_token($user)) {
-                    $requireCAPTCHA = false;
-                    $performVerification = false;
-                }
-                
-                if ($requireCAPTCHA && ($performVerification || !Controller_CAPTCHA::shared()->is_human($score))) {
-                    if ($this->has_woocommerce() && array_key_exists('woocommerce-login-nonce', $_POST)) {
-                        $loginUrl = get_permalink(get_option('woocommerce_myaccount_page_id'));
+            if ($requireCAPTCHA) {
+                if ($performVerification || !Controller_CAPTCHA::shared()->is_human($score)) {
+                    if (is_object($user) && $user instanceof \WP_User) {
+                        $identifier = sprintf('wfls-captcha-%d', $user->ID);
+                        $tokenBucket = new Model_TokenBucket('rate:' . $identifier, 3, 1 / (WORDFENCE_LS_EMAIL_VALIDITY_DURATION_MINUTES * Model_TokenBucket::MINUTE)); //Maximum of three requests, refilling at a rate of one per token expiration period
+                        if ($tokenBucket->consume(1)) {
+                            if ($this->has_woocommerce() && array_key_exists('woocommerce-login-nonce', $_POST)) {
+                                $loginUrl = get_permalink(get_option('woocommerce_myaccount_page_id'));
+                            }
+                            else {
+                                $loginUrl = wp_login_url();
+                            }
+                            $verificationUrl = add_query_arg(
+                                array(
+                                    'wfls-email-verification' => rawurlencode(Controller_Users::shared()->generate_verification_token($user))
+                                ),
+                                $loginUrl
+                            );
+                            $view = new Model_View('email/login-verification', array(
+                                'siteName' => get_bloginfo('name', 'raw'),
+                                'verificationURL' => $verificationUrl,
+                                'ip' => Model_Request::current()->ip(),
+                                'canEnable2FA' => Controller_Users::shared()->can_activate_2fa($user),
+                            ));
+                            wp_mail($user->user_email, __('Login Verification Required', 'wordfence-login-security'), $view->render(), "Content-Type: text/html");
+                        }
                     }
-                    else {
-                        $loginUrl = wp_login_url();
-                    }
-                    $verificationUrl = add_query_arg(
-                        array(
-                            'wfls-email-verification' => rawurlencode(Controller_Users::shared()->generate_verification_token($user))
-                        ),
-                        $loginUrl
-                    );
-                    $view = new Model_View('email/login-verification', array(
-                        'siteName' => get_bloginfo('name', 'raw'),
-                        'siteURL' => rtrim(site_url(), '/') . '/',
-                        'verificationURL' => $verificationUrl,
-                        'ip' => Model_Request::current()->ip(),
-                        'canEnable2FA' => Controller_Users::shared()->can_activate_2fa($user),
-                    ));
-                    wp_mail($user->user_email, __('Login Verification Required', 'wordfence-login-security'), $view->render(), "Content-Type: text/html");
-
-                    return new \WP_Error('wfls_captcha_verify', wp_kses(__('<strong>VERIFICATION REQUIRED</strong>: Additional verification is required for login. Please check the email address associated with the account for a verification link.', 'wordfence-login-security'), array('strong'=>array())));
-                }
-
+
+                    Utility_Sleep::sleep(Model_Crypto::random_int(0, 2000) / 1000);
+                    return new \WP_Error('wfls_captcha_verify', wp_kses(__('<strong>VERIFICATION REQUIRED</strong>: Additional verification is required for login. If there is a valid account for the provided login credentials, please check the email address associated with it for a verification link to continue logging in.', 'wordfence-login-security'), array('strong' => array())));
+                }
             }
         }
 
         if (!$combinedTwoFactor) {
-
             if ($isLogin && $user instanceof \WP_User) {
                 if (Controller_Users::shared()->has_2fa_active($user)) {

wordfence-login-security/trunk/classes/model/tokenbucket.php

@@ -140 +140 @@
         }
         else {
+            $this->_unlock();
             return false;
         }
@@ -171 +172 @@
     }
     
+    public function reset() {
+        if (!$this->_lock()) { return false; }
+        
+        if ($this->_backing == self::BACKING_WP_OPTIONS) {
+            delete_transient('wflsbucket:' . $this->_identifier);
+        }
+        else if ($this->_backing == self::BACKING_REDIS) {
+            $this->_redis->del('bucket:' . $this->_identifier);
+        }
+        
+        $this->_unlock();
+    }
+    
     /**
      * Creates an initial record with the given number of tokens.

wordfence-login-security/trunk/languages/wordfence-login-security.pot

@@ -3 +3 @@
 msgid ""
 msgstr ""
-"Project-Id-Version: Wordfence Login Security 1.1.9\n"
-"Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/wordfence-login-security-zip-zYfqhi7Al\n"
+"Project-Id-Version: Wordfence Login Security 1.1.10\n"
+"Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/wordfence-login-security-zip-Cjy0sfiYR\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <[email protected]>\n"
@@ -10 +10 @@
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"POT-Creation-Date: 2024-02-14T15:58:26+00:00\n"
+"POT-Creation-Date: 2024-03-11T15:20:44+00:00\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.7.1\n"
@@ -26 +26 @@
 
 #. Author URI of the plugin
-msgid "http://www.wordfence.com/"
+msgid "https://www.wordfence.com/"
 msgstr ""
 
@@ -265 +265 @@
 msgstr ""
 
-#: classes/controller/users.php:518
+#: classes/controller/users.php:517
 #: classes/controller/wordfencels.php:486
 msgid "2FA Status"
 msgstr ""
 
-#: classes/controller/users.php:522
+#: classes/controller/users.php:521
 msgid "Last Login"
 msgstr ""
 
-#: classes/controller/users.php:524
+#: classes/controller/users.php:523
 msgid "Last CAPTCHA"
 msgstr ""
 
-#: classes/controller/users.php:534
+#: classes/controller/users.php:533
 msgid "Not Allowed"
 msgstr ""
 
-#: classes/controller/users.php:539
+#: classes/controller/users.php:538
 #: classes/controller/wordfencels.php:490
 msgid "Active"
 msgstr ""
 
-#: classes/controller/users.php:542
+#: classes/controller/users.php:541
 msgid "Inactive<small class=\"wfls-sub-status\">(Grace Period)</small>"
 msgstr ""
 
-#: classes/controller/users.php:545
+#: classes/controller/users.php:544
 msgid "Locked Out<small class=\"wfls-sub-status\">(Grace Period Disabled)</small>"
 msgstr ""
 
-#: classes/controller/users.php:545
+#: classes/controller/users.php:544
 msgid "Locked Out<small class=\"wfls-sub-status\">(Grace Period Exceeded)</small>"
 msgstr ""
 
-#: classes/controller/users.php:548
+#: classes/controller/users.php:547
 #: classes/controller/wordfencels.php:490
 msgid "Inactive"
 msgstr ""
 
-#: classes/controller/users.php:561
+#: classes/controller/users.php:560
 msgid "(not required)"
 msgstr ""
 
-#: classes/controller/users.php:655
+#: classes/controller/users.php:654
 msgid "Edit two-factor authentication for %s"
 msgstr ""
 
-#: classes/controller/users.php:655
+#: classes/controller/users.php:654
 #: views/settings/options.php:9
 msgid "2FA"
 msgstr ""
 
-#: classes/controller/users.php:666
+#: classes/controller/users.php:665
 #: views/settings/user-stats.php:25
 msgid "2FA Active"
 msgstr ""
 
-#: classes/controller/users.php:667
+#: classes/controller/users.php:666
 #: views/settings/user-stats.php:26
 msgid "2FA Inactive"
@@ -442 +442 @@
 
 #: classes/controller/wordfencels.php:490
-#: classes/controller/wordfencels.php:852
+#: classes/controller/wordfencels.php:855
 #: views/manage/grace-period.php:22
 msgid "Locked Out"
@@ -500 +500 @@
 msgstr ""
 
-#: classes/controller/wordfencels.php:669
+#: classes/controller/wordfencels.php:671
 msgid "Login Verification Required"
 msgstr ""
 
-#: classes/controller/wordfencels.php:671
-msgid "<strong>VERIFICATION REQUIRED</strong>: Additional verification is required for login. Please check the email address associated with the account for a verification link."
-msgstr ""
-
-#: classes/controller/wordfencels.php:689
+#: classes/controller/wordfencels.php:676
+msgid "<strong>VERIFICATION REQUIRED</strong>: Additional verification is required for login. If there is a valid account for the provided login credentials, please check the email address associated with it for a verification link to continue logging in."
+msgstr ""
+
+#: classes/controller/wordfencels.php:692
 msgid "<strong>CODE INVALID</strong>: The 2FA code provided is either expired or invalid. Please try again."
 msgstr ""
 
-#: classes/controller/wordfencels.php:698
+#: classes/controller/wordfencels.php:701
 msgid "<strong>CODE REQUIRED</strong>: Please enter your 2FA code immediately after your password in the same field."
 msgstr ""
 
-#: classes/controller/wordfencels.php:700
+#: classes/controller/wordfencels.php:703
 msgid "<strong>CODE REQUIRED</strong>: Please provide your 2FA code when prompted."
 msgstr ""
 
-#: classes/controller/wordfencels.php:703
+#: classes/controller/wordfencels.php:706
 msgid "<strong>LOGIN BLOCKED</strong>: 2FA is required to be active on your account. Please contact the site administrator."
 msgstr ""
 
-#: classes/controller/wordfencels.php:706
+#: classes/controller/wordfencels.php:709
 msgid "You do not currently have two-factor authentication active on your account, which will be required beginning %s. <a href=\"%s\">Configure 2FA</a>"
 msgstr ""
 
-#: classes/controller/wordfencels.php:756
+#: classes/controller/wordfencels.php:759
 msgid "Email verification succeeded. Please continue logging in."
 msgstr ""
 
-#: classes/controller/wordfencels.php:759
+#: classes/controller/wordfencels.php:762
 msgid "Email verification invalid or expired. Please try again."
 msgstr ""
 
-#: classes/controller/wordfencels.php:813
 #: classes/controller/wordfencels.php:816
+#: classes/controller/wordfencels.php:819
 msgid "Login Security"
 msgstr ""
 
-#: classes/controller/wordfencels.php:844
+#: classes/controller/wordfencels.php:847
 #: views/settings/options.php:23
 #: views/settings/user-stats.php:33
@@ -547 +547 @@
 msgstr ""
 
-#: classes/controller/wordfencels.php:848
+#: classes/controller/wordfencels.php:851
 #: views/manage/grace-period.php:22
 #: views/options/option-roles.php:57
@@ -553 +553 @@
 msgstr ""
 
-#: classes/controller/wordfencels.php:867
+#: classes/controller/wordfencels.php:870
 msgid "Users without 2FA active (%s)"
 msgstr ""
 
-#: classes/controller/wordfencels.php:885
-#: classes/controller/wordfencels.php:886
+#: classes/controller/wordfencels.php:888
+#: classes/controller/wordfencels.php:889
 msgid "Two-Factor Authentication"
 msgstr ""
 
-#: classes/controller/wordfencels.php:886
+#: classes/controller/wordfencels.php:889
 msgid "Learn more<span class=\"wfls-hidden-xs\"> about Two-Factor Authentication</span>"
 msgstr ""
 
-#: classes/controller/wordfencels.php:895
+#: classes/controller/wordfencels.php:898
 msgid "Settings"
 msgstr ""
 
-#: classes/controller/wordfencels.php:896
+#: classes/controller/wordfencels.php:899
 msgid "Login Security Settings"
 msgstr ""
 
-#: classes/controller/wordfencels.php:896
+#: classes/controller/wordfencels.php:899
 msgid "Learn more<span class=\"wfls-hidden-xs\"> about Login Security</span>"
 msgstr ""
 
-#: classes/controller/wordfencels.php:922
+#: classes/controller/wordfencels.php:925
 msgid "<strong>REGISTRATION ATTEMPT BLOCKED</strong>: This site requires a security token created when the page loads for all registration attempts. Please ensure JavaScript is enabled and try again."
 msgstr ""
 
-#: classes/controller/wordfencels.php:929
+#: classes/controller/wordfencels.php:932
 msgid "<strong>REGISTRATION ATTEMPT BLOCKED</strong>: The security token for the login attempt was invalid or expired. Please reload the page and try again."
 msgstr ""
 
-#: classes/controller/wordfencels.php:942
+#: classes/controller/wordfencels.php:945
 msgid "<strong>REGISTRATION BLOCKED</strong>: The registration request was blocked because it was flagged as spam. Please try again or <a href=\"#\" class=\"wfls-registration-captcha-contact\" data-token=\"%s\">contact the site owner</a> for help."
 msgstr ""
 
-#: classes/controller/wordfencels.php:945
+#: classes/controller/wordfencels.php:948
 msgid "<strong>REGISTRATION BLOCKED</strong>: The registration request was blocked because it was flagged as spam. Please try again or contact the site owner for help."
 msgstr ""
 
-#: classes/controller/wordfencels.php:1015
+#: classes/controller/wordfencels.php:1018
 msgid "Wordfence 2FA"
 msgstr ""
@@ -647 +647 @@
 msgstr ""
 
-#: views/email/login-verification.php:11
-msgid "Please verify a login attempt for your account on <a href=\"%s\"><strong>%s</strong></a>."
+#: views/email/login-verification.php:10
+msgid "Please verify a login attempt for your account on: %s"
+msgstr ""
+
+#: views/email/login-verification.php:12
+msgid "Request Time:"
 msgstr ""
 
 #: views/email/login-verification.php:13
-msgid "Request Time:"
-msgstr ""
-
-#: views/email/login-verification.php:14
 msgid "IP:"
 msgstr ""
 
-#: views/email/login-verification.php:16
+#: views/email/login-verification.php:15
 msgid "The request was flagged as suspicious, and we need verification that you attempted to log in to allow it to proceed. This verification link <b>will be valid for 15 minutes</b> from the time it was sent. If you did not attempt this login, please change your password immediately."
 msgstr ""
 
-#: views/email/login-verification.php:19
-msgid "You may bypass this verification step permanently by enabling two-factor authentication on your account."
-msgstr ""
-
-#: views/email/login-verification.php:22
-msgid "<a href=\"%s\"><b>Verify and Log In</b></a>"
+#: views/email/login-verification.php:17
+msgid "If you were attempting to log in to this site, <a href=\"%s\"><strong>Verify and Log In</strong></a>"
 msgstr ""
 
@@ -872 +868 @@
 
 #: views/options/option-captcha-threshold.php:16
-msgid "0.1"
-msgstr ""
-
-#: views/options/option-captcha-threshold.php:17
-msgid "0.0 (definitely a bot)"
+msgid "0.1 (probably a bot)"
+msgstr ""
+
+#: views/options/option-captcha-threshold.php:27
+msgid "reCAPTCHA human/bot threshold score"
 msgstr ""
 
 #: views/options/option-captcha-threshold.php:28
-msgid "reCAPTCHA human/bot threshold score"
-msgstr ""
-
-#: views/options/option-captcha-threshold.php:29
 msgid "A reCAPTCHA score equal to or higher than this value will be considered human. Anything lower will be treated as a bot and require additional verification for login and registration."
 msgstr ""
 
-#: views/options/option-captcha-threshold.php:51
+#: views/options/option-captcha-threshold.php:50
 msgid "Reset Score Statistics"
 msgstr ""
 
-#: views/options/option-captcha-threshold.php:88
+#: views/options/option-captcha-threshold.php:87
 msgid "Requests"
 msgstr ""
 
-#: views/options/option-captcha-threshold.php:106
+#: views/options/option-captcha-threshold.php:105
 msgid "reCAPTCHA Score History"
 msgstr ""
 
-#: views/options/option-captcha-threshold.php:113
+#: views/options/option-captcha-threshold.php:112
 msgid "Count"
 msgstr ""

wordfence-login-security/trunk/readme.txt

@@ -58 +58 @@
 
 == Changelog ==
+
+= 1.1.10 - March 11, 2024 =
+* Change: Removed the extra site link from the CAPTCHA verification email message to avoid confusion with the verify link
+* Change: CAPTCHA verification when enabled now additionally applies to 2FA logins (may send an email verification on low scores) and no longer reveals whether a user exists for the submitted account credentials (credit: Raxis)
 
 = 1.1.9 - February 14, 2024 =

wordfence-login-security/trunk/views/email/login-verification.php

@@ -4 +4 @@
  * @var string $ip The requesting IP. Required.
  * @var string $siteName The site name. Required.
- * @var string $siteURL The site URL. Required.
  * @var string $verificationURL The verification URL. Required.
  * @var bool $canEnable2FA Whether or not the user this is being sent to can enable 2FA. Optional
  */
 ?>
-<strong><?php echo wp_kses(sprintf(__('Please verify a login attempt for your account on <a href="%s"><strong>%s</strong></a>.', 'wordfence-login-security'), esc_url($siteURL), $siteName), array('a'=>array('href'=>array()), 'strong'=>array())); ?></strong>
+<strong><?php echo wp_kses(sprintf(__('Please verify a login attempt for your account on: %s', 'wordfence-login-security'), $siteName), array('strong'=>array())); ?></strong>
 <br><br>
 <?php echo '<strong>' . esc_html__('Request Time:', 'wordfence-login-security') . '</strong> ' . esc_html(\WordfenceLS\Controller_Time::format_local_time('F j, Y h:i:s A')); ?><br>
@@ -16 +15 @@
 <?php echo wp_kses(__('The request was flagged as suspicious, and we need verification that you attempted to log in to allow it to proceed. This verification link <b>will be valid for 15 minutes</b> from the time it was sent. If you did not attempt this login, please change your password immediately.', 'wordfence-login-security'), array('b'=>array())); ?>
 <br><br>
-<?php if (isset($canEnable2FA) && $canEnable2FA): ?>
-<?php esc_html_e('You may bypass this verification step permanently by enabling two-factor authentication on your account.', 'wordfence-login-security'); ?>
-<br><br>
-<?php endif; ?>
-<?php echo wp_kses(sprintf(__('<a href="%s"><b>Verify and Log In</b></a>', 'wordfence-login-security'), esc_url($verificationURL)), array('a'=>array('href'=>array()), 'b'=>array())); ?>
+<?php echo wp_kses(sprintf(__('If you were attempting to log in to this site, <a href="%s"><strong>Verify and Log In</strong></a>', 'wordfence-login-security'), esc_url($verificationURL)), array('a' => array('href' => array()), 'strong' => array())); ?>

wordfence-login-security/trunk/views/options/option-captcha-threshold.php

@@ -5 +5 @@
 $currentValue = \WordfenceLS\Controller_Settings::shared()->get_float($optionName, 0.5);
 $selectOptions = array(
-    array('label' => __('1.0 (definitely a human)', 'wordfence-login-security'), 'value' => 1.0),
-    array('label' => __('0.9', 'wordfence-login-security'), 'value' => 0.9),
-    array('label' => __('0.8', 'wordfence-login-security'), 'value' => 0.8),
-    array('label' => __('0.7', 'wordfence-login-security'), 'value' => 0.7),
-    array('label' => __('0.6', 'wordfence-login-security'), 'value' => 0.6),
-    array('label' => __('0.5 (probably a human)', 'wordfence-login-security'), 'value' => 0.5),
-    array('label' => __('0.4', 'wordfence-login-security'), 'value' => 0.4),
-    array('label' => __('0.3', 'wordfence-login-security'), 'value' => 0.3),
-    array('label' => __('0.2', 'wordfence-login-security'), 'value' => 0.2),
-    array('label' => __('0.1', 'wordfence-login-security'), 'value' => 0.1),
-    array('label' => __('0.0 (definitely a bot)', 'wordfence-login-security'), 'value' => 0.0),
+    array('label' => __('1.0 (definitely a human)', 'wordfence-login-security'), 'value' => 1.0, 'selected' => ((int) ($currentValue * 10)) == 10),
+    array('label' => __('0.9', 'wordfence-login-security'), 'value' => 0.9, 'selected' => ((int) ($currentValue * 10)) == 9),
+    array('label' => __('0.8', 'wordfence-login-security'), 'value' => 0.8, 'selected' => ((int) ($currentValue * 10)) == 8),
+    array('label' => __('0.7', 'wordfence-login-security'), 'value' => 0.7, 'selected' => ((int) ($currentValue * 10)) == 7),
+    array('label' => __('0.6', 'wordfence-login-security'), 'value' => 0.6, 'selected' => ((int) ($currentValue * 10)) == 6),
+    array('label' => __('0.5 (probably a human)', 'wordfence-login-security'), 'value' => 0.5, 'selected' => ((int) ($currentValue * 10)) == 5),
+    array('label' => __('0.4', 'wordfence-login-security'), 'value' => 0.4, 'selected' => ((int) ($currentValue * 10)) == 4),
+    array('label' => __('0.3', 'wordfence-login-security'), 'value' => 0.3, 'selected' => ((int) ($currentValue * 10)) == 3),
+    array('label' => __('0.2', 'wordfence-login-security'), 'value' => 0.2, 'selected' => ((int) ($currentValue * 10)) == 2),
+    array('label' => __('0.1 (probably a bot)', 'wordfence-login-security'), 'value' => 0.1, 'selected' => ((int) ($currentValue * 10)) <= 1),
 );
 ?>
@@ -33 +32 @@
                         <select aria-labelledby="wfls-option-recaptcha-threshold-label">
                             <?php foreach ($selectOptions as $o): ?>
-                                <option class="wfls-option-select-option" value="<?php echo esc_attr($o['value']); ?>"<?php if (((int) ($o['value'] * 10)) == ((int) ($currentValue * 10))) { echo ' selected'; } ?>><?php echo esc_html($o['label']); ?></option>
+                                <option class="wfls-option-select-option" value="<?php echo esc_attr($o['value']); ?>"<?php if ($o['selected']) { echo ' selected'; } ?>><?php echo esc_html($o['label']); ?></option>
                             <?php endforeach; ?>
                         </select>

wordfence-login-security/trunk/wordfence-login-security.php

@@ -4 +4 @@
 Description: Wordfence Login Security
 Author: Wordfence
-Author URI: http://www.wordfence.com/
-Version: 1.1.9
+Author URI: https://www.wordfence.com/
+Version: 1.1.10
 Network: true
 Requires at least: 4.5
@@ -39 +39 @@
     define('WORDFENCE_LS_FROM_CORE', ($wfCoreActive && isset($wfCoreLoading) && $wfCoreLoading));
     
-    define('WORDFENCE_LS_VERSION', '1.1.9');
-    define('WORDFENCE_LS_BUILD_NUMBER', '1707926306');
+    define('WORDFENCE_LS_VERSION', '1.1.10');
+    define('WORDFENCE_LS_BUILD_NUMBER', '1710170444');
 
     define('WORDFENCE_LS_PLUGIN_BASENAME', plugin_basename(__FILE__));