Changeset 3289923

Timestamp:

05/08/2025 02:09:01 PM (8 months ago)

Author:

hamdisaidani

Message:

v1.1.2 – Security fix: block access to wp-login.php when Fortress is active

Location:

fortress-login-pro/trunk

Files:

• fortress-login-pro.php (modified) (2 diffs)
• includes/filters-hooks.php (modified) (11 diffs)
• readme.txt (modified) (6 diffs)
• templates/access-denied-page.php (modified) (1 diff)
• templates/email-template.php (modified) (1 diff)
• templates/test-email-template.php (modified) (1 diff)

fortress-login-pro/trunk/fortress-login-pro.php

@@ -3 +3 @@
  * Plugin Name: Fortress Login Pro – Secure, Hide & Rename Login URL
  * Description: Secure and rotate your WordPress login slug. Block brute force attacks, track attempts, and auto-rotate slugs via email.
- * Version: 1.1.1
+ * Version: 1.1.2
  * Author: hamdisaidani
  * License: GPL2+
@@ -12 +12 @@
 
 // Define plugin constants
-define('FORTLOPR_VERSION', '1.1.1');
+define('FORTLOPR_VERSION', '1.1.2');
 define('FORTLOPR_PLUGIN_DIR', plugin_dir_path(__FILE__));
 define('FORTLOPR_PLUGIN_URL', plugin_dir_url(__FILE__));

fortress-login-pro/trunk/includes/filters-hooks.php

@@ -9 +9 @@
 // Include the logger to track unauthorized access attempts
 require_once plugin_dir_path(__FILE__) . '/../core/logger.php';
+
+// Start session for tracking state if not already started
+if (!isset($_SESSION) && !headers_sent()) {
+    session_start();
+}
+
+// Emergency flush of rewrite rules to fix password reset URL issues
+function fortlopr_emergency_flush_rules() {
+    // Only do this once per session to avoid performance issues
+    if (!isset($_SESSION['fortress_emergency_flush_done'])) {
+        // Force flush rewrite rules when we have active custom login slug
+        $active_slug = get_option('fortress_active_slug', 'wp-login.php');
+        if ($active_slug !== 'wp-login.php') {
+            flush_rewrite_rules(true);
+            // Mark as done for this session
+            $_SESSION['fortress_emergency_flush_done'] = true;
+        }
+    }
+}
+// Run emergency flush
+fortlopr_emergency_flush_rules();
 
 /**
@@ -462 +483 @@
         add_action('template_redirect', 'fortlopr_handle_login_template', 5);
         
-        // Optional: Redirect wp-login.php to custom slug
-        add_action('login_init', 'fortlopr_redirect_wp_login', 5);
-        
         // Block access to login-like paths
         add_action('template_redirect', 'fortlopr_block_login_like_paths', 4);
@@ -470 +488 @@
 }
 add_action('wp', 'fortlopr_init_login_handlers');
+
+/**
+ * Add direct hook for wp-login.php redirection
+ * This needs to be outside the normal handlers to catch direct access to wp-login.php
+ */
+function fortlopr_setup_login_redirect() {
+    $active_slug = get_option('fortress_active_slug', 'wp-login.php');
+    
+    // Only add redirect if using a custom slug
+    if ($active_slug !== 'wp-login.php') {
+        add_action('login_init', 'fortlopr_redirect_wp_login', 5);
+    }
+}
+add_action('init', 'fortlopr_setup_login_redirect', 5);
 
 /**
@@ -497 +529 @@
         add_rewrite_rule(
             '^' . $slug . '/?$',
+            'index.php?fortress_login=1&fortress_slug_type=active',
+            'top'
+        );
+        
+        // Add rewrite rule for active slug with wp-login.php
+        add_rewrite_rule(
+            '^' . $slug . '/wp-login\.php',
             'index.php?fortress_login=1&fortress_slug_type=active',
             'top'
@@ -512 +551 @@
                 add_rewrite_rule(
                     '^' . $pending_slug . '/?$',
+                    'index.php?fortress_login=1&fortress_slug_type=pending',
+                    'top'
+                );
+                
+                // Add rewrite rule for pending slug with wp-login.php
+                add_rewrite_rule(
+                    '^' . $pending_slug . '/wp-login\.php',
                     'index.php?fortress_login=1&fortress_slug_type=pending',
                     'top'
@@ -604 +650 @@
     // Exit early if not a login request
     if (!get_query_var('fortress_login')) {
+        // Special handling for combined URLs (slug/wp-login.php?checkemail=confirm)
+        $request_uri = isset($_SERVER['REQUEST_URI']) ? sanitize_text_field(wp_unslash($_SERVER['REQUEST_URI'])) : '';
+        $active_slug = get_option('fortress_active_slug', 'wp-login.php');
+        
+        // If this is a checkemail=confirm on a combined path, process it 
+        if (strpos($request_uri, trim($active_slug, '/') . '/wp-login.php') === 1 && 
+            isset($_GET['checkemail']) && 
+            sanitize_text_field(wp_unslash($_GET['checkemail'])) === 'confirm') {
+            
+            // Include the login form to handle the reset confirmation
+            include_once(ABSPATH . 'wp-login.php');
+            exit;
+        }
+        
         return;
     }
-    
-    global $pagenow, $user_login, $error;
     
     // Store which slug was used (active or pending)
@@ -852 +910 @@
     }
     
+    // Allow any wp-login.php path with password reset functionality
+    if (strpos($request_path, 'wp-login.php') !== false) {
+        // Allow password reset confirmation on all paths
+        if (isset($_GET['checkemail']) && sanitize_text_field(wp_unslash($_GET['checkemail'])) === 'confirm') {
+            return;
+        }
+        
+        // Allow password reset related actions too
+        if (isset($_GET['action']) && in_array(sanitize_text_field(wp_unslash($_GET['action'])), array('lostpassword', 'rp', 'resetpass'), true)) {
+            return;
+        }
+    }
+    
+    // Also skip if this is a combination of custom slug and wp-login.php with allowed params
+    if (strpos($request_path, trim($active_slug, '/') . '/wp-login.php') === 0) {
+        // These checks are redundant with the one above, but kept for compatibility
+        if (isset($_GET['checkemail']) && sanitize_text_field(wp_unslash($_GET['checkemail'])) === 'confirm') {
+            return;
+        }
+        
+        if (isset($_GET['action']) && in_array(sanitize_text_field(wp_unslash($_GET['action'])), array('lostpassword', 'rp', 'resetpass'), true)) {
+            return;
+        }
+    }
+    
     // Also skip if this is the pending slug path (only if pending status is valid)
     $pending_is_valid = !empty($pending_slug) && ($pending_status === 'pending' || $pending_status === 'confirmed');
@@ -912 +995 @@
             return;
         }
+        
+        // Allow password reset related actions
+        if (isset($_GET['action']) && in_array(sanitize_text_field(wp_unslash($_GET['action'])), array('lostpassword', 'rp', 'resetpass'), true)) {
+            return;
+        }
+        
+        // Allow password reset confirmation screen
+        if (isset($_GET['checkemail']) && sanitize_text_field(wp_unslash($_GET['checkemail'])) === 'confirm') {
+            return;
+        }
     }
     
@@ -965 +1058 @@
     }
     
+    // Also allow password reset confirmation
+    if (isset($_GET['checkemail']) && sanitize_text_field(wp_unslash($_GET['checkemail'])) === 'confirm') {
+        return;
+    }
+    
     // Skip if $_SERVER['REQUEST_URI'] contains AJAX or admin actions
     if (isset($_SERVER['REQUEST_URI'])) {
@@ -976 +1074 @@
     $active_slug = get_option('fortress_active_slug', 'wp-login.php');
     
-    // Only redirect if using custom slug
+    // Only block if using custom slug
     if ($active_slug !== 'wp-login.php') {
-        // Redirect to custom login URL
-        wp_safe_redirect(home_url($active_slug));
+        // Log the unauthorized access attempt
+        if (!function_exists('fortlopr_log_access_attempt')) {
+            require_once plugin_dir_path(__FILE__) . '/../core/logger.php';
+        }
+        
+        // Prepare URL for logging
+        $host = isset($_SERVER['HTTP_HOST']) ? sanitize_text_field(wp_unslash($_SERVER['HTTP_HOST'])) : '';
+        $request_uri = isset($_SERVER['REQUEST_URI']) ? sanitize_text_field(wp_unslash($_SERVER['REQUEST_URI'])) : '';
+        $url_attempted = esc_url_raw('http://' . $host . $request_uri);
+        
+        // Log the access attempt if it passes our filters
+        if (fortlopr_should_log_access($url_attempted)) {
+            fortlopr_log_access_attempt([
+                'ip_address'     => isset($_SERVER['REMOTE_ADDR']) ? sanitize_text_field(wp_unslash($_SERVER['REMOTE_ADDR'])) : 'Unknown',
+                'user_agent'     => isset($_SERVER['HTTP_USER_AGENT']) ? sanitize_text_field(wp_unslash($_SERVER['HTTP_USER_AGENT'])) : 'Unknown',
+                'referrer'       => isset($_SERVER['HTTP_REFERER']) ? esc_url_raw(wp_unslash($_SERVER['HTTP_REFERER'])) : 'Direct',
+                'url_attempted'  => $url_attempted,
+                'timestamp'      => current_time('mysql'),
+            ]);
+        }
+        
+        // Show access denied page instead of redirecting
+        status_header(403);
+        include plugin_dir_path(__FILE__) . '/../templates/access-denied-page.php';
         exit;
     }
@@ -1032 +1152 @@
         if (strpos($path, 'action=confirm_admin_email') !== false) {
             return $url;
+        }
+        
+        // Special handling for password reset confirmation
+        if (strpos($path, 'checkemail=confirm') !== false) {
+            // Keep the original URL with the custom slug added
+            return home_url('/' . trim($active_slug, '/') . $path);
         }
         

fortress-login-pro/trunk/readme.txt

@@ -5 +5 @@
 Tested up to: 6.8  
 Requires PHP: 7.2  
-Stable tag: 1.1.1  
+Stable tag: 1.1.2  
 License: GPLv2 or later  
 License URI: https://www.gnu.org/licenses/gpl-2.0.html  
@@ -21 +21 @@
 ### 🔐 Key Features
 
-- **Custom Login URL:** Hide `wp-login.php` and set your own private login path
-- **Auto-Rotate Slugs:** Automatically change your login URL on a custom schedule
-- **Dual-Slug Rotation Safety:** Keep the old URL live until the new one is used (fail-safe)
-- **Slug Generator:** Choose readable word combos or full-random slugs (with number support)
-- **Access Logs & Charts:** See IPs, timestamps, referrers, and user-agents by login attempt
-- **Export Logs:** Download access history or slug changes in CSV or JSON
-- **Slug History Panel:** Restore, archive, or delete old slugs anytime
-- **SMTP Configuration:** Set up outgoing email for login slug alerts and rotation notices
-- **Test Email & Rotation:** Built-in checks before activating rotation so you don’t get locked out
-- **Clean UI:** Fast, modern dashboard with zero bloat or upsell traps
+- **Custom Login URL:** Hide `wp-login.php` and set your own private login path  
+- **Auto-Rotate Slugs:** Automatically change your login URL on a custom schedule  
+- **Dual-Slug Rotation Safety:** Keep the old URL live until the new one is used (fail-safe)  
+- **Slug Generator:** Choose readable word combos or full-random slugs (with number support)  
+- **Access Logs & Charts:** See IPs, timestamps, referrers, and user-agents by login attempt  
+- **Export Logs:** Download access history or slug changes in CSV or JSON  
+- **Slug History Panel:** Restore, archive, or delete old slugs anytime  
+- **SMTP Configuration:** Set up outgoing email for login slug alerts and rotation notices  
+- **Test Email & Rotation:** Built-in checks before activating rotation so you don’t get locked out  
+- **Clean UI:** Fast, modern dashboard with zero bloat or upsell traps  
 
 ### ✅ Works With
@@ -52 +52 @@
 == Installation ==
 
-1. Upload the plugin to `/wp-content/plugins/`
-2. Activate via **Plugins → Installed Plugins**
-3. Go to **Fortress Login Pro** in your dashboard
-4. Choose a login slug (manual or generated), then click **Save**
-5. Bookmark or email yourself the new URL — your old login path is now hidden
+1. Upload the plugin to `/wp-content/plugins/`  
+2. Activate via **Plugins → Installed Plugins**  
+3. Go to **Fortress Login Pro** in your dashboard  
+4. Choose a login slug (manual or generated), then click **Save**  
+5. Bookmark or email yourself the new URL — your old login path is now hidden  
 
 ---
@@ -98 +98 @@
 3. Slug history view with restore/delete options  
 4. SMTP configuration and test email panel  
-5. Access Denied page template
+5. Access Denied page template  
 
 ---
@@ -104 +104 @@
 == Changelog ==
 
+= 1.1.2 =
+* Security Fix: Blocked direct access to wp-login.php when custom slug is active
+
 = 1.1.1 =
-* Fixed bug where Copy and Generate buttons were incorrectly disabled by SMTP status
-* Improved empty-state UI for Analytics Overview chart
+* Fixed bug where Copy and Generate buttons were incorrectly disabled by SMTP status  
+* Improved empty-state UI for Analytics Overview chart  
 
 = 1.1.0 =
-* Added dual-slug auto-rotation (fail-safe)
-* Added slug generator: readable vs random + number toggle
-* Enhanced UI with slug strength meter, rotation timers, and status badges
-* Improved SMTP configuration with test email verification
-* Added slug history metadata (source, usage, status)
+* Added dual-slug auto-rotation (fail-safe)  
+* Added slug generator: readable vs random + number toggle  
+* Enhanced UI with slug strength meter, rotation timers, and status badges  
+* Improved SMTP configuration with test email verification  
+* Added slug history metadata (source, usage, status)  
 
 = 1.0.0 =
-* Initial release
+* Initial release  
 
 ---
@@ -122 +125 @@
 == Upgrade Notice ==
 
-1.1.1 includes a UI bug fix and a visual enhancement. Recommended for all users.
+1.1.2 includes a critical security fix. It is highly recommended for all users.
 
 ---

fortress-login-pro/trunk/templates/access-denied-page.php

@@ -5 +5 @@
  *
  * @package FortressLoginPro
- * @version 1.1.1
+ * @version 1.1.2
  */
 

fortress-login-pro/trunk/templates/email-template.php

@@ -5 +5 @@
  * 
  * @package FortressLoginPro
- * @version 1.1.1
+ * @version 1.1.2
  */
 

fortress-login-pro/trunk/templates/test-email-template.php

@@ -5 +5 @@
  * 
  * @package FortressLoginPro
- * @version 1.1.1
+ * @version 1.1.2
  */