2020-01-26 15:14:37 +01:00
|
|
|
|
<?php
|
|
|
|
|
|
2020-01-29 07:46:05 +01:00
|
|
|
|
//define('DISALLOW_FILE_MODS',true);
|
2020-01-26 15:14:37 +01:00
|
|
|
|
|
2020-02-02 11:19:41 +01:00
|
|
|
|
//阻止异常请求
|
|
|
|
|
function gdk_prevent_requst() {
|
|
|
|
|
global $user_ID;
|
|
|
|
|
if( ! current_user_can( 'level_10' )) {
|
|
|
|
|
if ( strlen( $_SERVER['REQUEST_URI'] ) > 255 ||
|
|
|
|
|
stripos( $_SERVER['REQUEST_URI'], 'eval(' ) ||
|
|
|
|
|
stripos( $_SERVER['REQUEST_URI'], 'CONCAT' ) ||
|
|
|
|
|
stripos( $_SERVER['REQUEST_URI'], 'UNION+SELECT' ) ||
|
|
|
|
|
stripos( $_SERVER['REQUEST_URI'], 'GLOBALS(' ) ||
|
|
|
|
|
stripos( $_SERVER['REQUEST_URI'], '_REQUEST' ) ||
|
|
|
|
|
stripos( $_SERVER['REQUEST_URI'], '/localhost' ) ||
|
|
|
|
|
stripos( $_SERVER['QUERY_STRING'], '127.0.0.1' ) ||
|
|
|
|
|
stripos( $_SERVER['REQUEST_URI'], '/config.' ) ||
|
|
|
|
|
stripos( $_SERVER['REQUEST_URI'], 'wp-config.' ) ||
|
|
|
|
|
stripos( $_SERVER['REQUEST_URI'], 'etc/passwd' ) ||
|
|
|
|
|
stripos( $_SERVER['REQUEST_URI'], '<' ) ||
|
|
|
|
|
stripos( $_SERVER['REQUEST_URI'], 'base64' ) ) {
|
|
|
|
|
@header( 'HTTP/1.1 403 Forbidden' );
|
|
|
|
|
@header( 'Status: 403 Forbidden') ;
|
|
|
|
|
@header( 'Connection: Close' );
|
|
|
|
|
@exit;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-02-02 19:46:18 +01:00
|
|
|
|
if(gdk_option('gdk_block_requst')) {
|
|
|
|
|
add_action( 'wp', 'gdk_prevent_requst' );//阻止乱七八糟的请求
|
|
|
|
|
}
|
2020-01-29 04:41:36 +01:00
|
|
|
|
|
2020-02-02 11:19:41 +01:00
|
|
|
|
//登陆错误锁定
|
|
|
|
|
if ( ! class_exists( 'GDK_Limit_Login_Attempts' ) ) {
|
|
|
|
|
class GDK_Limit_Login_Attempts {
|
2020-02-02 19:46:18 +01:00
|
|
|
|
private $failed_login_limit;//登录失败的次数限制
|
|
|
|
|
private $lockout_duration;//暂停登陆时间
|
|
|
|
|
var $transient_name = 'attempted_login';//Transient used
|
2020-02-02 11:19:41 +01:00
|
|
|
|
public function __construct($config = null) {
|
|
|
|
|
$this->failed_login_limit = $config['failed_login_limit'];
|
|
|
|
|
$this->lockout_duration = $config['lockout_duration'];
|
|
|
|
|
add_filter( 'authenticate', array( $this, 'check_attempted_login' ), 30, 3 );
|
|
|
|
|
add_action( 'wp_login_failed', array( $this, 'login_failed' ), 10, 1 );
|
|
|
|
|
}
|
2020-02-02 19:46:18 +01:00
|
|
|
|
|
2020-02-02 11:19:41 +01:00
|
|
|
|
public function check_attempted_login( $user, $username, $password ) {
|
|
|
|
|
if ( get_transient( $this->transient_name ) ) {
|
|
|
|
|
$datas = get_transient( $this->transient_name );
|
|
|
|
|
if ( $datas['tried'] >= $this->failed_login_limit ) {
|
|
|
|
|
$until = get_option( '_transient_timeout_' . $this->transient_name );
|
|
|
|
|
$time = $this->when( $until );
|
|
|
|
|
//Display error message to the user when limit is reached
|
|
|
|
|
return new WP_Error( 'too_many_tried', sprintf( esc_attr( 'ERROR:您已触发登陆安全保护,请在 %1$s 后再次尝试.' ) , $time ) );
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return $user;
|
|
|
|
|
}
|
2020-02-02 19:46:18 +01:00
|
|
|
|
|
2020-02-02 11:19:41 +01:00
|
|
|
|
public function login_failed( $username ) {
|
|
|
|
|
if ( get_transient( $this->transient_name ) ) {
|
|
|
|
|
$datas = get_transient( $this->transient_name );
|
|
|
|
|
$datas['tried']++;
|
|
|
|
|
if ( $datas['tried'] <= $this->failed_login_limit )
|
2020-02-02 19:46:18 +01:00
|
|
|
|
set_transient( $this->transient_name, $datas , $this->lockout_duration );
|
2020-02-02 11:19:41 +01:00
|
|
|
|
} else {
|
|
|
|
|
$datas = array('tried' => 1 );
|
|
|
|
|
set_transient( $this->transient_name, $datas , $this->lockout_duration );
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-02-02 19:46:18 +01:00
|
|
|
|
|
2020-02-02 11:19:41 +01:00
|
|
|
|
private function when( $time ) {
|
2020-02-02 19:46:18 +01:00
|
|
|
|
if ( ! $time ) return;
|
2020-02-02 11:19:41 +01:00
|
|
|
|
$right_now = time();
|
|
|
|
|
$diff = abs( $right_now - $time );
|
|
|
|
|
$second = 1;
|
|
|
|
|
$minute = $second * 60;
|
|
|
|
|
$hour = $minute * 60;
|
|
|
|
|
$day = $hour * 24;
|
|
|
|
|
if ( $diff < $minute )
|
2020-02-02 19:46:18 +01:00
|
|
|
|
return floor( $diff / $second ) . ' ' . esc_attr( '秒' );
|
2020-02-02 11:19:41 +01:00
|
|
|
|
if ( $diff < $minute * 2 )
|
2020-02-02 19:46:18 +01:00
|
|
|
|
return esc_attr( 'about 1 minute ago' );
|
2020-02-02 11:19:41 +01:00
|
|
|
|
if ( $diff < $hour )
|
2020-02-02 19:46:18 +01:00
|
|
|
|
return floor( $diff / $minute ) . ' ' . esc_attr( '分钟' );
|
2020-02-02 11:19:41 +01:00
|
|
|
|
if ( $diff < $hour * 2 )
|
2020-02-02 19:46:18 +01:00
|
|
|
|
return esc_attr( 'about 1 hour');
|
2020-02-02 11:19:41 +01:00
|
|
|
|
return floor( $diff / $hour ) . ' ' . esc_attr( '小时' );
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
//Enable it:
|
2020-02-02 19:46:18 +01:00
|
|
|
|
$LLA_config = [
|
2020-02-02 11:19:41 +01:00
|
|
|
|
'failed_login_limit' => gdk_option('gdk_failed_login_limit'), // 登录失败的次数限制
|
2020-02-02 19:46:18 +01:00
|
|
|
|
'lockout_duration' => gdk_option('gdk_lockout_duration'), // 暂停登陆时间
|
2020-02-02 11:19:41 +01:00
|
|
|
|
];
|
|
|
|
|
if(gdk_option('gdk_lock_login')) {
|
2020-02-02 19:46:18 +01:00
|
|
|
|
new GDK_Limit_Login_Attempts($LLA_config);
|
2020-01-26 18:57:04 +01:00
|
|
|
|
}
|
2020-01-26 15:14:37 +01:00
|
|
|
|
|
|
|
|
|
//禁用登陆错误信息
|
|
|
|
|
function gdk_disable_login_errors( $error ) {
|
|
|
|
|
global $errors;
|
|
|
|
|
$err_codes = $errors->get_error_codes();
|
|
|
|
|
if ( ! in_array( 'too_many_tried', $err_codes ) ) {
|
|
|
|
|
// For security reason
|
2020-01-27 15:28:34 +01:00
|
|
|
|
return esc_attr('Access Denied!');
|
2020-01-26 15:14:37 +01:00
|
|
|
|
}
|
|
|
|
|
return $error;
|
|
|
|
|
}
|
|
|
|
|
add_filter( 'login_errors', 'gdk_disable_login_errors' );
|
|
|
|
|
|
2020-02-02 09:12:28 +01:00
|
|
|
|
//网站维护代码
|
|
|
|
|
function gdk_maintenance_mode() {
|
|
|
|
|
if (!current_user_can('edit_themes') || !is_user_logged_in()) {
|
|
|
|
|
wp_die('网站维护中ing, 没事儿您就别来啦……', 'Maintenance - Could you please not disturb me ', array('response' => '503'));
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-02-02 19:46:18 +01:00
|
|
|
|
if(gdk_option('gdk_maintenance_mode')){
|
|
|
|
|
add_action('get_header', 'gdk_maintenance_mode');
|
|
|
|
|
}
|
2020-02-02 09:12:28 +01:00
|
|
|
|
|
2020-02-02 19:46:18 +01:00
|
|
|
|
//各种措施拦截垃圾评论
|
|
|
|
|
if(gdk_option('gdk_fuck_spam')) {
|
|
|
|
|
//拦截无来路的评论
|
|
|
|
|
function gdk_comment_check_referrer() {
|
|
|
|
|
if ( ! isset( $_SERVER['HTTP_REFERER'] ) || $_SERVER['HTTP_REFERER'] == '' ) {
|
|
|
|
|
wp_die( esc_attr( 'Please enable referrers in your browser!' ) );
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
add_action('check_comment_flood', 'gdk_comment_check_referrer');
|
|
|
|
|
//拦截超长链接垃圾评论
|
|
|
|
|
function gdk_url_spamcheck($approved, $commentdata) {
|
|
|
|
|
return (strlen($commentdata['comment_author_url']) > 50) ? 'spam' : $approved;
|
2020-01-26 18:57:04 +01:00
|
|
|
|
}
|
2020-02-02 19:46:18 +01:00
|
|
|
|
add_filter('pre_comment_approved', 'gdk_url_spamcheck', 99, 2);
|
|
|
|
|
function gdk_comment_lang($commentdata) {
|
|
|
|
|
if (is_user_logged_in()) return $commentdata;
|
|
|
|
|
$pattern = '/[一-龥]/u';
|
|
|
|
|
// 禁止全英文评论
|
|
|
|
|
if (!preg_match($pattern, $commentdata['comment_content'])) {
|
|
|
|
|
gdk_die("您的评论中必须包含汉字!");
|
|
|
|
|
}
|
|
|
|
|
$pattern = '/[あ-んア-ン]/u';
|
|
|
|
|
// 禁止日文评论
|
|
|
|
|
if (preg_match($pattern, $commentdata['comment_content'])) {
|
|
|
|
|
gdk_die("评论禁止包含日文!");
|
|
|
|
|
}
|
|
|
|
|
//屏蔽评论里面黑名单内容
|
|
|
|
|
if (wp_blacklist_check($commentdata['comment_author'], $commentdata['comment_author_email'], $commentdata['comment_author_url'], $commentdata['comment_content'], $commentdata['comment_author_IP'], $commentdata['comment_agent'])) {
|
|
|
|
|
gdk_die('不好意思,您的评论违反本站评论规则');
|
|
|
|
|
}
|
|
|
|
|
return $commentdata;
|
2020-01-26 18:57:04 +01:00
|
|
|
|
}
|
2020-02-02 19:46:18 +01:00
|
|
|
|
add_filter('preprocess_comment', 'gdk_comment_lang');
|
2020-01-26 18:57:04 +01:00
|
|
|
|
}
|
2020-01-27 19:03:14 +01:00
|
|
|
|
|
|
|
|
|
//隐藏用户名字
|
|
|
|
|
if( gdk_option('gdk_hide_user_name') ){
|
|
|
|
|
function gdk_text_encrypt($string, $operation, $key = '') {
|
|
|
|
|
$string = $operation == 'D' ? str_replace( array('!','-','_'), array('=','+','/'), $string ) : $string;
|
|
|
|
|
$key = md5($key);
|
|
|
|
|
$key_length = strlen($key);
|
|
|
|
|
$string = $operation == 'D' ? base64_decode($string) : substr(md5($string . $key) , 0, 8) . $string;
|
|
|
|
|
$string_length = strlen($string);
|
|
|
|
|
$rndkey = $box = array();
|
|
|
|
|
$result = '';
|
|
|
|
|
for ($i = 0; $i <= 255; $i++) {
|
|
|
|
|
$rndkey[$i] = ord($key[$i % $key_length]);
|
|
|
|
|
$box[$i] = $i;
|
|
|
|
|
}
|
|
|
|
|
for ($j = $i = 0; $i < 256; $i++) {
|
|
|
|
|
$j = ($j + $box[$i] + $rndkey[$i]) % 256;
|
|
|
|
|
$tmp = $box[$i];
|
|
|
|
|
$box[$i] = $box[$j];
|
|
|
|
|
$box[$j] = $tmp;
|
|
|
|
|
}
|
|
|
|
|
for ($a = $j = $i = 0; $i < $string_length; $i++) {
|
|
|
|
|
$a = ($a + 1) % 256;
|
|
|
|
|
$j = ($j + $box[$a]) % 256;
|
|
|
|
|
$tmp = $box[$a];
|
|
|
|
|
$box[$a] = $box[$j];
|
|
|
|
|
$box[$j] = $tmp;
|
|
|
|
|
$result.= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
|
|
|
|
|
}
|
|
|
|
|
if ($operation == 'D') {
|
|
|
|
|
if (substr($result, 0, 8) == substr(md5(substr($result, 8) . $key) , 0, 8)) {
|
|
|
|
|
return substr($result, 8);
|
|
|
|
|
} else {
|
|
|
|
|
return '';
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
return str_replace(array('=','+','/'), array('!','-','_'), base64_encode($result));
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function gdk_custom_author_link_request( $query_vars ) {
|
|
|
|
|
if ( array_key_exists( 'author_name', $query_vars ) ) {
|
|
|
|
|
global $wpdb;
|
|
|
|
|
$author_id = gdk_text_encrypt( $query_vars['author_name'], 'D', AUTH_KEY );
|
|
|
|
|
if ( $author_id ) {
|
|
|
|
|
$query_vars['author'] = $author_id;
|
|
|
|
|
unset( $query_vars['author_name'] );
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return $query_vars;
|
|
|
|
|
}
|
|
|
|
|
add_filter( 'request', 'gdk_custom_author_link_request' );
|
|
|
|
|
|
|
|
|
|
function gdk_custom_author_link( $link, $author_id) {
|
|
|
|
|
global $wp_rewrite;
|
|
|
|
|
$author_id = (int) $author_id;
|
|
|
|
|
$link = $wp_rewrite->get_author_permastruct();
|
|
|
|
|
if ( empty($link) ) {
|
|
|
|
|
$file = home_url( '/' );
|
|
|
|
|
$link = $file . '?author=' . gdk_text_encrypt($author_id, 'E',AUTH_KEY);
|
|
|
|
|
} else {
|
|
|
|
|
$link = str_replace('%author%', gdk_text_encrypt($author_id, 'E',AUTH_KEY), $link);
|
|
|
|
|
$link = home_url() . user_trailingslashit( $link );
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return $link;
|
|
|
|
|
}
|
|
|
|
|
add_filter( 'author_link', 'gdk_custom_author_link', 10, 2 );
|
|
|
|
|
|
|
|
|
|
// wp-rest 可能暴露用户名
|
|
|
|
|
function gdk_custom_rest_prepare_user( $response, $user, $request ){
|
|
|
|
|
$response->data['slug'] = gdk_text_encrypt( $user->ID, 'E', AUTH_KEY );
|
|
|
|
|
return $response;
|
|
|
|
|
}
|
|
|
|
|
add_filter( 'rest_prepare_user', 'gdk_custom_rest_prepare_user', 10, 3 );
|
2020-02-02 19:46:18 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//后台登陆数学验证码
|
|
|
|
|
if (gdk_option('gdk_login_verify')) {
|
|
|
|
|
function gdk_login_verify(){
|
|
|
|
|
$num1 = mt_rand(0, 20);
|
|
|
|
|
$num2 = mt_rand(0, 20);
|
|
|
|
|
echo "<p><label for='sum'> {$num1} + {$num2} = ?<br /><input type='text' name='sum' class='input' value='' size='25' tabindex='4'>" . "<input type='hidden' name='num1' value='{$num1}'>" . "<input type='hidden' name='num2' value='{$num2}'></label></p>";
|
|
|
|
|
}
|
|
|
|
|
add_action('login_form', 'gdk_login_verify');
|
|
|
|
|
add_action('register_form', 'gdk_login_verify');
|
|
|
|
|
|
|
|
|
|
function gdk_login_verify_val(){
|
|
|
|
|
$sum = $_POST['sum'];
|
|
|
|
|
switch ($sum) {
|
|
|
|
|
case $_POST['num1'] + $_POST['num2']:
|
|
|
|
|
break;
|
|
|
|
|
case null:
|
|
|
|
|
wp_die('错误: 请输入验证码 <a href="javascript:;" onclick="javascript:history.back();">返回上页</a>');
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
wp_die('错误: 验证码错误,请重试 <a href="javascript:;" onclick="javascript:history.back();">返回上页</a>');
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
add_action('login_form_login', 'gdk_login_verify_val');
|
|
|
|
|
add_action('register_post', 'gdk_login_verify_val');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//仅显示作者自己的文章
|
|
|
|
|
function gdk_show_mypost($wp_query) {
|
|
|
|
|
if (strpos($_SERVER['REQUEST_URI'], '/wp-admin/edit.php') !== false) {
|
|
|
|
|
if (!current_user_can('manage_options')) {
|
|
|
|
|
$wp_query->set('author', get_current_user_id());
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
add_filter('parse_query', 'gdk_show_mypost');
|
|
|
|
|
|
|
|
|
|
//在文章编辑页面的[添加媒体]只显示用户自己上传的文件
|
|
|
|
|
function gdk_show_myupload($wp_query_obj) {
|
|
|
|
|
global $pagenow;
|
|
|
|
|
if (!is_a(wp_get_current_user(), 'WP_User')) return;
|
|
|
|
|
if ('admin-ajax.php' != $pagenow || $_REQUEST['action'] != 'query-attachments') return;
|
|
|
|
|
if (!current_user_can('manage_options') && !current_user_can('manage_media_library')) $wp_query_obj->set('author', get_current_user_id());
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
add_action('pre_get_posts', 'gdk_show_myupload');
|
|
|
|
|
|
|
|
|
|
//在[媒体库]只显示用户上传的文件
|
|
|
|
|
function gdk_show_myupload_library($wp_query) {
|
|
|
|
|
if (strpos($_SERVER['REQUEST_URI'], '/wp-admin/upload.php') !== false) {
|
|
|
|
|
if (!current_user_can('manage_options') && !current_user_can('manage_media_library')) {
|
|
|
|
|
$wp_query->set('author', get_current_user_id());
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
add_filter('parse_query', 'gdk_show_myupload_library');
|