Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature/account security #2677

Draft
wants to merge 6 commits into
base: dev
Choose a base branch
from
Draft

Feature/account security #2677

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
1bd5220
adding spam settings and functions
ideadude Jun 5, 2024
5cea8ac
Wired up the spam checker.
ideadude Jun 14, 2024
d746c27
Checkout controller is always constructed, so fixed.
ideadude Jun 14, 2024
bda2763
undoing changes here
ideadude Jun 14, 2024
6eff6d1
adding captcha settings, needs js and code
ideadude Jun 19, 2024
2def872
Merge branch 'dev' into feature/account-security
ideadude Aug 3, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
87 changes: 87 additions & 0 deletions includes/admin/settings/class.llms.settings.accounts.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -225,6 +225,93 @@ public function get_settings() {
'type' => 'sectionend',
),

// Start Website Security & Spam Prevention options.
array(
'id' => 'security_and_spam_options',
'type' => 'sectionstart',
),
array(
'title' => __( 'Website Security & Spam Prevention', 'lifterlms' ),
'type' => 'title',
'id' => 'security_and_spam_options_title',
),
array(
'autoload' => false,
'default' => '',
'id' => 'lifterlms_captcha',
'desc' => __( 'Choose a captcha service to require at checkout.', 'lifterlms' ),
'title' => __( 'Captcha', 'lifterlms' ),
'type' => 'select',
'options' => array(
'' => __( 'None', 'lifterlms' ),
'recaptcha' => __( 'reCAPTCHA', 'lifterlms' ),
'turnstile' => __( 'Turnstile', 'lifterlms' )
),
'custom_attributes' => array(
'data-controller-id' => 'captcha',
),
),
array(
'autoload' => false,
'default' => '',
'id' => 'lifterlms_recaptcha_site_key',
'desc' => '',
'title' => __( 'reCAPTCHA Site Key', 'lifterlms' ),
'type' => 'text',
'custom_attributes' => array(
'data-controller' => 'captcha',
'data-value-is' => 'recaptcha',
),
),
array(
'autoload' => false,
'default' => '',
'id' => 'lifterlms_recaptcha_private_key',
'desc' => '',
'title' => __( 'reCAPTCHA Private Key', 'lifterlms' ),
'type' => 'text',
'custom_attributes' => array(
'data-controller' => 'captcha',
'data-value-is' => 'recaptcha',
),
),
array(
'autoload' => false,
'default' => '',
'id' => 'lifterlms_turnstile_site_key',
'desc' => '',
'title' => __( 'Turnstile Site Key', 'lifterlms' ),
'type' => 'text',
'custom_attributes' => array(
'data-controller' => 'captcha',
'data-value-is' => 'turnstile',
),
),
array(
'autoload' => false,
'default' => '',
'id' => 'lifterlms_turnstile_private_key',
'desc' => '',
'title' => __( 'Turnstile Private Key', 'lifterlms' ),
'type' => 'text',
'custom_attributes' => array(
'data-controller' => 'captcha',
'data-value-is' => 'turnstile',
),
),
array(
'autoload' => false,
'default' => 'no',
'id' => 'lifterlms_spam_protection',
'desc' => __( 'Block IPs from checkout if there are more than 10 failures within 15 minutes.', 'lifterlms' ),
'title' => __( 'Spam Protection', 'lifterlms' ),
'type' => 'checkbox',
),
array(
'id' => 'security_and_spam_options_end',
'type' => 'sectionend',
),

// Start user info fields options.
array(
'id' => 'user_info_field_options',
Expand Down
3 changes: 3 additions & 0 deletions includes/class-llms-loader.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -303,6 +303,9 @@ public function includes() {
// Privacy components.
require_once LLMS_PLUGIN_DIR . 'includes/privacy/class-llms-privacy.php';

// Spam stuff.
require_once LLMS_PLUGIN_DIR . 'includes/llms.spam.functions.php';

// Theme support.
require_once LLMS_PLUGIN_DIR . 'includes/theme-support/class-llms-theme-support.php';

Expand Down
201 changes: 201 additions & 0 deletions includes/llms.spam.functions.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,201 @@
<?php
/**
* Code related to spam detection and prevention.
*/
// Constants. Define these in wp-config.php to override.
if ( ! defined( 'LLMS_SPAM_ACTION_NUM_LIMIT' ) ) {
define( 'LLMS_SPAM_ACTION_NUM_LIMIT', 10 );
}
if ( ! defined( 'LLMS_SPAM_ACTION_TIME_LIMIT' ) ) {
define( 'LLMS_SPAM_ACTION_TIME_LIMIT', 900 ); // in seconds
}

/**
* Determine whether the current visitor a spammer.
*
* @since [version]
*
* @return bool Whether the current visitor a spammer.
*/
function llms_is_spammer() {
$is_spammer = false;

$activity = llms_get_spam_activity();
if ( false !== $activity && count( $activity ) >= LLMS_SPAM_ACTION_NUM_LIMIT ) {
$is_spammer = true;
}

/**
* Allow filtering whether the current visitor is a spammer.
*
* @since [version]
*
* @param bool $is_spammer Whether the current visitor is a spammer.
* @param array $activity The list of potential spam activity.
*/
return apply_filters( 'llms_is_spammer', $is_spammer, $activity );
}

/**
* Get the list of potential spam activity.
*
* @since [version]
*
* @param string|null $ip The IP address to get activity for, or leave as null to attempt to determine current IP address.
*
* @return array|false The list of potential spam activity if successful, or false if IP could not be determined.
*/
function llms_get_spam_activity( $ip = null ) {
if ( empty( $ip ) ) {
$ip = llms_get_ip_address();
}

// If we can't determine the IP, let's bail.
if ( empty( $ip ) ) {
return false;
}

$ip = preg_replace( '/[^0-9a-fA-F:., ]/', '', $ip );
$transient_key = 'llms_spam_activity_' . $ip;
$activity = get_transient( $transient_key );
if ( empty( $activity ) || ! is_array( $activity ) ) {
$activity = [];
}

// Remove old items.
$new_activity = [];
$now = current_time( 'timestamp', true ); // UTC
foreach( $activity as $item ) {
// Determine whether this item is recent enough to include.
if ( $item > $now-( LLMS_SPAM_ACTION_TIME_LIMIT ) ) {
$new_activity[] = $item;
}
}

return $new_activity;
}

/**
* Track spam activity.
* When we hit a certain number, the spam flag will trigger.
* For now we are only tracking credit card declines their timestamps.
* IP address isn't a perfect way to track this, but it's the best we have.
*
* @since [version]
*
* @param string|null $ip The IP address to track activity for, or leave as null to attempt to determine current IP address.
*
* @return bool True if the tracking of activity was successful, or false if IP could not be determined.
*/
function llms_track_spam_activity( $ip = null ) {
if ( empty( $ip ) ) {
$ip = llms_get_ip_address();
}

// If we can't determine the IP, let's bail.
if ( empty( $ip ) ) {
return false;
}

$activity = llms_get_spam_activity( $ip );
$now = current_time( 'timestamp', true ); // UTC
array_unshift( $activity, $now );

// If we have more than the limit, don't bother storing them.
if ( count( $activity ) > LLMS_SPAM_ACTION_NUM_LIMIT ) {
rsort( $activity );
$activity = array_slice( $activity, 0, LLMS_SPAM_ACTION_NUM_LIMIT );
}

// Save to transient.
$ip = preg_replace( '/[^0-9a-fA-F:., ]/', '', $ip );
$transient_key = 'llms_spam_activity_' . $ip;
set_transient( $transient_key, $activity, (int) LLMS_SPAM_ACTION_TIME_LIMIT );

return true;
}

/**
* Clears all stored spam activity for an IP address.
* Note that the llms_get_spam_activity function clears out old values
* automatically, and this should only be used to completely clear the activity.
*
* @since [version]
*
* @param string|null $ip The IP address to clear activity for, or leave as null to attempt to determine current IP address.
*
* @return bool True if the clearing of activity was successful, or false if IP could not be determined.
*/
function llms_clear_spam_activity( $ip = null ) {
if ( empty( $ip ) ) {
$ip = llms_get_ip_address();
}

// If we can't determine the IP, let's bail.
if ( empty( $ip ) ) {
return false;
}

$transient_key = 'llms_spam_activity_' . $ip;

delete_transient( $transient_key );

return true;
}

/**
* Track spam activity when checkouts or billing updates fail.
* Hooked on wp so the $post global is set up.
*
* @since [version]
* @param MemberOrder $morder The order object used at checkout. We ignore it.
*/
function llms_track_failed_checkouts_for_spam() {
// Bail if Spam Protection is disabled.
$spam_protection = get_option("lifterlms_spam_protection");
if ( empty( $spam_protection ) ) {
return;
}

// Bail if we're not on the LifterLMS checkout page.
if ( is_admin() || ! is_llms_checkout() ) {
return;
}

// Bail if there are no notices with type error.
$notices = llms()->session->get( 'llms_notices', array() );
$types = array_keys( $notices );
if ( ! in_array( 'error', $types ) ) {
return;
}

llms_track_spam_activity();
}
add_action( 'wp', 'llms_track_failed_checkouts_for_spam' );

/**
* Disable checkout and billing update forms for spammers.
*
* @since [version]
*
* @return mixed Truthy means stop checkout.
*/
function llms_disable_checkout_for_spammers() {
// Bail if Spam Protection is disabled.
$spam_protection = get_option("lifterlms_spam_protection");
if ( empty( $spam_protection ) ) {
return false;
}

// Bail if the current visitor is not a spammer.
if ( ! llms_is_spammer() ) {
return false;
}

// Show a notice at LifterLMS checkout RE spam.
$notice = __( 'Suspicious activity detected. Try again in a few minutes.', 'lifterlms' );
llms_add_notice( $notice, 'error' );

return true;
}
add_filter( 'llms_before_checkout_validation', 'llms_disable_checkout_for_spammers' );
Loading