wp-login.php hack, placed at the top of the file, to block POST requests from clients that did not first request our login form and fill it in
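/* Updated 24/05/13 00:04am GMT with support for WordPress mobile apps */
/*
 * Drop-in guard for the top of wp-login.php.
 *
 * On a POST request, require the hidden form field `fromWPForm` to carry the
 * value of the LOGINFORMKEY constant defined in wp-config.php; otherwise log
 * the attempt, answer 403 and stop. Requests whose User-Agent mentions
 * "mobile" or "android" are exempted so the WordPress mobile apps (which never
 * render our form) keep working.
 *
 * NOTE(review): User-Agent and X-Forwarded-For are supplied by the client, so
 * the exemption and the logged address are not trustworthy, and the key itself
 * is embedded in the served form. Treat this as noise reduction against
 * unsophisticated bots, not as an authentication control.
 */
if ( isset( $_SERVER['REQUEST_METHOD'] ) && ( $_SERVER['REQUEST_METHOD'] === 'POST' ) ) {
    include_once( 'wp-config.php' );
    if ( ! defined( 'LOGINFORMKEY' ) ) {
        error_log( "Cannot test login form for key, LOGINFORMKEY missing from wp-config.php" );
    } else {
        // The header may be absent entirely; default to '' instead of raising a notice.
        $userAgent = isset( $_SERVER['HTTP_USER_AGENT'] ) ? strtolower( (string) $_SERVER['HTTP_USER_AGENT'] ) : '';
        // strpos() on the lowercased string replaces strlen(strstr()), which relied on
        // strlen(false) silently becoming 0.
        $isMobileApp = ( strpos( $userAgent, 'mobile' ) !== false ) || ( strpos( $userAgent, 'android' ) !== false );
        if ( ! $isMobileApp ) {
            $submitted = isset( $_POST['fromWPForm'] ) ? $_POST['fromWPForm'] : null;
            // A `fromWPForm[]` field arrives as an array; reject non-strings before
            // hash_equals(), which would otherwise throw a TypeError.
            $keyMatches = is_string( $submitted ) && hash_equals( (string) constant( 'LOGINFORMKEY' ), $submitted );
            if ( ! $keyMatches ) {
                // Both address sources are client-controlled; strip control characters so a
                // crafted header cannot inject extra lines into the error log.
                if ( isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
                    $client = $_SERVER['HTTP_X_FORWARDED_FOR'];
                } elseif ( isset( $_SERVER['REMOTE_ADDR'] ) ) {
                    $client = $_SERVER['REMOTE_ADDR'];
                } else {
                    $client = 'unknown';
                }
                $client = preg_replace( '/[\x00-\x1F\x7F]+/', ' ', (string) $client );
                error_log( 'Bad attempt on wp-login from ' . $client );
                // http_response_code() sets the status for whichever protocol version is in use,
                // rather than hard-coding "HTTP/1.1".
                http_response_code( 403 );
                include( 'errors/pb/403.html' );
                die();
            }
        }
    }
}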