@ideadude
Created April 5, 2025 18:06
Consider failed login attempts as spam, and if a user is considered a spammer, block them from logging in.
<?php
/**
 * We will consider failed login attempts as spam.
 * If a user is considered a spammer, block them from logging in.
 *
 * Some ideas if we merge this into PMPro core:
 * - Need documentation RE bypassing the login block.
 * - Consider adding settings RE what spammers are blocked from.
 * - Consider a way to view/clear the spam activity queue.
 * - We know the username they tried to login with,
 * -- we can detect they were flagged as spam,
 * -- and put the IP into a usermeta field.
 * -- If we see that, highlight it on the user,
 * -- and show a button to clear the spam activity for that IP only.
 * - Consider if we want to block access to the wp-login.php page.
 * - Consider having different limits for checkout spam vs login spam/etc.
 */

/**
 * Track failed login attempts as spam.
 *
 * @param string $username The username that failed to login.
 */
function my_pmproll_track_login_spam( $username ) {
	// Bail if we can't find the PMPro spam functions.
	if ( ! function_exists( 'pmpro_track_spam_activity' ) ) {
		return;
	}

	// Bail if Spam Protection is disabled.
	$spamprotection = get_option( 'pmpro_spamprotection' );
	if ( empty( $spamprotection ) ) {
		return;
	}

	// Okay, track the spam.
	pmpro_track_spam_activity();
}
add_action( 'wp_login_failed', 'my_pmproll_track_login_spam' );

/**
 * Block spammers from logging in.
 *
 * Runs at priority 1 on wp_authenticate, before WordPress checks the credentials.
 *
 * @param string $user_login    The username that is trying to login.
 * @param string $user_password The password that was submitted.
 */
function my_pmproll_block_spammers_from_login( $user_login, $user_password ) {
	// Disabled: bail if there is no user_login or user_password.
	// if ( empty( $user_login ) || empty( $user_password ) ) {
	// 	return;
	// }

	// Bail if we can't find the PMPro spam functions.
	if ( ! function_exists( 'pmpro_is_spammer' ) ) {
		return;
	}

	// Bail if Spam Protection is disabled.
	$spamprotection = get_option( 'pmpro_spamprotection' );
	if ( empty( $spamprotection ) ) {
		return;
	}

	// Bail if the bypass constant is set.
	if ( defined( 'PMPRO_BYPASS_LOGIN_BLOCK' ) && PMPRO_BYPASS_LOGIN_BLOCK ) {
		return;
	}

	// Check if the user is a spammer.
	if ( pmpro_is_spammer() ) {
		// Record the blocked attempt in the PHP error log, then stop the request.
		$ip = pmpro_get_ip();
		error_log( "paid-memberships-pro: Blocked spammer login attempt from IP: $ip" );
		die( esc_html__( 'Suspicious activity detected. Try again in a few minutes.', 'paid-memberships-pro' ) );
	}
}
add_action( 'wp_authenticate', 'my_pmproll_block_spammers_from_login', 1, 2 );