File Editor
Directories:
.. (Back)
Diff
dashboard
rest-api
Files:
Diff.php
IPTraf.php
IPTrafList.php
WFLSPHP52Compatability.php
compat.php
diffResult.php
email_genericAlert.php
email_newIssues.php
email_unlockRequest.php
email_unsubscribeRequest.php
flags.php
live_activity.php
menu_dashboard.php
menu_dashboard_options.php
menu_firewall.php
menu_firewall_blocking.php
menu_firewall_blocking_options.php
menu_firewall_waf.php
menu_firewall_waf_options.php
menu_install.php
menu_options.php
menu_scanner.php
menu_scanner_credentials.php
menu_scanner_options.php
menu_support.php
menu_tools.php
menu_tools_diagnostic.php
menu_tools_importExport.php
menu_tools_livetraffic.php
menu_tools_twoFactor.php
menu_tools_whois.php
menu_wordfence_central.php
sysinfo.php
viewFullActivityLog.php
wf503.php
wfAPI.php
wfActivityReport.php
wfAdminNoticeQueue.php
wfAlerts.php
wfArray.php
wfBrowscap.php
wfBrowscapCache.php
wfBulkCountries.php
wfCache.php
wfCentralAPI.php
wfConfig.php
wfCrawl.php
wfCredentialsController.php
wfCrypt.php
wfCurlInterceptor.php
wfDB.php
wfDashboard.php
wfDateLocalization.php
wfDeactivationOption.php
wfDiagnostic.php
wfDict.php
wfDirectoryIterator.php
wfFileUtils.php
wfHelperBin.php
wfHelperString.php
wfIPWhitelist.php
wfImportExportController.php
wfInvalidPathException.php
wfIpLocation.php
wfIpLocator.php
wfIssues.php
wfJWT.php
wfLicense.php
wfLockedOut.php
wfLog.php
wfMD5BloomFilter.php
wfModuleController.php
wfNotification.php
wfOnboardingController.php
wfPersistenceController.php
wfRESTAPI.php
wfScan.php
wfScanEngine.php
wfScanEntrypoint.php
wfScanFile.php
wfScanFileLink.php
wfScanMonitor.php
wfScanPath.php
wfSchema.php
wfStyle.php
wfSupportController.php
wfUnlockMsg.php
wfUpdateCheck.php
wfUtils.php
wfVersionCheckController.php
wfView.php
wfViewResult.php
wfWebsite.php
wordfenceClass.php
wordfenceConstants.php
wordfenceHash.php
wordfenceScanner.php
wordfenceURLHoover.php
Create New File
Create
Edit File: wfActivityReport.php
<?php if (defined('WORDFENCE_VERSION')) { class wfActivityReport { const BLOCK_TYPE_COMPLEX = 'complex'; const BLOCK_TYPE_BRUTE_FORCE = 'bruteforce'; const BLOCK_TYPE_BLACKLIST = 'blacklist'; /** * @var int */ private $limit = 10; /** * @var wpdb */ private $db; /** * @param int $limit */ public function __construct($limit = 10) { global $wpdb; $this->db = $wpdb; $this->limit = $limit; } /** * Schedule the activity report cron job. */ public static function scheduleCronJob() { self::clearCronJobs(); if (!wfConfig::get('email_summary_enabled', 1)) { return; } if (is_main_site()) { list(, $end_time) = wfActivityReport::getReportDateRange(); wp_schedule_single_event($end_time, 'wordfence_email_activity_report'); } } /** * Remove the activity report cron job. */ public static function disableCronJob() { self::clearCronJobs(); } public static function clearCronJobs() { wp_clear_scheduled_hook('wordfence_email_activity_report'); } /** * Send out the report and reschedule the next report's cron job. */ public static function executeCronJob() { if (!wfConfig::get('email_summary_enabled', 1)) { return; } $emails = wfConfig::getAlertEmails(); if (count($emails)) { $report = new self(); $report->sendReportViaEmail($emails); } self::scheduleCronJob(); } /** * Output a compact version of the email for the WP dashboard. */ public static function outputDashboardWidget() { $report = new self(5); echo $report->toWidgetView(); } /** * @return array */ public static function getReportDateRange() { $interval = wfConfig::get('email_summary_interval', 'weekly'); $offset = get_option('gmt_offset'); return self::_getReportDateRange($interval, $offset); } /** * Testable code. * * @param string $interval * @param int $offset * @param null $time * @return array */ public static function _getReportDateRange($interval = 'weekly', $offset = 0, $time = null) { if ($time === null) { $time = time(); } $day = (int) gmdate('w', $time); $month = (int) gmdate("n", $time); $day_of_month = (int) gmdate("j", $time); $year = (int) gmdate("Y", $time); $start_time = 0; $end_time = 0; switch ($interval) { // Send a report 4pm every day case 'daily': $start_time = gmmktime(16, 0, 0, $month, $day_of_month, $year) + (-$offset * 60 * 60); $end_time = $start_time + 86400; break; // Send a report 4pm every Monday case 'weekly': $start_time = gmmktime(16, 0, 0, $month, $day_of_month - $day + 1, $year) + (-$offset * 60 * 60); $end_time = $start_time + (86400 * 7); break; // Send a report at 4pm the first of every month case 'monthly': $start_time = gmmktime(16, 0, 0, $month, 1, $year) + (-$offset * 60 * 60); $end_time = gmmktime(16, 0, 0, $month + 1, 1, $year) + (-$offset * 60 * 60); break; } return array($start_time, $end_time); } /** * @return int */ public static function getReportDateFrom() { $interval = wfConfig::get('email_summary_interval', 'weekly'); return self::_getReportDateFrom($interval); } /** * @param string $interval * @param null $time * @return int */ public static function _getReportDateFrom($interval = 'weekly', $time = null) { if ($time === null) { $time = time(); } // weekly $from = $time - (86400 * 7); switch ($interval) { case 'daily': $from = $time - 86400; break; // Send a report at 4pm the first of every month case 'monthly': $from = strtotime('-1 month', $time); break; } return $from; } /** * @return array */ public function getFullReport() { $start_time = microtime(true); $remainder = 0; $recent_firewall_activity = $this->getRecentFirewallActivity($this->limit, $remainder); return array( 'top_ips_blocked' => $this->getTopIPsBlocked($this->limit), 'top_countries_blocked' => $this->getTopCountriesBlocked($this->limit), 'top_failed_logins' => $this->getTopFailedLogins($this->limit), 'recent_firewall_activity' => $recent_firewall_activity, 'omitted_firewall_activity'=> $remainder, 'recently_modified_files' => $this->getRecentFilesModified($this->limit), 'updates_needed' => $this->getUpdatesNeeded(), 'microseconds' => microtime(true) - $start_time, ); } /** * @return array */ public function getWidgetReport() { $start_time = microtime(true); return array( 'top_ips_blocked' => $this->getTopIPsBlocked($this->limit), 'top_countries_blocked' => $this->getTopCountriesBlocked($this->limit), 'top_failed_logins' => $this->getTopFailedLogins($this->limit), 'updates_needed' => $this->getUpdatesNeeded(), 'microseconds' => microtime(true) - $start_time, ); } public function getBlockedCount($maxAgeDays = null, $grouping = null) { $maxAgeDays = (int) $maxAgeDays; if ($maxAgeDays <= 0) { $interval = 'FLOOR(UNIX_TIMESTAMP(DATE_SUB(NOW(), interval 7 day)) / 86400)'; switch (wfConfig::get('email_summary_interval', 'weekly')) { case 'daily': $interval = 'FLOOR(UNIX_TIMESTAMP(DATE_SUB(NOW(), interval 1 day)) / 86400)'; break; case 'monthly': $interval = 'FLOOR(UNIX_TIMESTAMP(DATE_SUB(NOW(), interval 1 month)) / 86400)'; break; } } else { $interval = 'FLOOR(UNIX_TIMESTAMP(DATE_SUB(NOW(), interval ' . $maxAgeDays . ' day)) / 86400)'; } //Possible values for blockType: throttle, manual, brute, fakegoogle, badpost, country, advanced, blacklist, waf $groupingWHERE = ''; switch ($grouping) { case self::BLOCK_TYPE_COMPLEX: $groupingWHERE = ' AND blockType IN ("fakegoogle", "badpost", "country", "advanced", "waf")'; break; case self::BLOCK_TYPE_BRUTE_FORCE: $groupingWHERE = ' AND blockType IN ("throttle", "brute")'; break; case self::BLOCK_TYPE_BLACKLIST: $groupingWHERE = ' AND blockType IN ("blacklist", "manual")'; break; } $table_wfBlockedIPLog = wfDB::networkTable('wfBlockedIPLog'); $count = $this->db->get_var(<<<SQL SELECT SUM(blockCount) as blockCount FROM {$table_wfBlockedIPLog} WHERE unixday >= {$interval}{$groupingWHERE} SQL ); return $count; } /** * @param int $limit * @return mixed */ public function getTopIPsBlocked($limit = 10, $maxAgeDays = null) { $maxAgeDays = (int) $maxAgeDays; if ($maxAgeDays <= 0) { $interval = 'FLOOR(UNIX_TIMESTAMP(DATE_SUB(NOW(), interval 7 day)) / 86400)'; switch (wfConfig::get('email_summary_interval', 'weekly')) { case 'daily': $interval = 'FLOOR(UNIX_TIMESTAMP(DATE_SUB(NOW(), interval 1 day)) / 86400)'; break; case 'monthly': $interval = 'FLOOR(UNIX_TIMESTAMP(DATE_SUB(NOW(), interval 1 month)) / 86400)'; break; } } else { $interval = 'FLOOR(UNIX_TIMESTAMP(DATE_SUB(NOW(), interval ' . $maxAgeDays . ' day)) / 86400)'; } $table_wfBlockedIPLog = wfDB::networkTable('wfBlockedIPLog'); $query=<<<SQL SELECT IP, countryCode, unixday, blockType, SUM(blockCount) as blockCount FROM {$table_wfBlockedIPLog} WHERE unixday >= {$interval} GROUP BY IP ORDER BY blockCount DESC LIMIT %d SQL; $results = $this->db->get_results($this->db->prepare($query, $limit)); if ($results) { foreach ($results as &$row) { $row->countryName = $this->getCountryNameByCode($row->countryCode); } } return $results; } /** * @param int $limit * @return array */ public function getTopCountriesBlocked($limit = 10, $maxAgeDays = null) { $maxAgeDays = (int) $maxAgeDays; if ($maxAgeDays <= 0) { $interval = 'FLOOR(UNIX_TIMESTAMP(DATE_SUB(NOW(), interval 7 day)) / 86400)'; switch (wfConfig::get('email_summary_interval', 'weekly')) { case 'daily': $interval = 'FLOOR(UNIX_TIMESTAMP(DATE_SUB(NOW(), interval 1 day)) / 86400)'; break; case 'monthly': $interval = 'FLOOR(UNIX_TIMESTAMP(DATE_SUB(NOW(), interval 1 month)) / 86400)'; break; } } else { $interval = 'FLOOR(UNIX_TIMESTAMP(DATE_SUB(NOW(), interval ' . $maxAgeDays . ' day)) / 86400)'; } $table_wfBlockedIPLog = wfDB::networkTable('wfBlockedIPLog'); $query=<<<SQL SELECT *, COUNT(IP) as totalIPs, SUM(ipBlockCount) as totalBlockCount FROM (SELECT *, SUM(blockCount) AS ipBlockCount FROM {$table_wfBlockedIPLog} WHERE unixday >= {$interval} GROUP BY IP) t GROUP BY countryCode ORDER BY totalBlockCount DESC LIMIT %d SQL; $results = $this->db->get_results($this->db->prepare($query, $limit)); if ($results) { foreach ($results as &$row) { $row->countryName = $this->getCountryNameByCode($row->countryCode); } } return $results; } /** * @param int $limit * @return mixed */ public function getTopFailedLogins($limit = 10) { $interval = 'UNIX_TIMESTAMP(DATE_SUB(NOW(), interval 7 day))'; switch (wfConfig::get('email_summary_interval', 'weekly')) { case 'daily': $interval = 'UNIX_TIMESTAMP(DATE_SUB(NOW(), interval 1 day))'; break; case 'monthly': $interval = 'UNIX_TIMESTAMP(DATE_SUB(NOW(), interval 1 month))'; break; } $table_wfLogins = wfDB::networkTable('wfLogins'); $failedLogins = $this->db->get_results($this->db->prepare(<<<SQL SELECT wfl.*, sum(wfl.fail) as fail_count FROM {$table_wfLogins} wfl WHERE wfl.fail = 1 AND wfl.ctime > $interval GROUP BY wfl.username ORDER BY fail_count DESC LIMIT %d SQL , $limit)); foreach ($failedLogins as &$login) { $exists = $this->db->get_var($this->db->prepare(<<<SQL SELECT !ISNULL(ID) FROM {$this->db->users} WHERE user_login = '%s' OR user_email = '%s' SQL , $login->username, $login->username)); $login->is_valid_user = $exists; } return $failedLogins; } /** * Returns any updates needs or false if everything is up to date. * * @return array|bool */ public function getUpdatesNeeded($useCachedValued = true) { $update_check = new wfUpdateCheck(); $needs_update = $update_check->checkAllUpdates($useCachedValued) ->needsAnyUpdates(); if ($needs_update) { return array( 'core' => $update_check->getCoreUpdateVersion(), 'plugins' => $update_check->getPluginUpdates(), 'themes' => $update_check->getThemeUpdates(), ); } return false; } /** * Returns list of firewall activity up to $limit number of entries. * * @param int $limit Max events to return in results * @param int $remainder * @return array */ public function getRecentFirewallActivity($limit, &$remainder) { $dateRange = wfActivityReport::getReportDateRange(); $recent_firewall_activity = new wfRecentFirewallActivity(null, max(604800, $dateRange[1] - $dateRange[0])); $recent_firewall_activity->run(); return $recent_firewall_activity->mostRecentActivity($limit, $remainder); } /** * Returns list of files modified within given timeframe. * * @todo Add option to configure the regex used to filter files allowed in this list. * @todo Add option to exclude directories (such as cache directories). * * @param string $directory Search for files within this directory * @param int $time_range One week * @param int $limit Max files to return in results * @param int $directory_limit Hard limit for number of files to search within a directory. * @return array */ public function getRecentFilesModified($limit = 300, $directory = ABSPATH, $time_range = 604800, $directory_limit = 20000) { $recently_modified = new wfRecentlyModifiedFiles($directory); $recently_modified->run(); return $recently_modified->mostRecentFiles($limit); } /** * Remove entries older than a month in the IP log. */ public function rotateIPLog() { $table_wfBlockedIPLog = wfDB::networkTable('wfBlockedIPLog'); $this->db->query(<<<SQL DELETE FROM {$table_wfBlockedIPLog} WHERE unixday < FLOOR(UNIX_TIMESTAMP(DATE_SUB(NOW(), interval 1 month)) / 86400) SQL ); } /** * @param mixed $ip_address * @param int|null $unixday */ public static function logBlockedIP($ip_address, $unixday = null, $type = null) { /** @var wpdb $wpdb */ global $wpdb; //Possible values for $type: throttle, manual, brute, fakegoogle, badpost, country, advanced, blacklist, waf if (wfUtils::isValidIP($ip_address)) { $ip_bin = wfUtils::inet_pton($ip_address); } else { $ip_bin = $ip_address; $ip_address = wfUtils::inet_ntop($ip_bin); } $blocked_table = wfDB::networkTable('wfBlockedIPLog'); $unixday_insert = 'FLOOR(UNIX_TIMESTAMP() / 86400)'; if (is_int($unixday)) { $unixday_insert = absint($unixday); } if ($type === null) { $type = 'generic'; } $country = wfUtils::IP2Country($ip_address); $wpdb->query($wpdb->prepare(<<<SQL INSERT INTO $blocked_table (IP, countryCode, blockCount, unixday, blockType) VALUES (%s, %s, 1, $unixday_insert, %s) ON DUPLICATE KEY UPDATE blockCount = blockCount + 1 SQL , $ip_bin, $country, $type)); } /** * @param $code * @return string */ public function getCountryNameByCode($code) { static $wfBulkCountries; if (!isset($wfBulkCountries)) { include(dirname(__FILE__) . '/wfBulkCountries.php'); } return array_key_exists($code, $wfBulkCountries) ? $wfBulkCountries[$code] : ""; } /** * @return wfActivityReportView */ public function toView() { return new wfActivityReportView('reports/activity-report', $this->getFullReport() + array( 'limit' => $this->getLimit(), )); } /** * @return wfActivityReportView */ public function toWidgetView() { return new wfActivityReportView('reports/activity-report', $this->getWidgetReport() + array( 'limit' => $this->getLimit(), )); } /** * @return wfActivityReportView */ public function toEmailView() { return new wfActivityReportView('reports/activity-report-email-inline', $this->getFullReport()); } /** * @param $email_addresses string|array * @return bool */ public function sendReportViaEmail($email_addresses) { $shortSiteURL = preg_replace('/^https?:\/\//i', '', site_url()); $content = $this->toEmailView()->__toString(); $success = true; if (is_string($email_addresses)) { $email_addresses = explode(',', $email_addresses); } foreach ($email_addresses as $email) { $uniqueContent = str_replace('<!-- ##UNSUBSCRIBE## -->', wp_kses(sprintf(/* translators: URL to the WordPress admin panel. */ __('No longer an administrator for this site? <a href="%s" target="_blank">Click here</a> to stop receiving security alerts.', 'wordfence'), wfUtils::getSiteBaseURL() . '?_wfsf=removeAlertEmail&jwt=' . wfUtils::generateJWT(array('email' => $email))), array('a'=>array('href'=>array(), 'target'=>array()))), $content); if (!wp_mail($email, sprintf(/* translators: 1. Site URL. 2. Localized date. */ __('Wordfence activity for %1$s on %2$s', 'wordfence'), date_i18n(get_option('date_format')), $shortSiteURL), $uniqueContent, 'Content-Type: text/html')) { $success = false; } } return $success; } /** * @return string * @throws wfViewNotFoundException */ public function render() { return $this->toView() ->render(); } /** * @return string */ public function __toString() { return $this->toView() ->__toString(); } /** * @return int */ public function getLimit() { return $this->limit; } /** * @param int $limit */ public function setLimit($limit) { $this->limit = $limit; } } class wfRecentFirewallActivity { private $activity = array(); private $max_fetch = 2000; private $time_range = 604800; public function __construct($max_fetch = null, $time_range = null) { if ($max_fetch !== null) { $this->max_fetch = $max_fetch; } if ($time_range !== null) { $this->time_range = $time_range; } } public function run() { global $wpdb; $table_wfHits = wfDB::networkTable('wfHits'); $results = $wpdb->get_results($wpdb->prepare(<<<SQL SELECT attackLogTime, IP, URL, UA, actionDescription, actionData FROM {$table_wfHits} WHERE action = 'blocked:waf' AND attackLogTime > (UNIX_TIMESTAMP() - %d) ORDER BY attackLogTime DESC LIMIT %d SQL , $this->time_range, $this->max_fetch)); if ($results) { foreach ($results as &$row) { $actionData = json_decode($row->actionData, true); if (!is_array($actionData) || !isset($actionData['paramKey']) || !isset($actionData['paramValue'])) { continue; } if (isset($actionData['failedRules']) && $actionData['failedRules'] == 'blocked') { $row->longDescription = __("Blocked because the IP is blocklisted", 'wordfence'); } else { $row->longDescription = sprintf(__("Blocked for %s", 'wordfence'), $row->actionDescription); } $paramKey = base64_decode($actionData['paramKey']); $paramValue = base64_decode($actionData['paramValue']); if (strlen($paramValue) > 100) { $paramValue = substr($paramValue, 0, 100) . '...'; } if (preg_match('/([a-z0-9_]+\.[a-z0-9_]+)(?:\[(.+?)\](.*))?/i', $paramKey, $matches)) { switch ($matches[1]) { case 'request.queryString': $row->longDescription = sprintf(__('Blocked for %1$s in query string: %2$s = %3$s', 'wordfence'), $row->actionDescription, $matches[2], $paramValue); break; case 'request.body': $row->longDescription = sprintf(__('Blocked for %1$s in POST body: %2$s = %3$s', 'wordfence'), $row->actionDescription, $matches[2], $paramValue); break; case 'request.cookie': $row->longDescription = sprintf(__('Blocked for %1$s in cookie: %2$s = %3$s', 'wordfence'), $row->actionDescription, $matches[2], $paramValue); break; case 'request.fileNames': $row->longDescription = sprintf(__('Blocked for %1$s in file: %2$s = %3$s', 'wordfence'), $row->actionDescription, $matches[2], $paramValue); break; } } } } $this->activity = $results; } public function mostRecentActivity($limit, &$remainder = null) { if ($remainder !== null) { $remainder = count($this->activity) - $limit; } return array_slice($this->activity, 0, $limit); } } class wfRecentlyModifiedFiles extends wfDirectoryIterator { /** * @var int */ private $time_range = 604800; /** * @var array */ private $files = array(); private $excluded_directories; /** * @param string $directory * @param int $max_files_per_directory * @param int $max_iterations * @param int $time_range */ public function __construct($directory = ABSPATH, $max_files_per_directory = 20000, $max_iterations = 250000, $time_range = 604800) { parent::__construct($directory, $max_files_per_directory, $max_iterations); $this->time_range = $time_range; $excluded_directories = explode("\n", wfUtils::cleanupOneEntryPerLine(wfConfig::get('email_summary_excluded_directories', ''))); $this->excluded_directories = array(); foreach ($excluded_directories as $index => $path) { if (($dir = realpath(ABSPATH . $path)) !== false) { $this->excluded_directories[$dir] = 1; } } } /** * @param $dir * @return bool */ protected function scan($dir) { if (!array_key_exists(realpath($dir), $this->excluded_directories)) { return parent::scan($dir); } return true; } /** * @param string $file */ public function file($file) { $mtime = filemtime($file); if (time() - $mtime < $this->time_range) { $this->files[] = array($file, $mtime); } } /** * @param int $limit * @return array */ public function mostRecentFiles($limit = 300) { usort($this->files, array( $this, '_sortMostRecentFiles', )); return array_slice($this->files, 0, $limit); } /** * Sort in descending order. * * @param $a * @param $b * @return int */ private function _sortMostRecentFiles($a, $b) { if ($a[1] > $b[1]) { return -1; } if ($a[1] < $b[1]) { return 1; } return 0; } /** * @return mixed */ public function getFiles() { return $this->files; } } class wfActivityReportView extends wfView { /** * @param $file * @return string */ public function displayFile($file) { $realPath = realpath($file); if (stripos($realPath, ABSPATH) === 0) { return substr($realPath, strlen(ABSPATH)); } return $realPath; } /** * @param null $unix_time * @return string */ public function modTime($unix_time = null) { if ($unix_time === null) { $unix_time = time(); } return wfUtils::formatLocalTime('F j, Y g:ia', $unix_time); } public function attackTime($unix_time = null) { if ($unix_time === null) { $unix_time = time(); } return wfUtils::formatLocalTime('F j, Y', $unix_time) . "<br>" . wfUtils::formatLocalTime('g:ia', $unix_time); } public function displayIP($binaryIP) { $readableIP = wfUtils::inet_ntop($binaryIP); $country = wfUtils::countryCode2Name(wfUtils::IP2Country($readableIP)); return "{$readableIP} (" . ($country ? $country : __('Unknown', 'wordfence')) . ")"; } } }
Save Changes
Rename File
Rename