  1. <?php
  2. /**
  3. Plugin Name: Force Strong Passwords
  4. Plugin URI: https://github.com/boogah/Force-Strong-Passwords/
  5. Description: Forces privileged users to set a strong password.
  6. Version: 1.7
  7. Author: Jason Cosper
  8. Author URI: http://jasoncosper.com/
  9. License: GPLv2
  10. @package force-strong-passwords
  11. */
  12.  
  13. /**
  14. This program is free software; you can redistribute it and/or modify
  15. it under the terms of the GNU General Public License, version 2, as
  16. published by the Free Software Foundation.
  17.  
  18. This program is distributed in the hope that it will be useful,
  19. but WITHOUT ANY WARRANTY; without even the implied warranty of
  20. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  21. GNU General Public License for more details.
  22.  
  23. You should have received a copy of the GNU General Public License
  24. along with this program; if not, write to the Free Software
  25. Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
  26. */
  27. global $wp_version;
  28.  
  29.  
  30. // Make sure we don't expose any info if called directly.
  31. if ( ! function_exists( 'add_action' ) ) {
  32. _e( "Hi there! I'm just a plugin, not much I can do when called directly.", 'slt-force-strong-passwords' );
  33. exit;
  34. }
  35.  
  36.  
  37. /**
  38. Initialize constants.
  39. */
  40.  
  41. // Our plugin.
  42. define( 'FSP_PLUGIN_BASE', __FILE__ );
  43.  
  44. // Allow changing the version number in only one place (the header above).
  45. $plugin_data = get_file_data( FSP_PLUGIN_BASE, array( 'Version' => 'Version' ) );
  46. define( 'FSP_PLUGIN_VERSION', $plugin_data['Version'] );
  47.  
  48. /**
  49. * Use zxcvbn for versions 3.7 and above
  50. *
  51. * @since 1.3
  52. */
  53. define( 'SLT_FSP_USE_ZXCVBN', version_compare( round( $wp_version, 1 ), '3.7' ) >= 0 );
  54.  
  55. if ( ! defined( 'SLT_FSP_CAPS_CHECK' ) ) {
  56. /**
  57. * The default capabilities that will be checked for to trigger strong password enforcement
  58. *
  59. * @deprecated Please use the slt_fsp_caps_check filter to customize the capabilities check for enforcement
  60. * @since 1.1
  61. */
  62. define( 'SLT_FSP_CAPS_CHECK', 'publish_posts,upload_files,edit_published_posts' );
  63. }
  64.  
  65.  
  66. // Initialize other stuff.
  67. add_action( 'plugins_loaded', 'slt_fsp_init' );
  68. function slt_fsp_init() {
  69.  
  70. // Text domain for translation.
  71. load_plugin_textdomain( 'slt-force-strong-passwords', false, dirname( plugin_basename( __FILE__ ) ) . '/languages/' );
  72.  
  73. // Hooks.
  74. add_action( 'user_profile_update_errors', 'slt_fsp_validate_profile_update', 0, 3 );
  75. add_action( 'validate_password_reset', 'slt_fsp_validate_strong_password', 10, 2 );
  76. add_action( 'resetpass_form', 'slt_fsp_validate_resetpass_form', 10 );
  77.  
  78. if ( SLT_FSP_USE_ZXCVBN ) {
  79.  
  80. // Enforce zxcvbn check with JS by passing strength check through to server.
  81. add_action( 'admin_enqueue_scripts', 'slt_fsp_enqueue_force_zxcvbn_script' );
  82. add_action( 'login_enqueue_scripts', 'slt_fsp_enqueue_force_zxcvbn_script' );
  83.  
  84. }
  85.  
  86. }
  87.  
  88.  
  89. /**
  90. Enqueue force zxcvbn check script.
  91. */
  92. function slt_fsp_enqueue_force_zxcvbn_script() {
  93. wp_enqueue_script( 'slt-fsp-force-zxcvbn', plugins_url( 'force-zxcvbn.min.js', __FILE__ ), array( 'jquery' ), FSP_PLUGIN_VERSION );
  94. // Also change hint.
  95. wp_enqueue_script( 'slt-fsp-admin-js', plugins_url( 'js-admin.min.js', __FILE__ ), array( 'jquery' ), FSP_PLUGIN_VERSION );
  96. }
  97.  
  98.  
  99. /**
  100. * Check user profile update and throw an error if the password isn't strong.
  101. */
  102. function slt_fsp_validate_profile_update( $errors, $update, $user_data ) {
  103. return slt_fsp_validate_strong_password( $errors, $user_data );
  104. }
  105.  
  106. /**
  107. Check password reset form and throw an error if the password isn't strong.
  108. */
  109. function slt_fsp_validate_resetpass_form( $user_data ) {
  110. return slt_fsp_validate_strong_password( false, $user_data );
  111. }
  112.  
  113.  
  114. /**
  115. Functionality used by both user profile and reset password validation.
  116. */
  117. function slt_fsp_validate_strong_password( $errors, $user_data ) {
  118. $password_ok = true;
  119. $enforce = true;
  120. $password = ( isset( $_POST['pass1'] ) && trim( $_POST['pass1'] ) ) ? sanitize_text_field( $_POST['pass1'] ) : false;
  121. $role = isset( $_POST['role'] ) ? sanitize_text_field( $_POST['role'] ) : false;
  122. $user_id = isset( $user_data->ID ) ? sanitize_text_field( $user_data->ID ) : false;
  123. $username = isset( $_POST['user_login'] ) ? sanitize_text_field( $_POST['user_login'] ) : $user_data->user_login ;
  124.  
  125. // No password set?
  126. // Already got a password error?
  127. if ( ( false === $password ) || ( is_wp_error( $errors ) && $errors->get_error_data( 'pass' ) ) ) {
  128. return $errors;
  129. }
  130.  
  131. // Should a strong password be enforced for this user?
  132. if ( $user_id ) {
  133.  
  134. // User ID specified.
  135. $enforce = slt_fsp_enforce_for_user( $user_id );
  136.  
  137. } else {
  138.  
  139. // No ID yet, adding new user - omit check for "weaker" roles.
  140. if ( $role && in_array( $role, apply_filters( 'slt_fsp_weak_roles', array( 'subscriber', 'contributor' ) ) ) ) {
  141. $enforce = false;
  142. }
  143. }
  144.  
  145. // Enforce?
  146. if ( $enforce ) {
  147.  
  148. // Using zxcvbn?
  149. if ( SLT_FSP_USE_ZXCVBN ) {
  150.  
  151. // Check the strength passed from the zxcvbn meter.
  152. $compare_strong = html_entity_decode( __( 'strong' ), ENT_QUOTES, 'UTF-8' );
  153. $compare_strong_reset = html_entity_decode( __( 'hide-if-no-js strong' ), ENT_QUOTES, 'UTF-8' );
  154. if ( ! in_array( $_POST['slt-fsp-pass-strength-result'] , array( null, $compare_strong, $compare_strong_reset ) ) ) {
  155. $password_ok = false;
  156. }
  157. } else {
  158.  
  159. // Old-style check.
  160. if ( slt_fsp_password_strength( $password, $username ) !== 4 ) {
  161. $password_ok = false;
  162. }
  163. }
  164. }
  165.  
  166. // Error?
  167. if ( ! $password_ok && is_wp_error( $errors ) ) { // Is this a WP error object?
  168. $errors->add( 'pass', apply_filters( 'slt_fsp_error_message', __( '<strong>ERROR</strong>: Please make the password a strong one.', 'slt-force-strong-passwords' ) ) );
  169. }
  170.  
  171. return $errors;
  172. }
  173.  
  174.  
  175. /**
  176. * Check whether the given WP user should be forced to have a strong password
  177. *
  178. * Tests on basic capabilities that can compromise a site. Doesn't check on higher capabilities.
  179. * It's assumed the someone who can't publish_posts won't be able to update_core!
  180. *
  181. * @since 1.1
  182. * @uses SLT_FSP_CAPS_CHECK
  183. * @uses apply_filters()
  184. * @uses user_can()
  185. * @param int $user_id A user ID.
  186. * @return boolean
  187. */
  188. function slt_fsp_enforce_for_user( $user_id ) {
  189. $enforce = true;
  190.  
  191. // Force strong passwords from network admin screens.
  192. if ( is_network_admin() ) {
  193. return $enforce;
  194. }
  195.  
  196. $check_caps = explode( ',', SLT_FSP_CAPS_CHECK );
  197. $check_caps = apply_filters( 'slt_fsp_caps_check', $check_caps );
  198. $check_caps = (array) $check_caps;
  199. if ( ! empty( $check_caps ) ) {
  200. $enforce = false; // Now we won't enforce unless the user has one of the caps specified.
  201. foreach ( $check_caps as $cap ) {
  202. if ( user_can( $user_id, $cap ) ) {
  203. $enforce = true;
  204. break;
  205. }
  206. }
  207. }
  208. return $enforce;
  209. }
  210.  
  211.  
  212. /**
  213. * Check for password strength - based on JS function in pre-3.7 WP core: /wp-admin/js/password-strength-meter.js
  214. *
  215. * @since 1.0
  216. * @param string $i The password.
  217. * @param string $f The user's username.
  218. * @return integer 1 = very weak; 2 = weak; 3 = medium; 4 = strong
  219. */
  220. function slt_fsp_password_strength( $i, $f ) {
  221. $h = 1;
  222. $e = 2;
  223. $b = 3;
  224. $a = 4;
  225. $d = 0;
  226. $g = null;
  227. $c = null;
  228. if ( strlen( $i ) < 4 ) {
  229. return $h;
  230. }
  231. if ( strtolower( $i ) === strtolower( $f ) ) {
  232. return $e;
  233. }
  234. if ( preg_match( '/[0-9]/', $i ) ) {
  235. $d += 10;
  236. }
  237. if ( preg_match( '/[a-z]/', $i ) ) {
  238. $d += 26;
  239. }
  240. if ( preg_match( '/[A-Z]/', $i ) ) {
  241. $d += 26;
  242. }
  243. if ( preg_match( '/[^a-zA-Z0-9]/', $i ) ) {
  244. $d += 31;
  245. }
  246. $g = log( pow( $d, strlen( $i ) ) );
  247. $c = $g / log( 2 );
  248. if ( $c < 40 ) {
  249. return $e;
  250. }
  251. if ( $c < 56 ) {
  252. return $b;
  253. }
  254. return $a;
  255. }