Changeset 3492916

Timestamp:

03/27/2026 06:40:02 PM (14 hours ago)

Author:

supersoju

Message:

version 1.1 changes

Location:

block-logins-cf/trunk

Files:

• block-logins-cf.php (modified) (29 diffs)
• readme.txt (modified) (7 diffs)

block-logins-cf/trunk/block-logins-cf.php

@@ -4 +4 @@
  * Plugin URI: https://github.com/supersoju/block-logins-cf
  * Description: Blocks failed login attempts directly through Cloudflare.
- * Version: 1.0
+ * Version: 1.1
  * Author: supersoju
  * Author URI: https://supersoju.com
@@ -142 +142 @@
     // Check if IP should be blocked
     if ($failed_attempts >= $max_attempts) {
+        $auto_unblock_expiry = intval($settings['auto_unblock_hours'] ?? 24) * HOUR_IN_SECONDS;
+        set_transient("cfblocklogins_block_source_$ip", 'login', $auto_unblock_expiry);
         cfblocklogins_block_ip($ip);
         cfblocklogins_log_error("IP blocked after reaching attempt threshold", [
@@ -167 +169 @@
 function cfblocklogins_increment_failed_attempts_atomic($target, $settings, $type = 'ip') {
     $lock_key = "cfblocklogins_lock_{$type}_{$target}";
-    $attempt_key = "cfblocklogins_failed_login" . ($type === 'subnet' ? '_subnet' : '') . "_{$target}";
+    if ($type === 'subnet') {
+        $type_suffix = '_subnet';
+    } elseif ($type === 'xmlrpc') {
+        $type_suffix = '_xmlrpc';
+    } elseif ($type === 'notfound') {
+        $type_suffix = '_notfound';
+    } else {
+        $type_suffix = '';
+    }
+    $attempt_key = "cfblocklogins_failed_login{$type_suffix}_{$target}";
     $block_duration = intval($settings['block_duration'] ?? 60);
     $lock_timeout = 5; // 5 second lock timeout
@@ -359 +370 @@
 
     cfblocklogins_log_error("Successfully blocked subnet via Cloudflare", ['subnet' => $subnet, 'rule_id' => $api_result['result']['id'] ?? 'unknown']);
+    return true;
+}
+
+/**
+ * Fetch blocked IPs from Cloudflare that were created by this plugin.
+ *
+ * @return array{results: array, capped: bool}|WP_Error
+ */
+function cfblocklogins_fetch_cf_blocked_ips() {
+    $credentials = cfblocklogins_get_api_credentials();
+    $email   = $credentials['email']   ?? '';
+    $api_key = $credentials['api_key'] ?? '';
+    $zone_id = $credentials['zone_id'] ?? '';
+
+    if (!$email || !$api_key || !$zone_id) {
+        return new WP_Error(
+            'missing_credentials',
+            __('Cloudflare credentials are not configured. Please check your settings.', 'block-logins-cf')
+        );
+    }
+
+    $results   = [];
+    $page      = 1;
+    $max_pages = 5;
+    $capped    = false;
+
+    while ($page <= $max_pages) {
+        $url      = "https://api.cloudflare.com/client/v4/zones/{$zone_id}/firewall/access_rules/rules?mode=block&per_page=100&page={$page}";
+        $response = wp_remote_get($url, [
+            'headers' => [
+                'X-Auth-Email' => $email,
+                'X-Auth-Key'   => $api_key,
+                'Content-Type' => 'application/json',
+            ],
+            'timeout' => 15,
+        ]);
+
+        $data = cfblocklogins_validate_api_response($response, "fetch_cf_blocked_ips:page_{$page}");
+        if ($data === false) {
+            return new WP_Error(
+                'api_error',
+                __('Failed to retrieve blocked IPs from Cloudflare. Please check your credentials and try again.', 'block-logins-cf')
+            );
+        }
+
+        $rules = $data['result'] ?? [];
+        if (empty($rules)) {
+            break;
+        }
+
+        foreach ($rules as $rule) {
+            $notes  = sanitize_text_field($rule['notes'] ?? '');
+            if (strpos($notes, 'Auto-generated by Block Logins CF plugin') === false) {
+                continue;
+            }
+            $config   = $rule['configuration'] ?? [];
+            $ip_value = $config['value']        ?? '';
+            $target   = $config['target']       ?? 'ip';
+            if (!$ip_value) {
+                continue;
+            }
+            $results[] = [
+                'value'   => $ip_value,
+                'target'  => $target,
+                'rule_id' => $rule['id'] ?? '',
+                'notes'   => $notes,
+            ];
+        }
+
+        $total_pages = intval($data['result_info']['total_pages'] ?? 1);
+        if ($page >= $total_pages) {
+            break;
+        }
+
+        $page++;
+    }
+
+    if ($page > $max_pages) {
+        $capped = true;
+    }
+
+    return ['results' => $results, 'capped' => $capped];
+}
+
+/**
+ * Create local transients for a blocked IP/subnet without calling the Cloudflare API.
+ * Used when importing rules that already exist in Cloudflare.
+ *
+ * @param string $ip IP address or CIDR subnet.
+ * @return bool True on success, false if $ip fails validation.
+ */
+function cfblocklogins_create_local_block($ip) {
+    if (!cfblocklogins_validate_ip_or_cidr($ip)) {
+        return false;
+    }
+
+    $settings             = get_option('cfblocklogins_settings', []);
+    $auto_unblock_hours   = intval($settings['auto_unblock_hours'] ?? 24);
+    $auto_unblock_seconds = $auto_unblock_hours * 3600;
+
+    set_transient("cfblocklogins_block_login_$ip", '1', $auto_unblock_seconds);
+    set_transient("cfblocklogins_block_login_time_$ip", time(), $auto_unblock_seconds);
+
+    wp_cache_delete('cfblocklogins_blocked_ip_transients', 'block-logins-cf');
+    wp_cache_delete('cfblocklogins_blocked_ip_transients_cron', 'block-logins-cf');
+
     return true;
 }
@@ -476 +593 @@
         ]);
 
+        // Clear cached token validation so the next page load re-checks with the new token
+        $cache_key = 'cfblocklogins_token_valid_' . substr(md5($input['api_key']), 0, 8);
+        delete_transient($cache_key);
+
         // Encrypt sensitive credentials before saving
         return cfblocklogins_encrypt_api_credentials($new_settings);
@@ -490 +611 @@
         'xmlrpc_max_attempts' => intval($input['xmlrpc_max_attempts'] ?? ($current['xmlrpc_max_attempts'] ?? 3)),
         'xmlrpc_block_duration' => intval($input['xmlrpc_block_duration'] ?? ($current['xmlrpc_block_duration'] ?? 300)),
+        'enable_404_blocking'   => !empty($input['enable_404_blocking']) ? 1 : 0,
+        '404_max_attempts'      => max(1, intval($input['404_max_attempts'] ?? ($current['404_max_attempts'] ?? 20))),
+        '404_time_window'       => max(60, intval($input['404_time_window'] ?? ($current['404_time_window'] ?? 300))),
         'whitelist' => $input['whitelist'], // preserve whitelist
     ]);
@@ -519 +643 @@
             xmlrpcCheckbox.addEventListener('change', function() {
                 xmlrpcRow.style.display = this.checked ? '' : 'none';
+            });
+        }
+
+        var notfoundCheckbox = document.getElementById('enable_404_blocking');
+        var notfoundRow = document.getElementById('notfound-settings-row');
+        if (notfoundCheckbox && notfoundRow) {
+            notfoundCheckbox.addEventListener('change', function() {
+                notfoundRow.style.display = this.checked ? '' : 'none';
             });
         }
@@ -648 +780 @@
                     </td>
                 </tr>
+                <tr valign="top">
+                    <th scope="row" colspan="2"><strong><?php esc_html_e('404 Scan Protection', 'block-logins-cf'); ?></strong></th>
+                </tr>
+                <tr valign="top">
+                    <th scope="row"><?php esc_html_e('Enable 404 Blocking', 'block-logins-cf'); ?></th>
+                    <td>
+                        <label>
+                            <input type="checkbox" id="enable_404_blocking" name="cfblocklogins_settings[enable_404_blocking]" value="1" <?php checked(!empty($options['enable_404_blocking'])); ?> />
+                            <?php esc_html_e('Block IPs that generate too many 404 responses.', 'block-logins-cf'); ?>
+                        </label>
+                        <p class="description">
+                            <?php esc_html_e('Note: Automattic services (WordPress.com, Jetpack, VaultPress) and logged-in users are automatically excluded.', 'block-logins-cf'); ?>
+                        </p>
+                    </td>
+                </tr>
+                <tr valign="top" id="notfound-settings-row" <?php if (empty($options['enable_404_blocking'])) echo 'style="display:none;"'; ?>>
+                    <th scope="row"><?php esc_html_e('404 Block Settings', 'block-logins-cf'); ?></th>
+                    <td>
+                        <p>
+                            <?php esc_html_e('Block after', 'block-logins-cf'); ?>
+                            <input type="number" min="1" style="width:70px;" name="cfblocklogins_settings[404_max_attempts]" value="<?php echo esc_attr($options['404_max_attempts'] ?? 20); ?>" />
+                            <?php esc_html_e('404 responses within', 'block-logins-cf'); ?>
+                            <input type="number" min="60" style="width:90px;" name="cfblocklogins_settings[404_time_window]" value="<?php echo esc_attr($options['404_time_window'] ?? 300); ?>" />
+                            <?php esc_html_e('seconds', 'block-logins-cf'); ?>
+                        </p>
+                        <p class="description">
+                            <?php esc_html_e('404 blocking uses separate thresholds from regular login blocking.', 'block-logins-cf'); ?>
+                        </p>
+                    </td>
+                </tr>
             </table>
             <?php submit_button(esc_html__('Save Settings', 'block-logins-cf')); ?>
@@ -655 +817 @@
         <h2><?php esc_html_e('Cloudflare API Credentials', 'block-logins-cf'); ?></h2>
         <?php
-        // Validate credentials again for display
+        // Validate credentials again for display (cached for 5 minutes to avoid throttling)
         $valid = false;
         $debug = '';
-        if (!empty($options['api_key'])) {
-            $url = "https://api.cloudflare.com/client/v4/user/tokens/verify";
-            $response = wp_remote_get($url, [
-                'headers' => [
-                    'Authorization' => 'Bearer ' . $options['api_key'],
-                    'Content-Type' => 'application/json',
-                ],
-                'timeout' => 10,
-            ]);
-
-            $api_result = cfblocklogins_validate_api_response($response, 'token_verify_display');
-            $valid = ($api_result !== false);
-            if (!$valid) {
-                $body = wp_remote_retrieve_body($response);
-                $debug_msg = is_wp_error($response) ? $response->get_error_message() : substr($body, 0, 200);
-                $debug = '<pre>' . esc_html($debug_msg) . '</pre>';
+        if (!empty($decrypted_options['api_key'])) {
+            $cache_key = 'cfblocklogins_token_valid_' . substr(md5($decrypted_options['api_key']), 0, 8);
+            $cached = get_transient($cache_key);
+            if ($cached !== false) {
+                $valid = ( 'valid' === $cached );
+            } else {
+                $url = "https://api.cloudflare.com/client/v4/user/tokens/verify";
+                $response = wp_remote_get($url, [
+                    'headers' => [
+                        'Authorization' => 'Bearer ' . $decrypted_options['api_key'],
+                        'Content-Type' => 'application/json',
+                    ],
+                    'timeout' => 10,
+                ]);
+
+                $api_result = cfblocklogins_validate_api_response($response, 'token_verify_display');
+                $valid = ($api_result !== false);
+                set_transient($cache_key, $valid ? 'valid' : 'invalid', 5 * MINUTE_IN_SECONDS);
+                if (!$valid) {
+                    $body = wp_remote_retrieve_body($response);
+                    $debug_msg = is_wp_error($response) ? $response->get_error_message() : substr($body, 0, 200);
+                    $debug = '<pre>' . esc_html($debug_msg) . '</pre>';
+                }
             }
         }
@@ -708 +877 @@
         $settings['last_whitelist_update'] = time(); // Optional: track last update time
         $settings['whitelist'][] = $ip;
-        $result = update_option('cfblocklogins_settings', $settings);
+        update_option('cfblocklogins_settings', $settings);
         wp_cache_delete('cfblocklogins_settings', 'options');
     }
@@ -717 +886 @@
     if (isset($settings['whitelist']) && is_array($settings['whitelist'])) {
         $settings['whitelist'] = array_diff($settings['whitelist'], [$ip]);
-        $result = update_option('cfblocklogins_settings', $settings);
+        update_option('cfblocklogins_settings', $settings);
         wp_cache_delete('cfblocklogins_settings', 'options');
     }
@@ -727 +896 @@
         wp_die(esc_html__('You do not have sufficient permissions to access this page.', 'block-logins-cf'));
     }
+
+    $cf_only_ips    = null;
+    $cf_sync_error  = null;
+    $cf_sync_capped = false;
 
     // Handle unblock
@@ -746 +919 @@
         }
         $ip = sanitize_text_field(wp_unslash($_POST['cfblocklogins_whitelist_ip']));
-        if (filter_var($ip, FILTER_VALIDATE_IP)) {
+        if (cfblocklogins_validate_ip_or_cidr($ip)) {
             cfblocklogins_add_to_whitelist($ip);
-            echo '<div class="updated"><p>Whitelisted IP: ' . esc_html($ip) . '</p></div>';
+            echo '<div class="updated"><p>Whitelisted: ' . esc_html($ip) . '</p></div>';
         } else {
-            echo '<div class="error"><p>Invalid IP address.</p></div>';
+            echo '<div class="error"><p>Invalid IP address or CIDR notation.</p></div>';
         }
     }
@@ -777 +950 @@
     }
 
+    // Handle Cloudflare sync fetch
+    if (isset($_POST['cfblocklogins_fetch_cf_ips']) && check_admin_referer('cfblocklogins_fetch_cf_ips_action')) {
+        if (!current_user_can('manage_options')) {
+            wp_die(esc_html__('You do not have sufficient permissions to perform this action.', 'block-logins-cf'));
+        }
+        $fetch_result = cfblocklogins_fetch_cf_blocked_ips();
+        if (is_wp_error($fetch_result)) {
+            $cf_sync_error = $fetch_result->get_error_message();
+        } else {
+            $cf_sync_capped = $fetch_result['capped'];
+            $cf_only_ips    = [];
+            foreach ($fetch_result['results'] as $rule) {
+                $ip = sanitize_text_field($rule['value']);
+                if (!cfblocklogins_validate_ip_or_cidr($ip)) {
+                    continue; // Skip malformed rules
+                }
+                if (!get_transient("cfblocklogins_block_login_$ip")) {
+                    $cf_only_ips[] = $rule;
+                }
+            }
+        }
+    }
+
+    // Handle single IP import from Cloudflare
+    if (isset($_POST['cfblocklogins_import_cf_ip']) && check_admin_referer('cfblocklogins_import_cf_ip_action')) {
+        if (!current_user_can('manage_options')) {
+            wp_die(esc_html__('You do not have sufficient permissions to perform this action.', 'block-logins-cf'));
+        }
+        $ip = sanitize_text_field(wp_unslash($_POST['cfblocklogins_import_ip'] ?? ''));
+        if (cfblocklogins_create_local_block($ip)) {
+            wp_safe_redirect(admin_url('admin.php?page=block-logins-cf-blocked'));
+        } else {
+            wp_safe_redirect(admin_url('admin.php?page=block-logins-cf-blocked&cf_import_error=1'));
+        }
+        exit;
+    }
+
+    // Handle import all from Cloudflare
+    if (isset($_POST['cfblocklogins_import_all_cf_ips']) && check_admin_referer('cfblocklogins_import_all_cf_ips_action')) {
+        if (!current_user_can('manage_options')) {
+            wp_die(esc_html__('You do not have sufficient permissions to perform this action.', 'block-logins-cf'));
+        }
+        // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- sanitized in loop below
+        $raw_ips = isset($_POST['cfblocklogins_import_ips']) ? (array) wp_unslash($_POST['cfblocklogins_import_ips']) : [];
+        foreach ($raw_ips as $ip) {
+            cfblocklogins_create_local_block(sanitize_text_field($ip));
+        }
+        wp_safe_redirect(admin_url('admin.php?page=block-logins-cf-blocked'));
+        exit;
+    }
+
     // Find blocked IPs (transients)
     global $wpdb;
@@ -788 +1012 @@
             $wpdb->prepare(
                 "SELECT option_name FROM {$wpdb->options} WHERE option_name LIKE %s",
-                '_transient_cf_block_login_%'
+                '_transient_cfblocklogins_block_login_%'
             )
         );
@@ -796 +1020 @@
     foreach ($transients as $transient) {
         $name = $transient->option_name;
-        if (strpos($name, '_transient_cf_block_login_time_') === 0) {
+        if (strpos($name, '_transient_cfblocklogins_block_login_time_') === 0) {
             continue; // skip time transients
         }
-        $ip = str_replace('_transient_cf_block_login_', '', $name);
+        $ip = str_replace('_transient_cfblocklogins_block_login_', '', $name);
         $blocked_ips[] = $ip;
     }
@@ -808 +1032 @@
         <h1><?php esc_html_e('Blocked and Whitelisted IPs', 'block-logins-cf'); ?></h1>
         <h2><?php esc_html_e('Currently Blocked', 'block-logins-cf'); ?></h2>
+        <form method="post" style="margin-bottom:1em;">
+            <?php wp_nonce_field('cfblocklogins_fetch_cf_ips_action'); ?>
+            <input type="submit" name="cfblocklogins_fetch_cf_ips" class="button" value="<?php esc_attr_e('Sync from Cloudflare', 'block-logins-cf'); ?>">
+        </form>
+        <?php if (isset($_GET['cf_import_error']) && sanitize_text_field(wp_unslash($_GET['cf_import_error'])) === '1'): ?>
+            <div class="notice notice-error"><p><?php esc_html_e('Failed to import IP: invalid IP address or CIDR notation.', 'block-logins-cf'); ?></p></div>
+        <?php elseif ($cf_sync_error !== null): ?>
+            <div class="notice notice-error"><p><?php echo esc_html($cf_sync_error); ?></p></div>
+        <?php elseif ($cf_only_ips !== null && empty($cf_only_ips)): ?>
+            <div class="notice notice-success"><p><?php esc_html_e('No untracked IPs found in Cloudflare.', 'block-logins-cf'); ?></p></div>
+        <?php endif; ?>
         <table class="widefat">
             <thead>
                 <tr>
                     <th><?php esc_html_e('IP Address', 'block-logins-cf'); ?></th>
+                    <th><?php esc_html_e('Source', 'block-logins-cf'); ?></th>
                     <th><?php esc_html_e('Time Until Unblock', 'block-logins-cf'); ?></th>
                     <th><?php esc_html_e('Action', 'block-logins-cf'); ?></th>
@@ -818 +1054 @@
             <tbody>
                 <?php if (empty($blocked_ips)): ?>
-                    <tr><td colspan="3"><?php esc_html_e('No blocked IPs.', 'block-logins-cf'); ?></td></tr>
+                    <tr><td colspan="4"><?php esc_html_e('No blocked IPs.', 'block-logins-cf'); ?></td></tr>
                 <?php else: foreach ($blocked_ips as $ip): ?>
                     <tr>
                         <td><?php echo esc_html($ip); ?></td>
+                        <td>
+                            <?php
+                            $source = get_transient("cfblocklogins_block_source_$ip");
+                            $source_labels = [
+                                'notfound' => '<span style="background:#d63638;color:#fff;padding:2px 6px;border-radius:3px;font-size:11px;">404 Scan</span>',
+                                'xmlrpc'   => '<span style="background:#2271b1;color:#fff;padding:2px 6px;border-radius:3px;font-size:11px;">XML-RPC</span>',
+                                'login'    => '<span style="background:#1d2327;color:#fff;padding:2px 6px;border-radius:3px;font-size:11px;">Login</span>',
+                            ];
+                            echo wp_kses($source_labels[$source] ?? $source_labels['login'], ['span' => ['style' => []]]);
+                            ?>
+                        </td>
                         <td>
                             <?php
@@ -854 +1101 @@
             </tbody>
         </table>
-        
+
+        <?php if ($cf_only_ips !== null && !empty($cf_only_ips)): ?>
+        <h2><?php esc_html_e('Cloudflare-only IPs', 'block-logins-cf'); ?></h2>
+        <p><?php esc_html_e('These IPs are blocked in Cloudflare by this plugin but not tracked locally. Import them to sync.', 'block-logins-cf'); ?></p>
+        <?php if ($cf_sync_capped): ?>
+            <div class="notice notice-warning inline"><p><?php esc_html_e('Showing first 500 rules. Additional rules may exist in Cloudflare.', 'block-logins-cf'); ?></p></div>
+        <?php endif; ?>
+        <form method="post" style="margin-bottom:1em;">
+            <?php wp_nonce_field('cfblocklogins_import_all_cf_ips_action'); ?>
+            <?php foreach ($cf_only_ips as $rule): ?>
+                <input type="hidden" name="cfblocklogins_import_ips[]" value="<?php echo esc_attr($rule['value']); ?>">
+            <?php endforeach; ?>
+            <input type="submit" name="cfblocklogins_import_all_cf_ips" class="button button-primary" value="<?php esc_attr_e('Import All', 'block-logins-cf'); ?>">
+        </form>
+        <table class="widefat">
+            <thead>
+                <tr>
+                    <th><?php esc_html_e('IP Address', 'block-logins-cf'); ?></th>
+                    <th><?php esc_html_e('Notes', 'block-logins-cf'); ?></th>
+                    <th><?php esc_html_e('Action', 'block-logins-cf'); ?></th>
+                </tr>
+            </thead>
+            <tbody>
+                <?php foreach ($cf_only_ips as $rule): ?>
+                <tr>
+                    <td><?php echo esc_html($rule['value']); ?></td>
+                    <td><?php echo esc_html($rule['notes']); ?></td>
+                    <td>
+                        <form method="post" style="display:inline;">
+                            <?php wp_nonce_field('cfblocklogins_import_cf_ip_action'); ?>
+                            <input type="hidden" name="cfblocklogins_import_ip" value="<?php echo esc_attr($rule['value']); ?>">
+                            <input type="submit" name="cfblocklogins_import_cf_ip" class="button" value="<?php esc_attr_e('Import', 'block-logins-cf'); ?>">
+                        </form>
+                    </td>
+                </tr>
+                <?php endforeach; ?>
+            </tbody>
+        </table>
+        <?php endif; ?>
+
         <h3><?php esc_html_e('Manually Block an IP', 'block-logins-cf'); ?></h3>
         <form method="post">
@@ -889 +1175 @@
         <form method="post" style="margin-bottom:1em;">
             <?php wp_nonce_field('cfblocklogins_whitelist_ip_action'); ?>
-            <input type="text" name="cfblocklogins_whitelist_ip" placeholder="<?php esc_attr_e('Enter IP address', 'block-logins-cf'); ?>" required>
+            <input type="text" name="cfblocklogins_whitelist_ip" placeholder="<?php esc_attr_e('IP or CIDR (e.g., 192.168.1.0/24)', 'block-logins-cf'); ?>" required>
             <input type="submit" class="button" value="<?php esc_attr_e('Add to Whitelist', 'block-logins-cf'); ?>">
         </form>
+
+        <?php
+        $settings = get_option('cfblocklogins_settings', []);
+        if (!empty($settings['enable_404_blocking'])):
+            $today   = gmdate('Y-m-d');
+            $log_404 = get_transient("cfblocklogins_404_access_$today");
+            ?>
+        <hr>
+        <h2><?php esc_html_e('404 Activity Today', 'block-logins-cf'); ?></h2>
+        <?php if (empty($log_404)): ?>
+            <p><?php esc_html_e('No 404 activity recorded today.', 'block-logins-cf'); ?></p>
+        <?php else: ?>
+            <table class="widefat" style="margin-bottom:1em;max-width:500px;">
+                <tbody>
+                    <tr>
+                        <th><?php esc_html_e('Total requests today', 'block-logins-cf'); ?></th>
+                        <td><?php echo esc_html($log_404['total_requests']); ?></td>
+                    </tr>
+                    <tr>
+                        <th><?php esc_html_e('Unique IPs', 'block-logins-cf'); ?></th>
+                        <td><?php echo esc_html(count($log_404['unique_ips'])); ?></td>
+                    </tr>
+                    <tr>
+                        <th><?php esc_html_e('Top missing paths', 'block-logins-cf'); ?></th>
+                        <td>
+                            <?php foreach ($log_404['top_paths'] as $path => $count): ?>
+                                <code><?php echo esc_html($path); ?></code> (<?php echo esc_html($count); ?>)<br>
+                            <?php endforeach; ?>
+                        </td>
+                    </tr>
+                </tbody>
+            </table>
+
+            <?php if (!empty($log_404['per_ip'])): ?>
+            <h3><?php esc_html_e('Per-IP Breakdown', 'block-logins-cf'); ?></h3>
+            <table class="widefat">
+                <thead>
+                    <tr>
+                        <th><?php esc_html_e('IP Address', 'block-logins-cf'); ?></th>
+                        <th><?php esc_html_e('Requests today', 'block-logins-cf'); ?></th>
+                        <th><?php esc_html_e('Threshold', 'block-logins-cf'); ?></th>
+                        <th><?php esc_html_e('Status', 'block-logins-cf'); ?></th>
+                    </tr>
+                </thead>
+                <tbody>
+                    <?php
+                    $max_attempts = intval($settings['404_max_attempts'] ?? 20);
+                    uasort($log_404['per_ip'], fn($a, $b) => $b['count'] <=> $a['count']);
+                    foreach ($log_404['per_ip'] as $per_ip_addr => $per_ip_data):
+                        $count      = $per_ip_data['count'];
+                        $is_blocked = (bool) get_transient("cfblocklogins_block_login_$per_ip_addr");
+                        if ($is_blocked) {
+                            $status = '<span style="color:#d63638;font-weight:bold;">Blocked</span>';
+                        } elseif ($count >= $max_attempts * 0.75) {
+                            $status = '<span style="color:#d63638;">Approaching</span>';
+                        } else {
+                            $status = '<span style="color:#00a32a;">Normal</span>';
+                        }
+                    ?>
+                    <tr>
+                        <td><?php echo esc_html($per_ip_addr); ?></td>
+                        <td><?php echo esc_html($count); ?></td>
+                        <td><?php echo esc_html($max_attempts); ?></td>
+                        <td><?php echo wp_kses($status, ['span' => ['style' => []]]); ?></td>
+                    </tr>
+                    <?php endforeach; ?>
+                </tbody>
+            </table>
+            <?php endif; ?>
+        <?php endif; ?>
+        <?php endif; ?>
 
     </div>
@@ -904 +1261 @@
     }
     // For IPv6 or invalid, return false or handle as needed
+    return false;
+}
+
+// Validate IP address or CIDR notation
+function cfblocklogins_validate_ip_or_cidr($input) {
+    // Check if it's a plain IP address
+    if (filter_var($input, FILTER_VALIDATE_IP)) {
+        return true;
+    }
+
+    // Check if it's CIDR notation
+    if (strpos($input, '/') !== false) {
+        list($ip, $bits) = explode('/', $input, 2);
+
+        // Validate the IP part
+        if (!filter_var($ip, FILTER_VALIDATE_IP)) {
+            return false;
+        }
+
+        // Validate the prefix length
+        $bits = intval($bits);
+        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
+            // IPv4: prefix must be 0-32
+            return $bits >= 0 && $bits <= 32;
+        } elseif (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+            // IPv6: prefix must be 0-128
+            return $bits >= 0 && $bits <= 128;
+        }
+    }
+
     return false;
 }
@@ -1029 +1416 @@
 
     list($subnet, $bits) = explode('/', $range);
+    $bits = intval($bits);
 
     if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) &&
@@ -1040 +1428 @@
     }
 
-    // IPv6 support could be added here in the future
+    // IPv6 CIDR check
+    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) &&
+        filter_var($subnet, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+        // Convert IPv6 addresses to binary strings
+        $ip_bin = inet_pton($ip);
+        $subnet_bin = inet_pton($subnet);
+
+        if ($ip_bin === false || $subnet_bin === false) {
+            return false;
+        }
+
+        // Build the netmask binary string
+        $mask = str_repeat('f', intval($bits / 4));
+        $remainder = $bits % 4;
+        if ($remainder > 0) {
+            $mask .= dechex(0xf << (4 - $remainder) & 0xf);
+        }
+        $mask = str_pad($mask, 32, '0');
+        $mask_bin = pack('H*', $mask);
+
+        // Compare masked addresses
+        return ($ip_bin & $mask_bin) === ($subnet_bin & $mask_bin);
+    }
+
     return false;
 }
@@ -1232 +1643 @@
             $wpdb->prepare(
                 "SELECT option_name FROM {$wpdb->options} WHERE option_name LIKE %s",
-                '_transient_cf_block_login_%'
+                '_transient_cfblocklogins_block_login_%'
             )
         );
@@ -1240 +1651 @@
     foreach ($transients as $transient) {
         $name = $transient->option_name;
-        if (strpos($name, '_transient_cf_block_login_time_') === 0) {
+        if (strpos($name, '_transient_cfblocklogins_block_login_time_') === 0) {
             continue; // skip time transients
         }
-        $ip_or_subnet = str_replace('_transient_cf_block_login_', '', $name);
+        $ip_or_subnet = str_replace('_transient_cfblocklogins_block_login_', '', $name);
 
         // Check if this transient should be expired
@@ -1369 +1780 @@
     ]);
 }
+
+function cfblocklogins_log_404_access($ip) {
+    $today      = gmdate('Y-m-d');
+    $cache_key  = "cfblocklogins_404_access_$today";
+    $expiry     = 48 * HOUR_IN_SECONDS;
+
+    $log = get_transient($cache_key);
+    if (!is_array($log)) {
+        $log = [
+            'total_requests' => 0,
+            'unique_ips'     => [],
+            'top_paths'      => [],
+            'per_ip'         => [],
+            'first_seen'     => time(),
+            'last_seen'      => time(),
+        ];
+    }
+
+    // Get request path (strip query string)
+    $raw_uri = isset($_SERVER['REQUEST_URI']) ? sanitize_text_field(wp_unslash($_SERVER['REQUEST_URI'])) : '/';
+    $path    = explode('?', $raw_uri, 2)[0];
+
+    $log['total_requests']++;
+    $log['last_seen'] = time();
+
+    // Track unique IPs (cap at 100)
+    if (!in_array($ip, $log['unique_ips'], true) && count($log['unique_ips']) < 100) {
+        $log['unique_ips'][] = $ip;
+    }
+
+    // Track path counts (sort descending, keep top 10)
+    $log['top_paths'][$path] = ($log['top_paths'][$path] ?? 0) + 1;
+    arsort($log['top_paths']);
+    $log['top_paths'] = array_slice($log['top_paths'], 0, 10, true);
+
+    // Track per-IP counts (cap at 100 entries)
+    if (isset($log['per_ip'][$ip])) {
+        $log['per_ip'][$ip]['count']++;
+        $log['per_ip'][$ip]['last_seen'] = time();
+    } elseif (count($log['per_ip']) < 100) {
+        $log['per_ip'][$ip] = ['count' => 1, 'last_seen' => time()];
+    }
+
+    set_transient($cache_key, $log, $expiry);
+}
+
+function cfblocklogins_track_404() {
+    if (!is_404()) {
+        return;
+    }
+
+    if (is_user_logged_in()) {
+        return;
+    }
+
+    if (wp_doing_ajax() || (defined('REST_REQUEST') && REST_REQUEST)) {
+        return;
+    }
+
+    $settings = get_option('cfblocklogins_settings', []);
+
+    if (empty($settings['enable_404_blocking'])) {
+        return;
+    }
+
+    $ip = cfblocklogins_get_user_ip();
+
+    if (cfblocklogins_is_automattic_ip($ip)) {
+        return;
+    }
+
+    $whitelist = cfblocklogins_get_whitelist();
+    if (in_array($ip, $whitelist, true)) {
+        return;
+    }
+
+    if (cfblocklogins_check_if_blocked($ip)) {
+        return;
+    }
+
+    cfblocklogins_log_404_access($ip);
+
+    $max_attempts  = max(1, intval($settings['404_max_attempts'] ?? 20));
+    $time_window   = max(60, intval($settings['404_time_window'] ?? 300));
+
+    $result = cfblocklogins_increment_failed_attempts_atomic($ip, [
+        'block_duration' => $time_window,
+        'max_attempts'   => $max_attempts,
+    ], 'notfound');
+
+    if ($result && $result['attempts'] >= $max_attempts) {
+        $auto_unblock_expiry = intval($settings['auto_unblock_hours'] ?? 24) * HOUR_IN_SECONDS;
+        set_transient("cfblocklogins_block_source_$ip", 'notfound', $auto_unblock_expiry);
+        cfblocklogins_block_ip($ip);
+        cfblocklogins_log_error('IP blocked for 404 scanning', [
+            'ip'       => $ip,
+            'attempts' => $result['attempts'],
+            'threshold'=> $max_attempts,
+        ]);
+    }
+}
+add_action('template_redirect', 'cfblocklogins_track_404', 1);
 
 // Check if XML-RPC traffic suggests an attack
@@ -1490 +2003 @@
             delete_transient("cfblocklogins_xmlrpc_notification_shown_$today");
 
-            wp_redirect(admin_url('admin.php?page=block-logins-cf&xmlrpc_enabled=1'));
+            wp_safe_redirect(admin_url('admin.php?page=block-logins-cf&xmlrpc_enabled=1'));
             exit;
         }
@@ -1504 +2017 @@
             delete_transient("cfblocklogins_xmlrpc_notification_shown_$today");
 
-            wp_redirect(admin_url('admin.php?page=block-logins-cf&xmlrpc_dismissed=1'));
+            wp_safe_redirect(admin_url('admin.php?page=block-logins-cf&xmlrpc_dismissed=1'));
             exit;
         }
@@ -1551 +2064 @@
         // Check if this attempt should trigger blocking
         if ($attempts >= $max_attempts) {
+            $auto_unblock_expiry = intval($settings['auto_unblock_hours'] ?? 24) * HOUR_IN_SECONDS;
+            set_transient("cfblocklogins_block_source_$ip", 'xmlrpc', $auto_unblock_expiry);
             // Block the IP using existing function
             cfblocklogins_block_ip($ip);

block-logins-cf/trunk/readme.txt

@@ -5 +5 @@
 Tested up to: 7.0
 Requires PHP: 7.4
-Stable tag: 1.0
+Stable tag: 1.1
 License: GPL-2.0-or-later
 
@@ -15 +15 @@
 
 - Block IPs via Cloudflare after X failed login attempts
+- Block IPs that generate excessive 404 responses (bots and scanners)
+- Block IPs attacking via XML-RPC with intelligent detection
 - Automatic unblocking after a configurable duration
-- Whitelist IPs to never block or track them
+- Whitelist IPs to never block or track them (supports IPv6 CIDR ranges)
 - View and manually unblock blocked IPs from the admin
+- Block source tracking — see whether each IP was blocked via login, XML-RPC, or 404
+- Sync existing Cloudflare blocks into the local blocked IPs list
 - Secure settings page with Cloudflare API token validation
 - Hourly cron job for automatic maintenance
@@ -26 +30 @@
 
 **What is the Cloudflare API and what is it used for?**
-The Cloudflare API is a RESTful service provided by Cloudflare, Inc. that allows programmatic management of Cloudflare firewall rules. This plugin uses it to automatically block and unblock IP addresses based on failed login attempts.
+The Cloudflare API is a RESTful service provided by Cloudflare, Inc. that allows programmatic management of Cloudflare firewall rules. This plugin uses it to automatically block and unblock IP addresses based on failed login attempts, XML-RPC attacks, and 404 scanning activity.
 
 **What data is sent and when?**
@@ -35 +39 @@
    - Endpoint: `https://api.cloudflare.com/client/v4/user/tokens/verify`
 
-2. **When blocking an IP** (after failed login threshold is reached):
+2. **When blocking an IP** (after a threshold is reached):
    - The IP address to be blocked
    - Your Cloudflare email address and API key/token
@@ -42 +46 @@
    - Endpoint: `https://api.cloudflare.com/client/v4/zones/{zone_id}/firewall/access_rules/rules`
 
-No personally identifiable information about your WordPress users is transmitted. Only IP addresses of failed login attempts are sent to Cloudflare.
+3. **When syncing from Cloudflare** (on demand):
+   - Fetches existing firewall rules from your Cloudflare zone
+   - Endpoint: `https://api.cloudflare.com/client/v4/zones/{zone_id}/firewall/access_rules/rules`
+
+No personally identifiable information about your WordPress users is transmitted. Only IP addresses are sent to Cloudflare.
 
 **Service provider information:**
@@ -71 +79 @@
 This plugin blocks IPs at the Cloudflare firewall, stopping attacks before they reach your server.
 
+= What does 404 blocking protect against? =
+It detects bots and vulnerability scanners that probe your site by requesting many non-existent URLs. When an IP exceeds the configurable 404 threshold, it is blocked via Cloudflare just like a brute-force login attacker.
+
+= Can I sync blocks I already have in Cloudflare? =
+Yes. Use the "Sync from Cloudflare" button on the Blocked IPs page to import existing Cloudflare firewall rules into the plugin's local list.
+
+== Screenshots ==
+
+1. **Settings Page:** Configure your Cloudflare credentials, blocking thresholds, and auto-unblock duration.
+2. **Blocked IPs Management:** View currently blocked IPs with source tracking, unblock them, and manage your whitelist.
+3. **Whitelist Management:** Add or remove IP addresses (including IPv6 CIDR ranges) from the whitelist.
+
 == Changelog ==
+
+= 1.1 =
+* Added 404-based IP blocking to detect and block bots and vulnerability scanners
+* Added XML-RPC protection with intelligent attack detection
+* Added block source tracking — blocked IPs now show whether they were blocked via login, XML-RPC, or 404
+* Added 404 activity log in the Blocked IPs admin page
+* Added "Sync from Cloudflare" to import existing Cloudflare firewall rules into the local list
+* Added IPv6 CIDR range support in the IP whitelist
+* Added caching for Cloudflare API token validation to prevent throttling
 
 = 1.0 =
@@ -77 +106 @@
 
 == Upgrade Notice ==
+
+= 1.1 =
+Adds 404 blocking, XML-RPC protection, block source tracking, Cloudflare sync, and IPv6 CIDR whitelist support.
 
 = 1.0 =