<?php
class wfFirewall
{
const FIREWALL_MODE_DISABLED = 'disabled';
const FIREWALL_MODE_LEARNING = 'learning-mode';
const FIREWALL_MODE_ENABLED = 'enabled';
const PROTECTION_MODE_EXTENDED = 'extended';
const PROTECTION_MODE_BASIC = 'basic';
const RULE_MODE_COMMUNITY = 'community';
const RULE_MODE_PREMIUM = 'premium';
const BLACKLIST_MODE_DISABLED = 'disabled';
const BLACKLIST_MODE_ENABLED = 'enabled';
const UPDATE_FAILURE_RATELIMIT = 'ratelimit';
const UPDATE_FAILURE_UNREACHABLE = 'unreachable';
const UPDATE_FAILURE_FILESYSTEM = 'filesystem';
/**
* Returns a string suitable for display of the firewall status.
*
* @param null|string $status
* @param null|string $protection
* @return string
*/
public function displayText($status = null, $protection = null) {
if ($status === null) { $status = $this->firewallMode(); }
if ($protection === null) { $protection = $this->protectionMode(); }
switch ($status) {
case self::FIREWALL_MODE_ENABLED:
$statusText = __('Enabled', 'wordfence');
break;
case self::FIREWALL_MODE_LEARNING:
$statusText = __('Learning Mode', 'wordfence');
break;
default:
return __('Disabled', 'wordfence');
}
switch ($protection) {
case self::PROTECTION_MODE_EXTENDED:
$protectionText = __('Extended Protection', 'wordfence');
break;
default:
$protectionText = __('Basic Protection', 'wordfence');
break;
}
return sprintf('%s (%s)', $statusText, $protectionText);
}
/**
* Syncs the status from WAF to the wfConfig table if $toDatabase is true, the reverse if false.
*
* @param bool $toDatabase
*/
public function syncStatus($toDatabase = true) {
if ($toDatabase) {
try {
$status = wfWAF::getInstance()->getStorageEngine()->getConfig('wafStatus');
if (in_array($status, array(self::FIREWALL_MODE_DISABLED, self::FIREWALL_MODE_LEARNING, self::FIREWALL_MODE_ENABLED))) {
wfConfig::set('waf_status', $status);
}
}
catch (Exception $e) {
//Ignore
}
}
else {
try {
$status = wfConfig::get('waf_status');
if (in_array($status, array(self::FIREWALL_MODE_DISABLED, self::FIREWALL_MODE_LEARNING, self::FIREWALL_MODE_ENABLED))) {
wfWAF::getInstance()->getStorageEngine()->setConfig('wafStatus', $status);
}
}
catch (Exception $e) {
//Ignore
}
}
}
/**
* Tests the WAF configuration and returns true if successful.
*
* @return bool
*/
public function testConfig() {
try {
wfWAF::getInstance()->getStorageEngine()->isDisabled();
}
catch (Exception $e) {
return false;
}
return true;
}
/**
* Returns a normalized percentage (i.e., in the range [0, 1]) to the corresponding display percentage
* based on license type.
*
* @param float $percentage
* @param bool $adjust Whether or not to adjust the range to [0, 0.7]
* @return float
*/
protected function _normalizedPercentageToDisplay($percentage, $adjust = true) {
if (wfConfig::get('isPaid') || !$adjust) {
return round($percentage, 2);
}
return round($percentage * 0.70, 2);
}
/**
* Returns the percentage calculation of the overall firewall status, which is displayed under "Firewall"
* on the Dashboard page.
*
* @return float
*/
public function overallStatus() {
try {
$wafStatus = $this->wafStatus();
$bruteForceStatus = $this->bruteForceStatus();
$percentage = 0.0;
$percentage += $wafStatus * 0.80;
$percentage += $bruteForceStatus * 0.20;
return $this->_normalizedPercentageToDisplay($percentage, false);
}
catch (Exception $e) {
//Ignore, return 0%
}
return 0.0;
}
public function statusList($section = null) {
$statusList = array();
$wafStatusList = $this->wafStatusList($section);
$bruteForceStatusList = $this->bruteForceStatusList();
foreach ($wafStatusList as $entry) {
$entry['percentage'] *= 0.8;
$statusList[] = $entry;
}
foreach ($bruteForceStatusList as $entry) {
$entry['percentage'] *= 0.2;
$statusList[] = $entry;
}
return array_filter($statusList);
}
/**
* Returns the percentage calculation of the WAF status, which is displayed under "Web Application
* Firewall" on the Firewall page.
*
* @return float
*/
public function wafStatus() {
try {
$ruleStatus = $this->ruleStatus(true);
$blacklistStatus = $this->blacklistStatus();
$wafEnabled = !(!WFWAF_ENABLED || wfWAF::getInstance()->getStorageEngine()->isDisabled());
$extendedProtection = $wafEnabled && WFWAF_AUTO_PREPEND && !WFWAF_SUBDIRECTORY_INSTALL;
$rateLimitingAdvancedBlockingEnabled = wfConfig::get('firewallEnabled', 1);
if (!$wafEnabled) {
return 0.0;
}
$percentage = 0.0;
$percentage += $this->_normalizedPercentageToDisplay($ruleStatus * 0.35, true);
$percentage += $blacklistStatus * 0.35;
$percentage += ($extendedProtection ? 0.20 : 0.0);
$percentage += ($rateLimitingAdvancedBlockingEnabled ? 0.10 : 0.0);
return $this->_normalizedPercentageToDisplay($percentage, false);
}
catch (Exception $e) {
//Ignore, return 0%
}
return 0.0;
}
public function wafStatusList($section = null) {
$statusList = array();
try {
$wafEnabled = !(!WFWAF_ENABLED || wfWAF::getInstance()->getStorageEngine()->isDisabled());
if (!$wafEnabled) {
return array(
array(
'percentage' => 1.0,
'title' => __('Enable firewall.', 'wordfence'),
),
);
}
// Get percent of rules enabled.
$ruleStatus = $this->ruleStatusDescription(true);
$premiumStatus = array();
if (!wfConfig::get('isPaid')) {
$premiumStatus = array(
'percentage' => 0.30,
'title' => __('Enable Premium Rules.', 'wordfence'),
);
}
if ($section === 'rules') {
if ($ruleStatus) {
$ruleStatus['percentage'] = $this->_normalizedPercentageToDisplay($ruleStatus['percentage']);
}
return array_filter(array($ruleStatus, $premiumStatus));
}
if ($premiumStatus) {
$premiumStatus['percentage'] *= 0.35;
$premiumStatus['percentage'] = $this->_normalizedPercentageToDisplay($premiumStatus['percentage'], false);
}
if ($ruleStatus) {
$ruleStatus['percentage'] *= 0.35;
$ruleStatus['percentage'] = $this->_normalizedPercentageToDisplay($ruleStatus['percentage']);
}
$statusList = array_merge($statusList, array($ruleStatus), array($premiumStatus));
$blacklistStatus = $this->blacklistStatusDescription();
if ($section === 'blacklist') {
return array_filter(array($blacklistStatus));
}
if ($blacklistStatus) {
$blacklistStatus['percentage'] *= 0.35;
$blacklistStatus['percentage'] = $this->_normalizedPercentageToDisplay($blacklistStatus['percentage'], false);
}
$statusList = array_merge($statusList, array($blacklistStatus));
$extendedProtection = $wafEnabled && WFWAF_AUTO_PREPEND && !WFWAF_SUBDIRECTORY_INSTALL;
if (!$extendedProtection) {
$statusList[] = array(
'percentage' => $this->_normalizedPercentageToDisplay(0.20, false),
'title' => __('Optimize the Wordfence Firewall.', 'wordfence'),
);
}
$rateLimitingAdvancedBlockingEnabled = wfConfig::get('firewallEnabled', 1);
if (!$rateLimitingAdvancedBlockingEnabled) {
$statusList[] = array(
'percentage' => $this->_normalizedPercentageToDisplay(0.10, false),
'title' => __('Enable Rate Limiting and Advanced Blocking.', 'wordfence'),
);
}
return array_filter($statusList);
}
catch (Exception $e) {
//Ignore, return 0%
}
if (!WFWAF_OPERATIONAL) {
return array(array('percentage' => 1.0, 'title' => __('Repair the Wordfence Firewall configuration.', 'wordfence')));
}
return array();
}
/**
* Returns the status of the WAF.
*
* @return string
*/
public function firewallMode() {
try {
return (!WFWAF_ENABLED ? 'disabled' : wfWAF::getInstance()->getStorageEngine()->getConfig('wafStatus'));
}
catch (Exception $e) {
//Ignore
}
return self::FIREWALL_MODE_DISABLED;
}
/**
* Returns the current protection mode configured for the WAF.
*
* @return string
*/
public function protectionMode() {
if (defined('WFWAF_AUTO_PREPEND') && WFWAF_AUTO_PREPEND) {
return self::PROTECTION_MODE_EXTENDED;
}
return self::PROTECTION_MODE_BASIC;
}
/**
* Returns whether or not this installation is in a subdirectory of another WordPress site with the WAF already optimized.
*
* @return bool
*/
public function isSubDirectoryInstallation() {
if (defined('WFWAF_SUBDIRECTORY_INSTALL') && WFWAF_SUBDIRECTORY_INSTALL) {
return true;
}
return false;
}
/**
* Returns the percentage calculation of the firewall rule status, which is displayed under "Firewall Rules" on the
* Firewall page.
*
* The calculation is the number of rules enabled divided by the total number of rules. If the WAF is in learning
* mode, no rules are enforced, so it's clamped to 0%.
*
* @param bool $round Round the percentage (in the range [0, 1]) to be only whole percentages.
* @return float
*/
public function ruleStatus($round = false) {
try {
$wafEnabled = !(!WFWAF_ENABLED || wfWAF::getInstance()->getStorageEngine()->isDisabled());
if (!$wafEnabled) {
return 0.0;
}
/*$learningMode = !!wfWAF::getInstance()->isInLearningMode();
if ($learningMode) {
return 0.0;
}*/
$rules = wfWAF::getInstance()->getRules();
$disabledRules = (array) wfWAF::getInstance()->getStorageEngine()->getConfig('disabledRules');
/** @var wfWAFRule $rule */
$enabledCount = 0;
foreach ($rules as $ruleID => $rule) {
if (isset($disabledRules[$ruleID]) && $disabledRules[$ruleID]) {
continue;
}
$enabledCount++;
}
$percentEnabled = (count($rules) == 0 ? 0 : $enabledCount / count($rules));
if ($round) {
return round($percentEnabled, 2);
}
return $this->_normalizedPercentageToDisplay($percentEnabled);
}
catch (Exception $e) {
//Ignore, return 0%
}
return 0.0;
}
/**
* @param bool $round
* @return array
*/
public function ruleStatusDescription($round = false) {
try {
$wafEnabled = !(!WFWAF_ENABLED || wfWAF::getInstance()->getStorageEngine()->isDisabled());
if (!$wafEnabled) {
return array(
'percentage' => 1.0,
'title' => __('Enable firewall.', 'wordfence'),
);
}
/*$learningMode = !!wfWAF::getInstance()->isInLearningMode();
if ($learningMode) {
return 0.0;
}*/
$rules = wfWAF::getInstance()->getRules();
$disabledRules = (array) wfWAF::getInstance()->getStorageEngine()->getConfig('disabledRules');
/** @var wfWAFRule $rule */
$enabledCount = 0;
foreach ($rules as $ruleID => $rule) {
if (isset($disabledRules[$ruleID]) && $disabledRules[$ruleID]) {
continue;
}
$enabledCount++;
}
$percentEnabled = 1.0 - ((float) (count($rules) == 0 ? 0 : $enabledCount / count($rules)));
if ($percentEnabled === 0.0) {
return array();
}
$reenbleCount = count($rules) - $enabledCount;
return array(
'percentage' => ($round ? round($percentEnabled, 2) : $percentEnabled),
'title' => sprintf(_n('Re-enable %d firewall rule.', 'Re-enable %d firewall rules.', $reenbleCount, 'wordfence'), number_format_i18n($reenbleCount)),
);
}
catch (Exception $e) {
//Ignore, return 0%
}
return array(
'percentage' => 1.0,
'title' => __('Enable firewall.', 'wordfence'),
);
}
/**
* Returns the rule feed that is in use.
*
* @return string
*/
public function ruleMode() {
if (wfConfig::get('isPaid')) {
return self::RULE_MODE_PREMIUM;
}
return self::RULE_MODE_COMMUNITY;
}
/**
* Returns 100% if the blacklist is enabled, 0% if not.
*
* @return float
*/
public function blacklistStatus() {
try {
$wafEnabled = !(!WFWAF_ENABLED || wfWAF::getInstance()->getStorageEngine()->isDisabled());
if (!$wafEnabled) {
return 0.0;
}
return $this->blacklistMode() == self::BLACKLIST_MODE_ENABLED ? 1.0 : 0.0;
}
catch (Exception $e) {
//Ignore, return 0%
}
return 0.0;
}
/**
* Returns 100% if the blacklist is enabled, 0% if not.
*
* @return array
*/
public function blacklistStatusDescription() {
try {
$wafEnabled = !(!WFWAF_ENABLED || wfWAF::getInstance()->getStorageEngine()->isDisabled());
if (!$wafEnabled) {
return array(
'percentage' => 1.0,
'title' => __('Enable Firewall.', 'wordfence'),
);
}
if ($this->blacklistMode() == self::BLACKLIST_MODE_ENABLED) {
return array();
}
return array(
'percentage' => 1.0,
'title' => __('Enable Real-Time IP Blocklist.', 'wordfence'),
);
}
catch (Exception $e) {
//Ignore, return 0%
}
return array(
'percentage' => 1.0,
'title' => __('Enable Real-Time IP Blocklist.', 'wordfence'),
);
}
/**
* Returns the blacklist mode.
*
* @return string
*/
public function blacklistMode() {
$blacklistEnabled = false;
try {
$wafEnabled = !(!WFWAF_ENABLED || wfWAF::getInstance()->getStorageEngine()->isDisabled());
$blacklistEnabled = $wafEnabled && !wfWAF::getInstance()->getStorageEngine()->getConfig('disableWAFBlacklistBlocking');
}
catch (Exception $e) {
//Do nothing
}
if (wfConfig::get('isPaid') && $blacklistEnabled) {
return self::BLACKLIST_MODE_ENABLED;
}
return self::BLACKLIST_MODE_DISABLED;
}
/**
* Returns a percentage rating for the brute force protection status. This includes both the WFSN enabled status
* and the status of individual login security options. These options are available to all, so they are always
* in the range [0,1].
*
* @return float
*/
public function bruteForceStatus() {
$networkBruteForceEnabled = !!wfConfig::get('other_WFNet');
$localBruteForceEnabled = !!wfConfig::get('loginSecurityEnabled');
$percentage = 0.0;
if ($localBruteForceEnabled) {
$percentage += 0.1;
if ($networkBruteForceEnabled) {
$percentage += 0.5;
}
if (wfConfig::get('loginSec_strongPasswds_enabled') && (wfConfig::get('loginSec_strongPasswds') == 'pubs' || wfConfig::get('loginSec_strongPasswds') == 'all')) {
$percentage += 0.1;
}
if (wfConfig::get('loginSec_maskLoginErrors')) {
$percentage += 0.1;
}
if (wfConfig::get('loginSec_blockAdminReg')) {
$percentage += 0.1;
}
if (wfConfig::get('loginSec_disableAuthorScan')) {
$percentage += 0.1;
}
}
return round($percentage, 2);
}
/**
* Returns the status of the WAF's learning mode.
*
* @return bool|int Returns true if enabled without an automatic switchover, a timestamp if enabled with one, and false if not in learning mode.
*/
public function learningModeStatus() {
if ($this->firewallMode() != self::FIREWALL_MODE_LEARNING) {
return false;
}
try {
$config = wfWAF::getInstance()->getStorageEngine();
if ($config->getConfig('learningModeGracePeriodEnabled')) {
return (int) $config->getConfig('learningModeGracePeriod');
}
return true;
}
catch (Exception $e) {
//Ignore, return false
}
return false;
}
/**
* @return array
*/
public function bruteForceStatusList() {
$networkBruteForceEnabled = !!wfConfig::get('other_WFNet');
$localBruteForceEnabled = !!wfConfig::get('loginSecurityEnabled');
$status = array();
if ($localBruteForceEnabled) {
if (!$networkBruteForceEnabled) {
$status[] = array(
'percentage' => 0.5,
'title' => __('Enable Real-Time Wordfence Security Network.', 'wordfence'),
);
}
if (!wfConfig::get('loginSec_strongPasswds_enabled')) {
$status[] = array(
'percentage' => 0.1,
'title' => __('Enforce Strong Passwords.', 'wordfence'),
);
}
if (!wfConfig::get('loginSec_maskLoginErrors')) {
$status[] = array(
'percentage' => 0.1,
'title' => __('Enable Mask Login Errors.', 'wordfence'),
);
}
if (!wfConfig::get('loginSec_blockAdminReg')) {
$status[] = array(
'percentage' => 0.1,
'title' => __('Enable Block Admin Registration.', 'wordfence'),
);
}
if (!wfConfig::get('loginSec_disableAuthorScan')) {
$status[] = array(
'percentage' => 0.1,
'title' => __('Disable Author Scanning.', 'wordfence'),
);
}
} else {
$status[] = array(
'percentage' => 1.0,
'title' => __('Enable Brute Force Protection.', 'wordfence'),
);
}
return array_filter($status);
}
}