CVE-2022-4537: Brute.php in hide-my-wp/tags/5.0.18/models – WordPress Plugin Repository

1<?php2/**3 * Brute Force Protection Model4 * Called from Brute Force Class5 *6 * @file The Brute Force Model file7 * @package HMWP/BruteForce8 * @since 4.2.09 */1011defined(‘ABSPATH’) || die(‘Cheatin\’ uh?’);1213class HMWP_Models_Brute14{15 /**16 * The user IP address17 * @var string18 */19 protected $user_ip;20 public $response;2122 /**23 * Retrives and sets the ip address the person logging in24 *25 * @return string26 */27 public function brute_get_ip()28 {29 if (isset($this->user_ip)) {30 return $this->user_ip;31 }3233 if(!isset($_SERVER[‘REMOTE_ADDR’])) {34 return '127.0.0.1’;35 }3637 $ip = $_SERVER[‘REMOTE_ADDR’];38 $trusted_header = HMWP_Classes_Tools::getOption(‘trusted_ip_header’);3940 if (is_string($trusted_header) && $trusted_header <> ‘’) {41 if (isset($_SERVER[$trusted_header])) {42 $ip = $_SERVER[$trusted_header];43 }44 }4546 $ips = array_reverse(explode(', ', $ip));47 foreach ($ips as $ip) {48 $ip = $this->clean_ip($ip);4950 // If the IP is in a private or reserved range, keep looking51 if ($ip == ‘127.0.0.1’ || $ip == ‘::1’ || $this->ip_is_private($ip)) {52 continue;53 } else {54 $this->user_ip = $ip;55 return $this->user_ip;56 }57 }5859 $this->user_ip = $this->clean_ip($_SERVER[‘REMOTE_ADDR’]);60 return $this->user_ip;61 }626364 /**65 * Clean the IP address if altered66 * @param $ip67 * @return mixed|string68 */69 public function clean_ip($ip)70 {71 $ip = trim($ip);7273 // Check for IPv4 IP cast as IPv674 if (preg_match('/^::ffff:(\d+\.\d+\.\d+\.\d+)$/’, $ip, $matches)) {75 $ip = $matches[1];76 }7778 return $ip;79 }808182 /**83 * Checks an IP to see if it is within a private range84 *85 * @param string $ip86 * @return bool87 */88 public function ip_is_private($ip)89 {90 $pri_addrs = array(91 '10.0.0.0|10.255.255.255’, // single class A network92 '172.16.0.0|172.31.255.255’, // 16 contiguous class B network93 '192.168.0.0|192.168.255.255’, // 256 contiguous class C network94 '169.254.0.0|169.254.255.255’, // Link-local address also refered to as Automatic Private IP Addressing95 ‘127.0.0.0|127.255.255.255’ // localhost96 );9798 $long_ip = ip2long($ip);99 if ($long_ip != -1) {100101 foreach ($pri_addrs AS $pri_addr) {102 list ($start, $end) = explode('|’, $pri_addr);103104 // IF IS PRIVATE105 if ($long_ip >= ip2long($start) && $long_ip <= ip2long($end)) {106 return true;107 }108 }109 }110111 return false;112 }113114 /**115 * Generate a pivacy key116 * @return string117 */118 public function get_privacy_key()119 {120 // Privacy key generation uses the NONCE_SALT + admin email-- admin email is121 // used to prevent identical privacy keys if NONCE_SALT is not customized122 return substr(md5(NONCE_SALT . get_site_option(‘admin_email’)), 5, 10);123 }124125 /**126 * Checks the status for a given IP. API results are cached as transients in the wp_options table127 *128 * @return array|mixed129 * @throws Exception130 */131 public function brute_check_loginability()132 {133134 $ip = $this->brute_get_ip();135 $headers = $this->brute_get_headers();136 $header_hash = md5(json_encode($headers));137138 $transient_name = ‘hmwp_brute_’ . $header_hash;139 $transient_value = $this->get_transient($transient_name);140141 //Never block login from whitelisted IPs142 if ($this->check_whitelisted_ip($ip)) {143 $transient_value[‘status’] = 'whitelist’;144 return $transient_value;145 }146147 //Check out our transients148 if (isset($transient_value[‘status’]) && $transient_value[‘status’] == ‘ok’) {149 return $transient_value;150 }151152 if (isset($transient_value[‘status’]) && $transient_value[‘status’] == ‘blocked’) {153 //there is a current block-- prevent login154 $this->brute_kill_login();155 }156157158 //If we’ve reached this point, this means that the IP isn’t cached.159 //Now we check to see if we should allow login160 $response = $this->brute_call(‘check_ip’);161162 if ($response[‘status’] == ‘blocked’) {163 $this->brute_kill_login();164 }165166 return $response;167 }168169 /**170 * Check if the current IP address is whitelisted by the user171 *172 * @param string $ip173 * @return bool174 */175 public function check_whitelisted_ip($ip)176 {177 if(HMWP_Classes_Tools::isWhitelistedIP($ip)){178 return true;179 }180181 return false;182 }183184 /**185 * Get the current local host186 *187 * @return mixed|string188 */189 public function brute_get_local_host()190 {191 if (isset($this->local_host)) {192 return $this->local_host;193 }194195 $uri = ‘http://’ . strtolower($_SERVER[‘HTTP_HOST’]);196197 if (HMWP_Classes_Tools::isMultisites()) {198 $uri = network_home_url();199 }200201 $uridata = parse_url($uri);202203 $domain = $uridata[‘host’];204205 //if we still don’t have it, get the site_url206 if (!$domain) {207 $uri = get_site_url(1);208 $uridata = parse_url($uri);209 if (isset($uridata[‘host’])) {210 $domain = $uridata[‘host’];211 }212 }213214 $this->local_host = $domain;215216 return $this->local_host;217 }218219 /**220 * Count the number of fail attempts221 *222 * @return false|int|mixed223 */224 public function brute_get_blocked_attempts()225 {226 $blocked_count = get_site_option(‘bruteprotect_blocked_attempt_count’);227 if (!$blocked_count) {228 $blocked_count = 0;229 }230231 return $blocked_count;232 }233234235 /**236 * Finds out if this site is using http or https237 *238 * @return string239 */240 public function brute_get_protocol()241 {242 return (is_ssl()) ? “https://” : “http://";243 }244245 /**246 * Get all IP headers so that we can process on our server…247 *248 * @return array249 */250 public function brute_get_headers()251 {252 $o = array();253254 $ip_related_headers = array(255 'GD_PHP_HANDLER’,256 'HTTP_AKAMAI_ORIGIN_HOP’,257 'HTTP_CF_CONNECTING_IP’,258 'HTTP_CLIENT_IP’,259 'HTTP_FASTLY_CLIENT_IP’,260 'HTTP_FORWARDED’,261 'HTTP_FORWARDED_FOR’,262 'HTTP_INCAP_CLIENT_IP’,263 'HTTP_TRUE_CLIENT_IP’,264 'HTTP_X_CLIENTIP’,265 'HTTP_X_CLUSTER_CLIENT_IP’,266 'HTTP_X_FORWARDED’,267 'HTTP_X_FORWARDED_FOR’,268 'HTTP_X_IP_TRAIL’,269 'HTTP_X_REAL_IP’,270 'HTTP_X_VARNISH’,271 'REMOTE_ADDR’272273 );274275 foreach ($ip_related_headers as $header) {276 if (isset($_SERVER[$header])) {277 $o[$header] = $_SERVER[$header];278 }279 }280281 return $o;282 }283284 /**285 * process the brute call286 *287 * @param string $action 'check_ip’, 'check_key’, or 'failed_attempt’288 * @param array $info Any custom data to post to the api289 * @return array|mixed290 * @throws Exception291 */292 public function brute_call($action = 'check_ip’, $info = array())293 {294 $headers = $this->brute_get_headers();295 $header_hash = md5(json_encode($headers));296 $transient_name = ‘hmwp_brute_’ . $header_hash;297298 if(!$response = $this->get_transient($transient_name)){299 $response = array();300 }301302 $attempts = (isset($response[‘attempts’]) ? (int)$response[‘attempts’] : 0);303304 if ($action == ‘failed_attempt’) {305 if ($this->check_whitelisted_ip($this->brute_get_ip())) {306 $response[‘status’] = 'ok’;307 return $response;308 }309310 $attempts = (int)$attempts + 1;311312 if ($attempts >= HMWP_Classes_Tools::getOption(‘brute_max_attempts’)) {313314 $info[‘ip’] = $this->brute_get_ip();315 $info[‘host’] = $this->brute_get_local_host();316 $info[‘protocol’] = $this->brute_get_protocol();317 $info[‘headers’] = json_encode($this->brute_get_headers());318319 $response = array_merge($response, $info);320 $response[‘attempts’] = $attempts;321 $response[‘status’] = 'blocked’;322323 //Log the block IP on the server324 HMWP_Classes_ObjController::getClass(‘HMWP_Models_Log’)->hmwp_log_actions('block_ip’, array(‘ip’ => $this->brute_get_ip()));325326 wp_redirect(site_url());327 } else {328 $response[‘attempts’] = $attempts;329 $response[‘status’] = 'ok’;330 }331 $this->set_transient($transient_name, $response, (int)HMWP_Classes_Tools::getOption(‘brute_max_timeout’));332 } elseif ($action == ‘check_ip’) {333 $response[‘status’] = (isset($response[‘status’]) ? $response[‘status’] : ‘ok’);334335 //Always block a banned IP336 if ($this->check_banned_ip($this->brute_get_ip())) {337 $response[‘status’] = 'blocked’;338339 }340341 } elseif ($action == ‘clear_ip’) {342 $this->delete_transient($transient_name);343 }344345 return $response;346 }347348 /**349 * Save the transient with the blocked IP in database350 *351 * @param $transient352 * @param $value353 * @param $expiration354 * @return bool355 */356 public function set_transient($transient, $value, $expiration)357 {358 if (HMWP_Classes_Tools::isMultisites() && !is_main_site()) {359 switch_to_blog($this->get_main_blog_id());360 $return = set_transient($transient, $value, $expiration);361 restore_current_blog();362 return $return;363 }364 return set_transient($transient, $value, $expiration);365 }366367 /**368 * Delete the transient from database369 *370 * @param $transient371 * @return bool372 */373 public function delete_transient($transient)374 {375 if (HMWP_Classes_Tools::isMultisites() && !is_main_site()) {376 switch_to_blog($this->get_main_blog_id());377 $return = delete_transient($transient);378 restore_current_blog();379 return $return;380 }381 return delete_transient($transient);382 }383384 /**385 * Get the saved transient from database386 *387 * @param $transient388 * @return mixed389 */390 public function get_transient($transient)391 {392 if (HMWP_Classes_Tools::isMultisites() && !is_main_site()) {393 switch_to_blog($this->get_main_blog_id());394 $return = get_transient($transient);395 restore_current_blog();396 return $return;397 }398 return get_transient($transient);399 }400401 /**402 * If we’re in a multisite network, return the blog ID of the primary blog403 *404 * @return int405 */406 public function get_main_blog_id()407 {408 if (defined(‘BLOG_ID_CURRENT_SITE’)) {409 return BLOG_ID_CURRENT_SITE;410 }411412 return 1;413 }414415416 /**417 * Get all blocked IPs418 *419 * @return array420 */421 public function get_blocked_ips()422 {423 global $wpdb;424 $ips = array();425 $pattern = '_transient_timeout_hmwp_brute_’;426 //check 20 keyword at one time427 $sql = $wpdb->prepare(“SELECT `option_name` FROM `{$wpdb->options}` WHERE (`option_name` LIKE %s) ORDER BY `option_id` DESC", $pattern . ‘%’);428 //echo $sql; exit();429 if ($rows = $wpdb->get_results($sql)) {430 foreach ($rows as $row) {431 if (!$transient_value = $this->get_transient(str_replace($pattern, 'hmwp_brute_’, $row->option_name))) {432 $this->delete_transient(str_replace($pattern, '’, $row->option_name));433 }elseif (isset($transient_value[‘status’]) && $transient_value[‘status’] == ‘blocked’) {434 $ips[str_replace($pattern, 'hmwp_brute_’, $row->option_name)] = $transient_value;435 }436 }437 }438439440 return $ips;441 }442443 /**444 * Check if the IP address is already banned by the user445 *446 * @param $ip447 * @return bool448 */449 public function check_banned_ip($ip)450 {451 //Never block login from whitelisted IPs452 $banlist = HMWP_Classes_Tools::getOption(‘banlist_ip’);453454 if($banlist <> ‘’ && is_string($banlist)) {455 $bl_items = @json_decode($banlist, true);456457 //add the hook for users to add IPs in the blacklist458 $bl_items = apply_filters('hmwp_blacklisted_ips’, $bl_items);459460 if (!empty($bl_items)) {461 foreach ($bl_items as $item) {462 $item = trim($item);463 if ($ip == $item) {464 return true;465 }466467 if (strpos($item, ‘*’) === false) { //no match, no wildcard468 continue;469 }470471 $iplong = ip2long($ip);472 $ip_low = ip2long(str_replace('*’, '0’, $item));473 $ip_high = ip2long(str_replace('*’, '255’, $item));474475 if ($iplong >= $ip_low && $iplong <= $ip_high) {//IP is within wildcard range476 return true;477 }478479 }480 }481 }482 return false;483 }484485 /**486 * Delete the IP address from database487 *488 * @param $transient489 * @return void490 */491 public function delete_ip($transient)492 {493 $this->delete_transient($transient);494 }495496497 /**498 * Verifies that a user answered the math problem correctly while logging in.499 *500 * @param mixed $user501 * @param mixed $response502 * @return mixed $user Returns the user if the math is correct503 */504 public function brute_math_authenticate($user, $response)505 {506507 if (HMWP_Classes_Tools::getValue(‘brute_ck’)) {508509 $salt = HMWP_Classes_Tools::getOption(‘hmwp_disable’) . get_site_option(‘admin_email’);510 $ans = (int)HMWP_Classes_Tools::getValue('brute_num’, 0);511 $salted_ans = sha1($salt . $ans);512 $correct_ans = HMWP_Classes_Tools::getValue(‘brute_ck’);513514 if ($correct_ans !== false && $salted_ans != $correct_ans) {515 $user = new WP_Error(516 'authentication_failed’,517 sprintf(esc_html__('%sYou failed to correctly answer the math problem.%s Please try again’, ‘hide-my-wp’), '<strong>’, ‘</strong>’)518 );519 }520521 }522523 return $user;524 }525526 /**527 * Requires a user to solve a simple equation. Added to any WordPress login form.528 *529 * @return void outputs html530 */531 public function brute_math_form()532 {533 if (!HMWP_Classes_Tools::getOption(‘brute_use_math’)) {534 return;535 }536 $salt = HMWP_Classes_Tools::getOption(‘hmwp_disable’) . get_site_option(‘admin_email’);537 $num1 = rand(0, 10);538 $num2 = rand(1, 10);539 $sum = $num1 + $num2;540 $ans = sha1($salt . $sum);541 ?>542 <div style="margin: 5px 0 20px;">543 <strong><?php echo esc_html__('Prove your humanity:’, ‘hide-my-wp’) ?> </strong>544 <?php echo esc_attr($num1) ?>   +   <?php echo esc_attr($num2) ?>   =  545 <input type="input” name="brute_num” value="" size="2"/>546 <input type="hidden" name="brute_ck" value="<?php echo esc_attr($ans); ?>" id="brute_ck"/>547 </div>548 <?php549 }550551 /************************************************************************************/552 /**553 * Verifies the Google Captcha while logging in.554 *555 * @param mixed $user556 * @param mixed $response557 * @return mixed $user Returns the user if the math is correct558 * @throws WP_Error message if the math is wrong559 */560 public function brute_catpcha_authenticate($user, $response)561 {562 $error_message = false;563564 if(HMWP_Classes_Tools::getOption(‘brute_use_captcha’)) {565 $error_message = $this->brute_catpcha_call();566 }elseif(HMWP_Classes_Tools::getOption(‘brute_use_captcha_v3’)) {567 $error_message = $this->brute_catpcha_v3_call();568 }569570 if ($error_message) {571 $user = new WP_Error('authentication_failed’, $error_message);572 }573574 return $user;575 }576577578 /**579 * Call the reCaptcha V2 from Google580 */581 public function brute_catpcha_call()582 {583 $error_message = false;584 $error_codes = array(585 ‘missing-input-secret’ => esc_html__('The secret parameter is missing.’, ‘hide-my-wp’),586 ‘invalid-input-secret’ => esc_html__('The secret parameter is invalid or malformed.’, ‘hide-my-wp’),587 ‘missing-input-response’ => esc_html__('Empty ReCaptcha. Please complete reCaptcha.’, ‘hide-my-wp’),588 ‘invalid-input-response’ => esc_html__('The response parameter is invalid or malformed.’, ‘hide-my-wp’)589 );590591 $captcha = HMWP_Classes_Tools::getValue('g-recaptcha-response’, false);592 $secret = HMWP_Classes_Tools::getOption(‘brute_captcha_secret_key’);593594 if ($secret <> ‘’) {595 $response = json_decode(HMWP_Classes_Tools::hmwp_remote_get(“https://www.google.com/recaptcha/api/siteverify?secret=$secret&response=” . $captcha . “&remoteip=” . $_SERVER[‘REMOTE_ADDR’]), true);596597 if (isset($response[‘success’]) && !$response[‘success’]) {598 //If captcha errors, let the user login and fix the error599 if (isset($response[‘error-codes’]) && !empty($response[‘error-codes’])) {600 foreach ($response[‘error-codes’] as $error_code) {601 $error_message = $error_codes[$error_code];602 }603 }604605 if (!$error_message) {606 $error_message = sprintf(esc_html__('%sIncorrect ReCaptcha%s. Please try again’, ‘hide-my-wp’), ‘<strong>’, ‘</strong>’);607 }608 }609 }610611 return $error_message;612 }613614615 /**616 * reCAPTCHA head and login form617 */618 public function brute_recaptcha_head()619 {620 ?>621 <script src=’https://www.google.com/recaptcha/api.js?hl=<?php echo(HMWP_Classes_Tools::getOption(‘brute_captcha_language’) <> ‘’ ? HMWP_Classes_Tools::getOption(‘brute_captcha_language’) : get_locale()) ?>’ async defer></script>622 <style>#login{min-width: 354px;}</style>623 <?php624 }625626 /**627 * reCAPTCHA head and login form628 */629 public function brute_recaptcha_form()630 {631 if (HMWP_Classes_Tools::getOption(‘brute_captcha_site_key’) <> ‘’ && HMWP_Classes_Tools::getOption(‘brute_captcha_secret_key’) <> ‘’) {632 ?>633 <div class="g-recaptcha" data-sitekey="<?php echo HMWP_Classes_Tools::getOption(‘brute_captcha_site_key’) ?>" data-theme="<?php echo HMWP_Classes_Tools::getOption(‘brute_captcha_theme’) ?>" style="margin: 12px 0 24px 0;"></div>634 <?php635 }636 }637638 /**639 * Show the reCaptcha form on login/register640 *641 * @return void642 */643 public function woocommerce_brute_recaptcha_form()644 {645 if (HMWP_Classes_Tools::getOption(‘brute_captcha_site_key’) <> ‘’ && HMWP_Classes_Tools::getOption(‘brute_captcha_secret_key’) <> ‘’) {646 ?>647 <div class="g-recaptcha" data-sitekey="<?php echo HMWP_Classes_Tools::getOption(‘brute_captcha_site_key’) ?>" data-theme="<?php echo HMWP_Classes_Tools::getOption(‘brute_captcha_theme’) ?>"></div>648 <?php649 }650 }651652653 /**654 * Call the reCaptcha V3 from Google655 */656 public function brute_catpcha_v3_call()657 {658659 $error_message = false;660661 if(!HMWP_Classes_Tools::getOption(‘brute_use_captcha_v3’)) {662 return false;663 }664665 $error_codes = array(666 ‘missing-input-secret’ => esc_html__('The secret parameter is missing.’, ‘hide-my-wp’),667 ‘invalid-input-secret’ => esc_html__('The secret parameter is invalid or malformed.’, ‘hide-my-wp’),668 ‘missing-input-response’ => esc_html__('Empty ReCaptcha. Please complete reCaptcha.’, ‘hide-my-wp’),669 ‘invalid-input-response’ => esc_html__('The response parameter is invalid or malformed.’, ‘hide-my-wp’),670 ‘timeout-or-duplicate’ => esc_html__('The response parameter is invalid or malformed.’, ‘hide-my-wp’),671 ‘bad-request’ => esc_html__('The response parameter is invalid or malformed.’, ‘hide-my-wp’)672 );673674 $captcha = HMWP_Classes_Tools::getValue(‘g-recaptcha-response’);675 $secret = HMWP_Classes_Tools::getOption(‘brute_captcha_secret_key_v3’);676677 if ($secret <> ‘’) {678 $response = json_decode(HMWP_Classes_Tools::hmwp_remote_get(“https://www.google.com/recaptcha/api/siteverify?secret=$secret&response=” . $captcha . “&remoteip=” . $_SERVER[‘REMOTE_ADDR’]), true);679680 if (isset($response[‘success’]) && !$response[‘success’]) {681 //If captcha errors, let the user login and fix the error682 if (isset($response[‘error-codes’]) && !empty($response[‘error-codes’])) {683 foreach ($response[‘error-codes’] as $error_code) {684 $error_message = $error_codes[$error_code];685 }686 }687688 if (!$error_message) {689 $error_message = sprintf(esc_html__('%sIncorrect ReCaptcha%s. Please try again’, ‘hide-my-wp’), ‘<strong>’, ‘</strong>’);690 }691 }692 }693694 return $error_message;695 }696697 /**698 * reCAPTCHA head and login form699 */700 public function brute_recaptcha_head_v3()701 {702 ?>703 <script src=’https://www.google.com/recaptcha/api.js?render=<?php echo HMWP_Classes_Tools::getOption(‘brute_captcha_site_key_v3’) ?>’ async defer></script>704 <style>#login{min-width: 354px;}</style>705 <?php706 }707708 /**709 * reCAPTCHA head and login form710 */711 public function brute_recaptcha_form_v3()712 {713 if(!HMWP_Classes_Tools::getOption(‘brute_use_captcha_v3’)) {714 return;715 }716717 if (HMWP_Classes_Tools::getOption(‘brute_captcha_site_key_v3’) <> ‘’ && HMWP_Classes_Tools::getOption(‘brute_captcha_secret_key_v3’) <> ‘’) {718 ?>719 <script>720 function reCaptchaSubmit(e) {721 var form = this;722 e.preventDefault();723 grecaptcha.ready(function() {724 grecaptcha.execute('<?php echo HMWP_Classes_Tools::getOption(‘brute_captcha_site_key_v3’) ?>’, {action: 'submit’}).then(function(token) {725 var input = document.createElement(“input”);726 input.type = "hidden";727 input.name = “g-recaptcha-response” ;728 input.value = token ;729 form.appendChild(input);730 form.submit();731 });732 });733 }734735 if(document.getElementsByTagName(“form”).length > 0) {736 var x = document.getElementsByTagName(“form”);737 for (var i = 0; i < x.length; i++) {738 x[i].addEventListener("submit", reCaptchaSubmit);739 }740 }741 </script>742 <?php743 }744 }745746 /**747 * reCaptcha V3 support for Woocommerce748 * @return void749 */750 public function woocommerce_brute_recaptcha_form_v3()751 {752 if(!HMWP_Classes_Tools::getOption(‘brute_use_captcha_v3’)) {753 return;754 }755756 if (HMWP_Classes_Tools::getOption(‘brute_captcha_site_key_v3’) <> ‘’ && HMWP_Classes_Tools::getOption(‘brute_captcha_secret_key_v3’) <> ‘’) {757 ?>758 <script>759 function reCaptchaSubmit(e) {760 var form = this;761 e.preventDefault();762763 grecaptcha.ready(function() {764 grecaptcha.execute('<?php echo HMWP_Classes_Tools::getOption(‘brute_captcha_site_key_v3’) ?>’, {action: 'submit’}).then(function(token) {765 //add google data766 var input = document.createElement(“input”);767 input.type = "hidden";768 input.name = “g-recaptcha-response” ;769 input.value = token ;770 form.appendChild(input);771772 //complete form integration773 var submit = document.createElement(“input”);774 submit.type = "hidden";775 submit.name = “login” ;776 form.appendChild(submit);777778 form.submit();779 });780 });781 }782783 if(document.getElementsByTagName(“form”).length > 0) {784 var x = document.getElementsByTagName(“form”);785 for (var i = 0; i < x.length; i++) {786 x[i].addEventListener("submit", reCaptchaSubmit);787 }788 }789 </script>790 <?php791 }792 }793794 /************************************************************************************/795 /**796 * Show the error message on IP address banned797 * @return void798 */799 public function brute_kill_login()800 {801802 do_action('hmwp_kill_login’, $this->brute_get_ip());803804 wp_ob_end_flush_all();805 wp_die(806 HMWP_Classes_Tools::getOption(‘hmwp_brute_message’),807 esc_html__('Login Blocked by Hide My WordPress’, ‘hide-my-wp’),808 array(‘response’ => 403)809 );810 }811812}