Merge pull request #149 from MITLibraries/pw-86

Add IP-based block list to wp-config
MITLibraries · Feb 16, 2024 · 79a4a15 · 79a4a15
2 parents acbf963 + 2d11048
commit 79a4a15
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 1 deletion.
diff --git a/.github/README.md b/.github/README.md
@@ -259,7 +259,7 @@ Please see the readme for that project for [installation](https://github.com/pan
 #### Optional application secrets
 
 - `SENTRY_DSN` Unique identifier for this project within Sentry.
-
+- `BLOCKED_IPS` A space-separated list of IP addresses which should be blocked from getting a Wordpress response.
 
 ### Environment variables
 

diff --git a/web/wp-config.php b/web/wp-config.php
@@ -69,8 +69,30 @@
       define( 'WP_SENTRY_VERSION', 'v1' );
       define( 'WP_SENTRY_ENV', $_ENV['PANTHEON_ENVIRONMENT'] );
     }
+
+    // Blocked IP address handling - defined as a space-separated string in secrets, and
+    // parsed to an array.
+    if ( array_key_exists( 'BLOCKED_IPS', $secrets ) ) {
+      define( 'BLOCKED_IPS', $secrets['BLOCKED_IPS'] );
+    }
   }
+}
+
+/**
+ * Respond with a 403 error message if the user IP address is on our block list.
+ *
+ * This assumes that BLOCKED_IPS is a string that can be exploded to an array of values.
+ * It also assumes that the block list consists of individual IP addresses, and not
+ * ranges that need to be calculated.
+ */
+if ( defined( 'BLOCKED_IPS' ) ) {
+  $array_blocked_ips = explode( " ", BLOCKED_IPS );
+  $request_remote_addr = $_SERVER['REMOTE_ADDR'];
 
+  if ( in_array($request_remote_addr, $array_blocked_ips) ) {
+    header( 'HTTP/1.0 403 Forbidden' );
+    exit;
+  }
 }
 
 /**