@@ -424,26 +424,38 @@ protected function is_password_secure( $password ): bool {
424424 $ prefix = substr ( $ hash , 0 , 5 );
425425 $ suffix = substr ( $ hash , 5 );
426426
427- $ cached_result = wp_cache_get ( $ prefix . $ suffix , self ::HIBP_CACHE_KEY );
427+ $ cache_key = 'prefix_ ' . $ prefix ;
428+ $ body = wp_cache_get ( $ cache_key , self ::HIBP_CACHE_KEY );
428429
429- if ( false !== $ cached_result || false ) { // remove || false; only used for testing
430- return $ cached_result ;
430+ if ( false === $ body ) {
431+ $ transient_key = self ::HIBP_CACHE_KEY . '_ ' . strtolower ( $ cache_key );
432+ $ body = get_transient ( $ transient_key );
431433 }
432434
433- $ response = wp_remote_get ( self ::HIBP_API_URL . $ prefix , [ 'user-agent ' => '10up Experience WordPress Plugin ' ] );
435+ if ( false === $ body ) {
436+ $ response = wp_remote_get (
437+ self ::HIBP_API_URL . $ prefix ,
438+ [
439+ 'timeout ' => (int ) apply_filters ( 'tenup_experience_hibp_request_timeout ' , 2 ),
440+ 'user-agent ' => '10up Experience WordPress Plugin ' ,
441+ ]
442+ );
434443
435- // Allow for a failed request to the HIPB API.
436- // Don't cache the result if the request failed.
437- if ( is_wp_error ( $ response ) || wp_remote_retrieve_response_code ( $ response ) !== 200 ) {
438- return true ;
439- }
444+ // Allow for a failed request to the HIBP API.
445+ // Don't cache the result if the request failed.
446+ if ( is_wp_error ( $ response ) || wp_remote_retrieve_response_code ( $ response ) !== 200 ) {
447+ return true ;
448+ }
440449
441- $ body = wp_remote_retrieve_body ( $ response );
450+ $ body = wp_remote_retrieve_body ( $ response );
442451
443- // Allow for a failed request to the HIPB API.
444- // Don't cache the result if the request failed.
445- if ( is_wp_error ( $ body ) ) {
446- return true ;
452+ if ( empty ( $ body ) ) {
453+ return true ;
454+ }
455+
456+ // Cache the prefix response only. Avoid storing full password hashes.
457+ wp_cache_set ( $ cache_key , $ body , self ::HIBP_CACHE_KEY , 4 * HOUR_IN_SECONDS );
458+ set_transient ( $ transient_key , $ body , 4 * HOUR_IN_SECONDS );
447459 }
448460
449461 $ lines = explode ( "\r\n" , $ body );
@@ -452,14 +464,12 @@ protected function is_password_secure( $password ): bool {
452464 $ parts = explode ( ': ' , $ line );
453465
454466 // If the suffix is found in the response, the password may be in a breach.
455- if ( $ parts [0 ] === $ suffix ) {
467+ if ( isset ( $ parts [ 0 ] ) && $ parts [0 ] === $ suffix ) {
456468 $ is_password_secure = false ;
469+ break ;
457470 }
458471 }
459472
460- // Cache the result for 4 hours.
461- wp_cache_set ( $ prefix . $ suffix , (int ) $ is_password_secure , self ::HIBP_CACHE_KEY , 60 * 60 * 4 );
462-
463473 return $ is_password_secure ;
464474 }
465475}
0 commit comments