Changeset 3466579

Timestamp:

02/21/2026 08:22:40 PM (5 weeks ago)

Author:

Marc4

Message:

v0.6

Location:

security-hardener

Files:

• tags/0.6 (added)
• tags/0.6/readme.txt (added)
• tags/0.6/security-hardener.php (added)
• tags/0.6/uninstall.php (added)
• trunk/readme.txt (modified) (2 diffs)
• trunk/security-hardener.php (modified) (6 diffs)
• trunk/uninstall.php (modified) (2 diffs)

security-hardener/trunk/readme.txt

@@ -5 +5 @@
 Tested up to: 6.9
 Requires PHP: 8.0
-Stable tag: 0.5
+Stable tag: 0.6
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -161 +161 @@
 == Changelog ==
 
-= 0.5 - 2026-02-09 =
+= 0.6 - 2026-21-02 =
+* Fixed: Removed deprecated load_plugin_textdomain() call (automatic since WordPress 4.6)
+* Fixed: Added wp_unslash() and sanitize_text_field() to $_GET['author'] before sanitization
+* Fixed: Moved HTML markup outside translatable string in login confirmation message
+* Fixed: Escaped $min and $max output in render_number_field() using absint()
+* Fixed: Added phpcs:ignore for native WordPress constants DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS
+* Fixed: Removed error_log() debug call from uninstall.php
+* Fixed: Suppressed false-positive direct database query warning in uninstall.php with inline justification comment
+* Fixed: Removed redundant function_exists() check for wp_cache_flush() in uninstall.php
+
+= 0.5 - 2026-09-02 =
 * Complete rewrite following WordPress hardening best practices
 * Increased minimum PHP requirement to 8.0 (PHP 7.4 is end-of-life)

security-hardener/trunk/security-hardener.php

@@ -4 +4 @@
 Plugin URI: https://wordpress.org/plugins/security-hardener/
 Description: Basic hardening: secure headers, disable XML-RPC/pingbacks, hide version, block user enumeration, login errors, IP-based rate limiting, and optional restriction of the REST API.
-Version: 0.5
+Version: 0.6
 Requires at least: 6.0
-Tested up to: 6.8
+Tested up to: 6.9
 Requires PHP: 8.0
 Author: Marc Armengou
@@ -83 +83 @@
          */
         public function init() {
-            // Load text domain
-            load_plugin_textdomain( 'security-hardener', false, dirname( WPSH_BASENAME ) . '/languages' );
-
             // Define security constants early
             $this->define_security_constants();
@@ -252 +249 @@
             // Disable file editing in WordPress admin
             if ( $this->get_option( 'disable_file_edit', true ) && ! defined( 'DISALLOW_FILE_EDIT' ) ) {
-                define( 'DISALLOW_FILE_EDIT', true );
+                define( 'DISALLOW_FILE_EDIT', true ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound -- Native WordPress constant
             }
 
             // Disable all file modifications (updates, installs) - CAUTION: This breaks updates!
             if ( $this->get_option( 'disable_file_mods', false ) && ! defined( 'DISALLOW_FILE_MODS' ) ) {
-                define( 'DISALLOW_FILE_MODS', true );
+                define( 'DISALLOW_FILE_MODS', true ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound -- Native WordPress constant
             }
         }
@@ -334 +331 @@
             // Check for author query parameter with numeric value
             // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only check
-            $author = isset( $_GET['author'] ) ? $_GET['author'] : null;
+            $author = isset( $_GET['author'] ) ? sanitize_text_field( wp_unslash( $_GET['author'] ) ) : null;
 
             // Block numeric author parameter
@@ -429 +426 @@
                 function ( $message ) {
                     if ( strpos( $message, 'check your email' ) !== false ) {
-                        return __( '<strong>Check your email for the confirmation link.</strong>', 'security-hardener' );
+                        return '<strong>' . esc_html__( 'Check your email for the confirmation link.', 'security-hardener' ) . '</strong>';
                     }
                     return $message;
@@ -865 +862 @@
                 esc_attr( $field_id ),
                 esc_attr( $value ),
-                $min,
-                $max
+                absint( $min ),
+                absint( $max )
             );
         }

security-hardener/trunk/uninstall.php

@@ -23 +23 @@
 global $wpdb;
 
-// Delete login attempts transients using efficient SQL query
-$wpdb->query(
-    "DELETE FROM {$wpdb->options} 
-    WHERE option_name LIKE '_transient_wpsh_login_attempts_%' 
+// Delete login attempts transients using a direct SQL query.
+// There is no WordPress API to delete transients by pattern, so a direct query
+// is the only reliable approach here. Caching is intentionally skipped in an
+// uninstall context; the object cache is flushed immediately afterwards.
+$wpdb->query( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
+    "DELETE FROM {$wpdb->options}
+    WHERE option_name LIKE '_transient_wpsh_login_attempts_%'
     OR option_name LIKE '_transient_timeout_wpsh_login_attempts_%'
     OR option_name LIKE '_transient_wpsh_login_blocked_%'
@@ -32 +35 @@
 );
 
-// If using object cache, flush it to remove any cached transients
-if ( function_exists( 'wp_cache_flush' ) ) {
-    wp_cache_flush();
-}
-
-// Optional: Clear any scheduled cron jobs if we add them in the future
-// Example: wp_clear_scheduled_hook( 'wpsh_cleanup_logs' );
-
-// Log uninstallation (optional - only if you want to keep a record)
-// Note: This creates a log entry before deleting options
-if ( function_exists( 'error_log' ) ) {
-    error_log( 'Security Hardener plugin uninstalled at ' . current_time( 'mysql' ) );
-}
+// Flush the object cache to remove any in-memory copies of the deleted transients.
+wp_cache_flush();