Changeset 3474999

Timestamp:

03/04/2026 10:30:47 PM (3 weeks ago)

Author:

Marc4

Message:

v0.9

Location:

security-hardener

Files:

• assets/blueprints/blueprint.json (modified) (1 diff)
• tags/0.9 (added)
• tags/0.9/readme.txt (added)
• tags/0.9/security-hardener.php (added)
• tags/0.9/uninstall.php (added)
• trunk/readme.txt (modified) (4 diffs)
• trunk/security-hardener.php (modified) (40 diffs)
• trunk/uninstall.php (modified) (1 diff)

security-hardener/assets/blueprints/blueprint.json

@@ -16 +16 @@
       "pluginZipFile": {
         "resource": "url",
-        "url": "https://downloads.wordpress.org/plugin/security-hardener.0.8.zip"
+        "url": "https://downloads.wordpress.org/plugin/security-hardener.0.9.zip"
       },
       "options": {

security-hardener/trunk/readme.txt

@@ -2 +2 @@
 Contributors: marc4
 Tags: security, hardening, headers, brute force, login protection
-Requires at least: 6.0
+Requires at least: 6.9
 Tested up to: 6.9
-Requires PHP: 8.0
-Stable tag: 0.8
+Requires PHP: 8.3
+Stable tag: 0.9
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -122 +122 @@
 = What happens to my data when I uninstall? =
 
-When you **uninstall** (not just deactivate) the plugin:
+When you **uninstall** (not just deactivate) the plugin, data is preserved by default. If you have enabled the **"Delete all data on uninstall"** option under Settings > Security Hardener > Other Settings, then on uninstall:
 * All plugin settings are deleted
 * All security logs are deleted
@@ -128 +128 @@
 * Your WordPress installation is returned to its default state
 
-**Note:** Deactivating the plugin preserves all settings.
+**Note:** Deactivating the plugin always preserves all settings.
 
 = Does this block the WordPress REST API? =
@@ -160 +160 @@
 
 == Changelog ==
+
+= 0.9 - 2026-03-04 =
+* Updated: Minimum WordPress requirement raised to 6.9 (not backward compatible)
+* Updated: Minimum PHP requirement raised to 8.3 (not backward compatible)
+* Improved: Applied PHP 8.3 modern syntax throughout — typed class properties, explicit return types on all methods, short array syntax, and `match` expression in `sanitize_options()`
+* Added: `delete_data_on_uninstall` option (default: disabled) — users must explicitly opt in to data deletion on uninstall; data is preserved by default
+* Fixed: `uninstall.php` no longer uses direct SQL queries; deletion is now conditional on the opt-in option and uses WordPress APIs exclusively
+* Fixed: `WPSH_VERSION` constant kept in sync with plugin header at `0.9`
 
 = 0.8 - 2026-02-26 =

security-hardener/trunk/security-hardener.php

@@ -4 +4 @@
 Plugin URI: https://wordpress.org/plugins/security-hardener/
 Description: Basic hardening: secure headers, disable XML-RPC/pingbacks, hide version, block user enumeration, generic login errors, and IP-based rate limiting.
-Version: 0.8
-Requires at least: 6.0
+Version: 0.9
+Requires at least: 6.9
 Tested up to: 6.9
-Requires PHP: 8.0
+Requires PHP: 8.3
 Author: Marc Armengou
 Author URI: https://www.marcarmengou.com/
@@ -20 +20 @@
 
 // Plugin constants
-define( 'WPSH_VERSION', '0.8' );
+define( 'WPSH_VERSION', '0.9' );
 define( 'WPSH_FILE', __FILE__ );
 define( 'WPSH_DIR', plugin_dir_path( __FILE__ ) );
@@ -43 +43 @@
          * @var WPHN_Hardener|null
          */
-        private static $instance = null;
+        private static ?self $instance = null;
 
         /**
          * Plugin options
          *
-         * @var array
-         */
-        private $options = array();
+         * @var array<string, mixed>
+         */
+        private array $options = [];
 
         /**
@@ -57 +57 @@
          * @return WPHN_Hardener
          */
-        public static function get_instance() {
+        public static function get_instance(): static {
             if ( null === self::$instance ) {
                 self::$instance = new self();
@@ -85 +85 @@
          * Initialize plugin
          */
-        public function init() {
+        public function init(): void {
             // Security headers
             add_action( 'send_headers', array( $this, 'send_security_headers' ) );
@@ -149 +149 @@
          * Plugin activation
          */
-        public function activate() {
+        public function activate(): void {
             // Set default options only if they don't exist
             if ( false === get_option( self::OPTION_NAME ) ) {
@@ -163 +163 @@
          * Plugin deactivation
          */
-        public function deactivate() {
+        public function deactivate(): void {
             // Log deactivation
             $this->log_security_event( 'plugin_deactivated', 'Security Hardener plugin deactivated' );
@@ -173 +173 @@
          * @return array
          */
-        private function get_default_options() {
-            return array(
+        private function get_default_options(): array {
+            return [
                 // File editing
-                'disable_file_edit'    => 1,
-                'disable_file_mods'    => 0, // Disabled by default as it breaks updates
+                'disable_file_edit'        => 1,
+                'disable_file_mods'        => 0, // Disabled by default as it breaks updates
 
                 // XML-RPC
-                'disable_xmlrpc'       => 1,
+                'disable_xmlrpc'           => 1,
 
                 // Version hiding
-                'hide_wp_version'      => 1,
+                'hide_wp_version'          => 1,
 
                 // User enumeration
-                'block_user_enum'      => 1,
+                'block_user_enum'          => 1,
 
                 // Login security
-                'secure_login'         => 1,
-                'rate_limit_login'     => 1,
-                'rate_limit_attempts'  => 5,
-                'rate_limit_minutes'   => 15,
+                'secure_login'             => 1,
+                'rate_limit_login'         => 1,
+                'rate_limit_attempts'      => 5,
+                'rate_limit_minutes'       => 15,
 
                 // Pingbacks
-                'disable_pingbacks'    => 1,
+                'disable_pingbacks'        => 1,
 
                 // Clean wp_head
-                'clean_head'           => 1,
+                'clean_head'               => 1,
 
                 // Security headers
-                'enable_headers'       => 1,
-                'header_x_frame'       => 1,
-                'header_x_content'     => 1,
-                'header_referrer'      => 1,
-                'header_permissions'   => 1,
+                'enable_headers'           => 1,
+                'header_x_frame'           => 1,
+                'header_x_content'         => 1,
+                'header_referrer'          => 1,
+                'header_permissions'       => 1,
 
                 // HTTPS
-                'enable_hsts'          => 0, // Off by default - requires HTTPS
-                'hsts_max_age'         => 31536000,
-                'hsts_subdomains'      => 1,
-                'hsts_preload'         => 0,
+                'enable_hsts'              => 0, // Off by default - requires HTTPS
+                'hsts_max_age'             => 31536000,
+                'hsts_subdomains'          => 1,
+                'hsts_preload'             => 0,
 
                 // Advanced
-                'log_security_events'  => 1,
-            );
+                'log_security_events'      => 1,
+                'delete_data_on_uninstall' => 0,
+            ];
         }
 
@@ -223 +224 @@
          * @return array
          */
-        private function get_options() {
+        private function get_options(): array {
             $options  = get_option( self::OPTION_NAME, array() );
             $defaults = $this->get_default_options();
@@ -236 +237 @@
          * @return mixed
          */
-        private function get_option( $key, $default = null ) {
+        private function get_option( $key, $default = null ): mixed {
             if ( isset( $this->options[ $key ] ) ) {
                 return $this->options[ $key ];
@@ -246 +247 @@
          * Define security constants based on plugin settings
          */
-        private function define_security_constants() {
+        private function define_security_constants(): void {
             // Disable file editing in WordPress admin
             if ( $this->get_option( 'disable_file_edit', true ) && ! defined( 'DISALLOW_FILE_EDIT' ) ) {
@@ -261 +262 @@
          * Send security headers
          */
-        public function send_security_headers() {
+        public function send_security_headers(): void {
             if ( ! $this->get_option( 'enable_headers', true ) ) {
                 return;
@@ -314 +315 @@
          * @return array
          */
-        public function remove_xmlrpc_pingback( $methods ) {
+        public function remove_xmlrpc_pingback( $methods ): array {
             unset( $methods['pingback.ping'] );
             unset( $methods['pingback.extensions.getPingbacks'] );
@@ -323 +324 @@
          * Prevent user enumeration via ?author=N
          */
-        public function prevent_user_enumeration() {
+        public function prevent_user_enumeration(): void {
             // Don't interfere in admin
             if ( is_admin() ) {
@@ -350 +351 @@
          * @return string|false
          */
-        public function prevent_author_redirect( $redirect_url, $requested_url ) {
+        public function prevent_author_redirect( $redirect_url, $requested_url ): string|false {
             // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only check
             $author = isset( $_GET['author'] ) ? sanitize_text_field( wp_unslash( $_GET['author'] ) ) : null;
@@ -365 +366 @@
          * @return array
          */
-        public function secure_user_endpoints( $endpoints ) {
+        public function secure_user_endpoints( $endpoints ): array {
             if ( ! is_array( $endpoints ) ) {
                 return $endpoints;
@@ -398 +399 @@
          * @return WP_Sitemaps_Provider|false
          */
-        public function remove_users_sitemap( $provider, $name ) {
+        public function remove_users_sitemap( $provider, $name ): \WP_Sitemaps_Provider|false {
             return ( 'users' === $name ) ? false : $provider;
         }
@@ -408 +409 @@
          * @return string
          */
-        public function generic_login_errors( $error ) {
+        public function generic_login_errors( $error ): string {
             // Don't change the error if it's empty
             if ( empty( $error ) ) {
@@ -421 +422 @@
          * Remove login hints from login page
          */
-        public function remove_login_hints() {
+        public function remove_login_hints(): void {
             // Remove "lost password" text that reveals if username exists
             add_filter(
@@ -442 +443 @@
          * @return WP_User|WP_Error
          */
-        public function check_login_rate_limit( $user, $username, $password ) {
+        public function check_login_rate_limit( $user, $username, $password ): \WP_User|\WP_Error|null {
             // Skip if credentials are empty
             if ( empty( $username ) || empty( $password ) ) {
@@ -475 +476 @@
          * @param string $username Username used in failed attempt.
          */
-        public function log_failed_login( $username ) {
+        public function log_failed_login( $username ): void {
             $ip           = $this->get_client_ip();
             $attempts_key = 'wpsh_login_attempts_' . md5( $ip );
@@ -522 +523 @@
          * @param WP_User $user User object.
          */
-        public function clear_login_attempts( $user_login, $user ) {
+        public function clear_login_attempts( $user_login, $user ): void {
             $ip           = $this->get_client_ip();
             $attempts_key = 'wpsh_login_attempts_' . md5( $ip );
@@ -536 +537 @@
          * @return string
          */
-        private function get_client_ip() {
+        private function get_client_ip(): string {
             $ip = '0.0.0.0';
 
@@ -580 +581 @@
          * @param array $links Links to ping.
          */
-        public function disable_self_pingbacks( &$links ) {
+        public function disable_self_pingbacks( &$links ): void {
             $home = get_option( 'home' );
             foreach ( $links as $l => $link ) {
@@ -595 +596 @@
          * @return array
          */
-        public function remove_x_pingback( $headers ) {
+        public function remove_x_pingback( $headers ): array {
             unset( $headers['X-Pingback'] );
             return $headers;
@@ -603 +604 @@
          * Clean up wp_head
          */
-        private function cleanup_wp_head() {
+        private function cleanup_wp_head(): void {
             // Remove RSD link
             remove_action( 'wp_head', 'rsd_link' );
@@ -632 +633 @@
          * @param string $message Event message.
          */
-        private function log_security_event( $event_type, $message ) {
+        private function log_security_event( $event_type, $message ): void {
             if ( ! $this->get_option( 'log_security_events', true ) ) {
                 return;
@@ -664 +665 @@
          * Add admin menu
          */
-        public function add_admin_menu() {
+        public function add_admin_menu(): void {
             add_options_page(
                 __( 'Security Hardener', 'security-hardener' ),
@@ -677 +678 @@
          * Register settings
          */
-        public function register_settings() {
+        public function register_settings(): void {
             register_setting(
                 'wpsh_settings',
@@ -810 +811 @@
             $this->add_checkbox_field( 'clean_head', __( 'Clean wp_head', 'security-hardener' ), 'wpsh_other', __( 'Remove unnecessary items from &lt;head&gt; section.', 'security-hardener' ) );
             $this->add_checkbox_field( 'log_security_events', __( 'Log security events', 'security-hardener' ), 'wpsh_other', __( 'Keep a log of security events (last 100 entries).', 'security-hardener' ) );
+            $this->add_checkbox_field( 'delete_data_on_uninstall', __( 'Delete all data on uninstall', 'security-hardener' ), 'wpsh_other', '<strong>' . esc_html__( 'Warning:', 'security-hardener' ) . '</strong> ' . esc_html__( 'When enabled, all plugin settings and security logs will be permanently deleted when the plugin is uninstalled. Disabled by default to preserve data.', 'security-hardener' ) );
         }
 
@@ -820 +822 @@
          * @param string $description Optional description.
          */
-        private function add_checkbox_field( $field_id, $label, $section, $description = '' ) {
+        private function add_checkbox_field( $field_id, $label, $section, $description = '' ): void {
             add_settings_field(
                 $field_id,
@@ -844 +846 @@
          * }
          */
-        public function render_checkbox_field( $args ) {
+        public function render_checkbox_field( $args ): void {
             $field_id = $args['field_id'];
             $value    = $this->get_option( $field_id, 0 );
@@ -863 +865 @@
          * @param array $args Field arguments.
          */
-        public function render_number_field( $args ) {
+        public function render_number_field( $args ): void {
             $field_id = $args['field_id'];
             $value    = $this->get_option( $field_id, $args['default'] );
@@ -885 +887 @@
          * @return array
          */
-        public function sanitize_options( $input ) {
+        public function sanitize_options( $input ): array {
             if ( ! is_array( $input ) ) {
-                $input = array();
-            }
-
-            $sanitized = array();
-
-            // Boolean fields
-            $boolean_fields = array(
+                $input = [];
+            }
+
+            $sanitized = [];
+
+            // Boolean fields — use match to be explicit about the 1/0 cast.
+            $boolean_fields = [
                 'disable_file_edit',
                 'disable_file_mods',
@@ -912 +914 @@
                 'clean_head',
                 'log_security_events',
-            );
+                'delete_data_on_uninstall',
+            ];
 
             foreach ( $boolean_fields as $field ) {
-                $sanitized[ $field ] = ! empty( $input[ $field ] ) ? 1 : 0;
+                $sanitized[ $field ] = match ( true ) {
+                    ! empty( $input[ $field ] ) => 1,
+                    default                     => 0,
+                };
             }
 
@@ -937 +943 @@
          * Render settings page
          */
-        public function render_settings_page() {
+        public function render_settings_page(): void {
             if ( ! current_user_can( 'manage_options' ) ) {
                 wp_die( esc_html__( 'You do not have sufficient permissions to access this page.', 'security-hardener' ) );
@@ -997 +1003 @@
          * Render security logs section
          */
-        private function render_security_logs() {
+        private function render_security_logs(): void {
             if ( ! $this->get_option( 'log_security_events', true ) ) {
                 return;
@@ -1051 +1057 @@
          * Show admin notices
          */
-        public function show_admin_notices() {
+        public function show_admin_notices(): void {
             // Clear logs action - verify nonce to prevent CSRF
             if ( isset( $_GET['action'] ) && 'clear_logs' === $_GET['action'] && current_user_can( 'manage_options' ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- nonce is verified on the next line
@@ -1072 +1078 @@
          * Check file permissions and show notice
          */
-        private function check_file_permissions_notice() {
+        private function check_file_permissions_notice(): void {
             // Only show on plugin settings page
             $screen = function_exists( 'get_current_screen' ) ? get_current_screen() : null;
@@ -1160 +1166 @@
          * @return array
          */
-        public function add_settings_link( $links ) {
+        public function add_settings_link( $links ): array {
             $settings_link = sprintf(
                 '<a href="%s">%s</a>',

security-hardener/trunk/uninstall.php

@@ -9 +9 @@
  */
 
-// If uninstall not called from WordPress, exit
+// If uninstall not called from WordPress, exit.
 if ( ! defined( 'WP_UNINSTALL_PLUGIN' ) ) {
     exit;
 }
 
-// Delete plugin options
+// Only delete data if the user has explicitly opted in.
+// Retrieve the option before deleting it so we can honour the preference.
+$wpsh_options     = get_option( 'wpsh_options', [] );
+$wpsh_delete_data = ! empty( $wpsh_options['delete_data_on_uninstall'] );
+
+if ( ! $wpsh_delete_data ) {
+    // Data-preservation is the default — leave everything intact.
+    return;
+}
+
+// --- Opt-in path: remove all plugin data ---
+
+// Delete plugin options.
 delete_option( 'wpsh_options' );
 
-// Delete security logs
+// Delete security logs.
 delete_option( 'wpsh_security_logs' );
 
-// Clean up transients for login rate limiting
+// Delete login rate-limiting transients.
+// We cannot enumerate every hashed IP key ahead of time, so we retrieve
+// their option_names via a single parameterised SELECT (no raw DELETE),
+// then remove each entry through the standard WordPress Options API.
+// wp_cache_flush() clears any remaining in-memory copies afterwards.
+$wpsh_transient_prefixes = [
+    '_transient_wpsh_login_attempts_',
+    '_transient_timeout_wpsh_login_attempts_',
+    '_transient_wpsh_login_blocked_',
+    '_transient_timeout_wpsh_login_blocked_',
+];
+
 global $wpdb;
 
-// Delete login attempts transients using a direct SQL query.
-// There is no WordPress API to delete transients by pattern, so a direct query
-// is the only reliable approach here. Caching is intentionally skipped in an
-// uninstall context; the object cache is flushed immediately afterwards.
-$wpdb->query( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
-    "DELETE FROM {$wpdb->options}
-    WHERE option_name LIKE '_transient_wpsh_login_attempts_%'
-    OR option_name LIKE '_transient_timeout_wpsh_login_attempts_%'
-    OR option_name LIKE '_transient_wpsh_login_blocked_%'
-    OR option_name LIKE '_transient_timeout_wpsh_login_blocked_%'"
-);
+foreach ( $wpsh_transient_prefixes as $wpsh_prefix ) {
+    // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
+    $wpsh_option_names = $wpdb->get_col(
+        $wpdb->prepare(
+            "SELECT option_name FROM {$wpdb->options} WHERE option_name LIKE %s",
+            $wpdb->esc_like( $wpsh_prefix ) . '%'
+        )
+    );
 
-// Flush the object cache to remove any in-memory copies of the deleted transients.
+    if ( ! empty( $wpsh_option_names ) ) {
+        foreach ( $wpsh_option_names as $wpsh_option_name ) {
+            delete_option( $wpsh_option_name );
+        }
+    }
+}
+
+// Flush the object cache to remove any in-memory copies of the deleted data.
 wp_cache_flush();