Changeset 3487781

Timestamp:

03/21/2026 01:25:07 PM (7 days ago)

Author:

Marc4

Message:

v2.0.1

Location:

security-hardener

Files:

• assets/blueprints/blueprint.json (modified) (1 diff)
• readme.txt (added)
• security-hardener.php (added)
• tags/2.0.1 (added)
• tags/2.0.1/readme.txt (added)
• tags/2.0.1/security-hardener.php (added)
• tags/2.0.1/uninstall.php (added)
• trunk/readme.txt (modified) (4 diffs)
• trunk/security-hardener.php (modified) (15 diffs)
• uninstall.php (added)

security-hardener/assets/blueprints/blueprint.json

@@ -16 +16 @@
       "pluginZipFile": {
         "resource": "url",
-        "url": "https://downloads.wordpress.org/plugin/security-hardener.2.0.0.zip"
+        "url": "https://downloads.wordpress.org/plugin/security-hardener.2.0.1.zip"
       },
       "options": {

security-hardener/trunk/readme.txt

@@ -5 +5 @@
 Tested up to: 6.9
 Requires PHP: 8.2
-Stable tag: 2.0.0
+Stable tag: 2.0.1
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -23 +23 @@
 **XML-RPC Protection:**
 * Disable XML-RPC completely (enabled by default)
-* Remove pingback methods
+* Remove pingback methods when XML-RPC is enabled
+
+**Pingback Protection:**
 * Disable self-pingbacks
+* Remove X-Pingback header
+* Block incoming pingbacks
 
 **User Enumeration Protection:**
@@ -46 +50 @@
 
 **Additional Hardening:**
-* Hide WordPress version (meta generator tag and asset query strings) (meta generator tag and asset query strings)
-* Clean up `wp_head` output
-* Remove unnecessary meta tags and links
+* Hide WordPress version (meta generator tag and asset query strings)
+* Remove obsolete wp_head items (RSD, WLW manifest, shortlink, emoji scripts)
 * Security event logging system
 
@@ -161 +164 @@
 == Changelog ==
 
+= 2.0.1 - 2026-03-21 =
+* Fixed: "Block user enumeration" description now mentions canonical redirect blocking
+* Fixed: "Login rate limiting" toggle and number fields now have descriptions for consistency with all other options
+* Fixed: Removed unused WPSH_DIR and WPSH_URL constants
+* Fixed: Removed misleading inline comment about file editing in init()
+* Fixed: readme — "Disable self-pingbacks" moved from XML-RPC section to its own Pingback Protection section
+* Fixed: Unused parameters in clear_login_attempts() prefixed with underscore following WordPress Coding Standards
+* Fixed: @return docblock for get_default_options() updated to array<string, int> for accuracy
+* Fixed: Activation and deactivation log messages now pass through __() for translation
+* Fixed: remove_login_hints() no longer relies on hardcoded English string comparison
+* Fixed: strpos() replaced with str_starts_with() in disable_self_pingbacks() — consistent with PHP 8.2+ usage throughout the plugin
+* Fixed: Explicit string types added to log_security_event() method signature
+* Fixed: @param docblock of clear_login_attempts() updated to reflect renamed parameters $_user_login and $_user
+
 = 2.0.0 - 2026-03-20 =
-* Improved: Complete redesign of the settings page.
-* Improved: Checkboxes replaced with CSS toggles.
-* Improved: "Hide WordPress version" moved from "User Enumeration" card to "Other Settings".
+* Improved: Complete redesign of the settings page — responsive 3-column card grid replaces the default WordPress Settings API table layout
+* Improved: Checkboxes replaced with CSS toggles for clearer on/off state at a glance
+* Improved: "Clear Logs" button moved inline next to the section heading
+* Improved: Minimal inline CSS scoped to .wpsh-* classes — no external stylesheet enqueued
+* Removed: "Enable security headers" master toggle — each header is now controlled individually
+* Removed: Configurable HSTS max-age field — hardcoded to 31536000 seconds (1 year), the universally recommended value
+* Fixed: HSTS "Include subdomains" now defaults to disabled — users must opt in explicitly
+* Improved: "Hide WordPress version" now also strips the WordPress version from script and style asset URLs (?ver=), preventing version detection via asset URLs
+* Improved: "Hide WordPress version" moved from "User Enumeration" to "Other Settings"
 * Improved: "Clean wp_head" no longer removes feed links extra — avoids conflicts with plugins that rely on category and tag feeds
 * Improved: "Clean wp_head" no longer removes wp_generator — already covered by "Hide WordPress version"
-* Improved: All toggle descriptions updated for consistency.
-* Added: Four missing recommendations from the official WordPress Hardening Guide.
-* Removed: "Enable security headers" master toggle — each header is now controlled individually.
+* Improved: All toggle descriptions updated for consistency — each option now explains what value or behaviour it applies
+* Added: New "Additional Hardening Recommendations" section in the plugin admin page and readme, including four measures from the official WordPress Hardening Guide not previously listed: rename admin account, restrict database user privileges, protect wp-config.php, and block direct access to wp-includes/
 
 = 1.0 - 2026-03-05 =

security-hardener/trunk/security-hardener.php

@@ -4 +4 @@
 Plugin URI: https://wordpress.org/plugins/security-hardener/
 Description: Basic hardening: secure headers, disable XML-RPC/pingbacks, hide version, block user enumeration, generic login errors, and IP-based rate limiting.
-Version: 2.0.0
+Version: 2.0.1
 Requires at least: 6.9
 Tested up to: 6.9
@@ -20 +20 @@
 
 // Plugin constants
-define( 'WPSH_VERSION', '2.0.0' );
+define( 'WPSH_VERSION', '2.0.1' );
 define( 'WPSH_FILE', __FILE__ );
-define( 'WPSH_DIR', plugin_dir_path( __FILE__ ) );
-define( 'WPSH_URL', plugin_dir_url( __FILE__ ) );
 define( 'WPSH_BASENAME', plugin_basename( __FILE__ ) );
 
@@ -29 +27 @@
 
     /**
-     * Main plugin class implementing WordPress.org hardening guidelines
+     * Main plugin class applying WordPress security best practices
      */
     class WPHN_Hardener {
@@ -88 +86 @@
             // Security headers
             add_action( 'send_headers', array( $this, 'send_security_headers' ) );
-
-            // Disable file editing
-            // Already handled via constants
 
             // XML-RPC hardening
@@ -159 +154 @@
 
             // Log activation
-            $this->log_security_event( 'plugin_activated', 'Security Hardener plugin activated' );
+            $this->log_security_event( 'plugin_activated', __( 'Security Hardener plugin activated', 'security-hardener' ) );
         }
 
@@ -167 +162 @@
         public function deactivate(): void {
             // Log deactivation
-            $this->log_security_event( 'plugin_deactivated', 'Security Hardener plugin deactivated' );
+            $this->log_security_event( 'plugin_deactivated', __( 'Security Hardener plugin deactivated', 'security-hardener' ) );
         }
 
@@ -173 +168 @@
          * Get default options
          *
-         * @return array
+         * @return array<string, int>
          */
         private function get_default_options(): array {
@@ -432 +427 @@
 
         /**
-         * Remove login hints from login page
+         * Remove login hints from login page.
+         *
+         * Replaces the lost-password confirmation message with a generic one to avoid
+         * revealing whether a username/email exists in the database. Only intercepts
+         * messages during the lostpassword flow, leaving other login messages intact.
          */
         public function remove_login_hints(): void {
-            // Remove "lost password" text that reveals if username exists
             add_filter(
                 'login_messages',
                 function ( $message ) {
-                    if ( strpos( $message, 'check your email' ) !== false ) {
-                        return '<strong>' . esc_html__( 'Check your email for the confirmation link.', 'security-hardener' ) . '</strong>';
+                    // Only replace messages during the lost password flow.
+                    // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- read-only check on action param
+                    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
+                    if ( in_array( $action, [ 'lostpassword', 'retrievepassword' ], true ) && ! empty( $message ) ) {
+                        return '<p class="message">' . esc_html__( 'Check your email for the confirmation link.', 'security-hardener' ) . '</p>';
                     }
                     return $message;
@@ -532 +533 @@
          * Clear login attempts on successful login
          *
-         * @param string  $user_login Username.
-         * @param WP_User $user User object.
-         */
-        public function clear_login_attempts( $user_login, $user ): void {
+         * @param string  $_user_login Username (unused, required by hook).
+         * @param WP_User $_user       User object (unused, required by hook).
+         */
+        public function clear_login_attempts( $_user_login, $_user ): void {
             $ip           = $this->get_client_ip();
             $attempts_key = 'wpsh_login_attempts_' . md5( $ip );
@@ -594 +595 @@
          */
         public function disable_self_pingbacks( &$links ): void {
-            $home = get_option( 'home' );
+            $home = home_url();
             foreach ( $links as $l => $link ) {
-                if ( 0 === strpos( $link, $home ) ) {
+                if ( str_starts_with( $link, $home ) ) {
                     unset( $links[ $l ] );
                 }
@@ -639 +640 @@
          * @param string $message Event message.
          */
-        private function log_security_event( $event_type, $message ): void {
+        private function log_security_event( string $event_type, string $message ): void {
             if ( ! $this->get_option( 'log_security_events', true ) ) {
                 return;
@@ -652 +653 @@
             // Add new log entry
             $logs[] = array(
-                'timestamp'  => current_time( 'mysql' ),
-                'type'       => $event_type,
-                'message'    => $message,
-                'ip'         => $ip,
-                'user_agent' => isset( $_SERVER['HTTP_USER_AGENT'] ) ? sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) ) : '',
+                'timestamp' => current_time( 'mysql' ),
+                'type'      => $event_type,
+                'message'   => $message,
+                'ip'        => $ip,
             );
 
@@ -742 +742 @@
 
             // Numeric fields
-            $sanitized['rate_limit_attempts'] = isset( $input['rate_limit_attempts'] )
-                ? max( 3, min( 20, absint( $input['rate_limit_attempts'] ) ) )
-                : 5;
-
-            $sanitized['rate_limit_minutes'] = isset( $input['rate_limit_minutes'] )
-                ? max( 5, min( 1440, absint( $input['rate_limit_minutes'] ) ) )
-                : 15;
+            $raw_attempts = isset( $input['rate_limit_attempts'] ) ? absint( $input['rate_limit_attempts'] ) : 5;
+            $sanitized['rate_limit_attempts'] = max( 3, min( 20, $raw_attempts ) );
+            if ( $raw_attempts !== $sanitized['rate_limit_attempts'] ) {
+                add_settings_error(
+                    self::OPTION_NAME,
+                    'rate_limit_attempts_range',
+                    __( '"Failed attempts before block" must be between 3 and 20. Value has been adjusted.', 'security-hardener' ),
+                    'warning'
+                );
+            }
+
+            $raw_minutes = isset( $input['rate_limit_minutes'] ) ? absint( $input['rate_limit_minutes'] ) : 15;
+            $sanitized['rate_limit_minutes'] = max( 5, min( 1440, $raw_minutes ) );
+            if ( $raw_minutes !== $sanitized['rate_limit_minutes'] ) {
+                add_settings_error(
+                    self::OPTION_NAME,
+                    'rate_limit_minutes_range',
+                    __( '"Block duration" must be between 5 and 1440 minutes. Value has been adjusted.', 'security-hardener' ),
+                    'warning'
+                );
+            }
 
             return $sanitized;
@@ -943 +957 @@
                                     'block_user_enum',
                                     __( 'Block user enumeration', 'security-hardener' ),
-                                    __( 'Blocks ?author=N queries, secures REST API user endpoints, and removes users from sitemaps.', 'security-hardener' )
+                                    __( 'Blocks ?author=N queries, canonical redirects, REST API user endpoints, and removes users from sitemaps.', 'security-hardener' )
                                 );
                                 ?>
@@ -963 +977 @@
                                 $this->render_toggle_row(
                                     'rate_limit_login',
-                                    __( 'Login rate limiting', 'security-hardener' )
+                                    __( 'Login rate limiting', 'security-hardener' ),
+                                    __( 'Blocks an IP after repeated failed login attempts.', 'security-hardener' )
                                 );
                                 $this->render_number_row(