
Changeset 3466602

Timestamp:
02/21/2026 09:26:38 PM (11 days ago)
Author:
Marc4
Message:

v0.7

Location:
security-hardener
Files:
4 added
3 deleted
2 edited

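--- a/security-hardener/trunk/readme.txt
+++ b/security-hardener/trunk/readme.txt
@@ -5,9 +5,9 @@
 Tested up to: 6.9
 Requires PHP: 8.0
-Stable tag: 0.6
+Stable tag: 0.
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
-Basic hardening: secure headers, user enumeration blocking, generic login errors, IP-based rate limiting, and comprehensive WordPress security improvements.
+Basic hardening: secure headers, user enumeration blocking, generic login errors, IP-based rate limiting, and WordPress security improvements.
 
 == Description ==
@@ -161,5 +161,13 @@
 == Changelog ==
 
-= 0.6 - 2026-21-02 =
+= 0.7 - 2026-02-21 =
+* Fixed: WPSH_VERSION constant updated to match plugin header version
+* Fixed: Added wp_unslash() and sanitize_text_field() to $_GET['author'] in prevent_author_redirect()
+* Fixed: Moved HTML markup outside translatable strings in generic_login_errors(), check_login_rate_limit(), and field descriptions for "Disable all file modifications" and "Enable HSTS"
+* Security: Added CSRF protection to "Clear Logs" action via wp_nonce_url() and wp_verify_nonce()
+* Improved: Added missing hardening recommendations to admin page: BasicAuth protection for wp-admin and changing the default database table prefix
+* Fixed: Corrected date format in changelog entries (YYYY-MM-DD)
+
+= 0.6 - 2026-02-21 =
 * Fixed: Removed deprecated load_plugin_textdomain() call (automatic since WordPress 4.6)
 * Fixed: Added wp_unslash() and sanitize_text_field() to $_GET['author'] before sanitization
@@ -171,5 +179,5 @@
 * Fixed: Removed redundant function_exists() check for wp_cache_flush() in uninstall.php
 
-= 0.5 - 2026-09-02 =
+= 0.5 - 2026-0 =
 * Complete rewrite following WordPress hardening best practices
 * Increased minimum PHP requirement to 8.0 (PHP 7.4 is end-of-life)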
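--- a/security-hardener/trunk/security-hardener.php
+++ b/security-hardener/trunk/security-hardener.php
@@ -4,5 +4,5 @@
 Plugin URI: https://wordpress.org/plugins/security-hardener/
 Description: Basic hardening: secure headers, disable XML-RPC/pingbacks, hide version, block user enumeration, login errors, IP-based rate limiting, and optional restriction of the REST API.
-Version: 0.6
+Version: 0.
 Requires at least: 6.0
 Tested up to: 6.9
@@ -20,5 +20,5 @@
 
 // Plugin constants
-define( 'WPSH_VERSION', '0.5' );
+define( 'WPSH_VERSION', '0.' );
 define( 'WPSH_FILE', __FILE__ );
 define( 'WPSH_DIR', plugin_dir_path( __FILE__ ) );
@@ -352,5 +352,6 @@
         public function prevent_author_redirect( $redirect_url, $requested_url ) {
             // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only check
-            if ( isset( $_GET['author'] ) && is_numeric( $_GET['author'] ) ) {
+            $author = isset( $_GET['author'] ) ? sanitize_text_field( wp_unslash( $_GET['author'] ) ) : null;
+            if ( null !== $author && is_numeric( $author ) ) {
                 return false; // Cancel redirect
             }
@@ -414,5 +415,5 @@
 
             // Return generic error message
-            return __( '<strong>Error:</strong> Invalid username or password.', 'security-hardener' );
+            return Invalid username or password.', 'security-hardener' );
         }
 
@@ -456,7 +457,7 @@
                 return new WP_Error(
                     'too_many_attempts',
-                    sprintf(
+                    sprintf(
                         /* translators: %d: number of minutes */
-                        __( '<strong>Error:</strong> Too many failed login attempts. Please try again in %d minutes.', 'security-hardener' ),
+                        Too many failed login attempts. Please try again in %d minutes.', 'security-hardener' ),
                         $minutes
                     )
@@ -691,5 +692,5 @@
 
             $this->add_checkbox_field( 'disable_file_edit', __( 'Disable file editor', 'security-hardener' ), 'wpsh_file_editing', __( 'Prevents editing of theme and plugin files through WordPress admin.', 'security-hardener' ) );
-            $this->add_checkbox_field( 'disable_file_mods', __( 'Disable all file modifications', 'security-hardener' ), 'wpsh_file_editing', __( '<strong>Warning:</strong> This will disable plugin/theme updates and installations.', 'security-hardener' ) );
+            $this->add_checkbox_field( 'disable_file_mods', __( 'Disable all file modifications', 'security-hardener' ), 'wpsh_file_editing', This will disable plugin/theme updates and installations.', 'security-hardener' ) );
 
             // XML-RPC section
@@ -789,5 +790,5 @@
             );
 
-            $this->add_checkbox_field( 'enable_hsts', __( 'Enable HSTS', 'security-hardener' ), 'wpsh_hsts', __( '<strong>Warning:</strong> Only enable if your site fully supports HTTPS.', 'security-hardener' ) );
+            $this->add_checkbox_field( 'enable_hsts', __( 'Enable HSTS', 'security-hardener' ), 'wpsh_hsts', Only enable if your site fully supports HTTPS.', 'security-hardener' ) );
             $this->add_checkbox_field( 'hsts_subdomains', __( 'Include subdomains', 'security-hardener' ), 'wpsh_hsts' );
             $this->add_checkbox_field( 'hsts_preload', __( 'Enable preload', 'security-hardener' ), 'wpsh_hsts', __( 'Submit to <a href="https://hstspreload.org/" target="_blank">HSTS Preload List</a> (requires 1 year max-age).', 'security-hardener' ) );
@@ -965,4 +966,6 @@
                     <li><?php esc_html_e( 'Restrict file permissions (directories: 755, files: 644)', 'security-hardener' ); ?></li>
                     <li><?php esc_html_e( 'Consider using a Web Application Firewall (WAF)', 'security-hardener' ); ?></li>
+
+
                 </ul>
 
@@ -1025,5 +1028,5 @@
             </table>
             <p>
-                <a href="<?php echo esc_url( admin_url( 'options-general.php?page=security-hardener&action=clear_logs' ) ); ?>"
+                <a href="<?php echo esc_url( clear_logs' ) ); ?>"
                    class="button"
                    onclick="return confirm('<?php esc_attr_e( 'Are you sure you want to clear all security logs?', 'security-hardener' ); ?>');">
@@ -1038,8 +1041,10 @@
          */
         public function show_admin_notices() {
-            // Clear logs action
+            // Clear logs action
             // phpcs:ignore WordPress.Security.NonceVerification.Recommended
             if ( isset( $_GET['action'] ) && 'clear_logs' === $_GET['action'] && current_user_can( 'manage_options' ) ) {
-                // Verify nonce would be better, but this is acceptable for read-only admin pages
+                if ( ! isset( $_GET['_wpnonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ), 'wpsh_clear_logs' ) ) {
+                    wp_die( esc_html__( 'Security check failed.', 'security-hardener' ) );
+                }
                 delete_option( 'wpsh_security_logs' );
                 ?>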
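Review bot: The `// phpcs:ignore WordPress.Security.NonceVerification.Recommended` suppression kept at new line 1045 of show_admin_notices() is now stale, because the nonce is verified at 1046–1048 before delete_option() runs; a blanket ignore on that line will also mask any future regression of the check it sits above, so drop it or replace it with a comment that states the ordering, e.g. `// $_GET['action'] is only read here; the nonce is verified below before any state change`. The three added lines are also what the core helper `check_admin_referer( 'wpsh_clear_logs' );` already does (reads `_wpnonce`, verifies it, dies on failure), so the hand-rolled isset/wp_verify_nonce/wp_die chain could be that one call. Several new-side lines in this section (417, 461, 694, 792, 1030 and both version lines) appear to have lost text in the rendering — presumably the `'<strong>' . __( 'Error:' … )` concatenation and the wp_nonce_url() call the changelog describes — so the reviewed code should be confirmed against the raw file rather than this view. show_admin_notices() continues past the end of the hunk.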