Merge branch 'release-0.16'

chesio · Sep 22, 2020 · 5b94b21 · 5b94b21
2 parents a7a3397 + 2bd757c
commit 5b94b21
Show file tree

Hide file tree

Showing 12 changed files with 165 additions and 73 deletions.
diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml
@@ -4,10 +4,14 @@ on:
   pull_request:
     paths:
       - 'composer.*'
+      - phpcs.xml
+      - phpstan.neon
       - '**.php'
   push:
     paths:
       - 'composer.*'
+      - phpcs.xml
+      - phpstan.neon
       - '**.php'
 
 jobs:

diff --git a/README.md b/README.md
@@ -1,11 +1,15 @@
 # BC Security
 
-Helps keeping WordPress websites secure.
+[![GitHub Actions](https://github.com/chesio/bc-security/workflows/CI%20test%20suite/badge.svg)](https://github.com/chesio/bc-security/actions)
+[![Packagist](https://img.shields.io/packagist/v/chesio/bc-security.svg?color=34D058&style=popout)](https://packagist.org/packages/chesio/bc-security)
+
+
+A WordPress plugin that helps keeping WordPress websites secure.
 
 ## Requirements
 
 * [PHP](https://secure.php.net/) 7.2 or newer
-* [WordPress](https://wordpress.org/) 5.3 or newer
+* [WordPress](https://wordpress.org/) 5.5 or newer
 
 ## Limitations
 
@@ -25,20 +29,9 @@ wp plugin install [--activate] https://github.com/chesio/bc-security/archive/mas
 
 ### Using Composer
 
-BC Security is not available (yet) at [Packagist](https://packagist.org/), but you can install and update it via Composer if you add plugin repository to your project's `composer.json` file:
-
-```json
-{
-  "repositories": [
-    {
-      "type": "git",
-      "url": "https://github.com/chesio/bc-security"
-    }
-  ]
-}
-```
+[Composer](https://getcomposer.org/) is a great tool for managing PHP project dependencies. Although WordPress itself does not make it easy to use Composer to manage WordPress installation as a whole, there are [multiple](https://composer.rarst.net/recipe/site-stack/) [ways](https://roots.io/bedrock/) how to do it.
 
-Then just run `composer require chesio/bc-security` as usual.
+BC Security is available at [Packagist](https://packagist.org/packages/chesio/bc-security), so just run `composer require chesio/bc-security` as usual.
 
 ### Using Git
 
@@ -76,14 +69,16 @@ You may also optionally provide Google API key if you want to check your website
 
 BC Security can help you find potential security issues or even signs of breach.
 
+Since security measures for development instalations do not have to be as strict as for live installations, some checks are run only in *live environment*. A *live environment* is determined as one where [`wp_get_environment_type()`](https://developer.wordpress.org/reference/functions/wp_get_environment_type/) returns either `production` or `staging`, but there is a [dedicated filter](#customization) that can be used to override *live environment* detection.
+
 #### Basic checks
 
 Basic checks cover common security practices. They do not require any information from third party sources to proceed and thus do not leak any information about your website:
 
 1. Is backend editing of plugin and theme PHP files disabled?
 1. Are directory listings disabled?
 1. Is execution of PHP files from uploads directory forbidden?
-1. Is display of PHP errors off by default? This check is only run in live environment (by default when `WP_ENV === 'production'` or `WP_ENV === 'staging'`, but this can be [customized via a filter](#customization)).
+1. Is display of PHP errors off by default? This check is only run in *live environment*.
 1. Is error log file not publicly available? This check is only run if both `WP_DEBUG` and `WP_DEBUG_LOG` constants are set to true.
 1. Are there no common usernames like admin or administrator on the system?
 1. Are user passwords hashed with [more secure hashing algorithm](https://roots.io/improving-wordpress-password-security/) than MD5 used by [WordPress by default](https://core.trac.wordpress.org/ticket/21022)?
@@ -115,7 +110,7 @@ Although plugins can be removed from [Plugins Directory](https://wordpress.org/p
 
 ##### Safe Browsing check
 
-Checks whether your website is included on any of Google's [lists of unsafe web resources](https://developers.google.com/safe-browsing/) - this is usually a solid indicator of compromise. Note that for this check to run you have to provide [properly configured API key](https://developers.google.com/safe-browsing/v4/urls-hashing) via [plugin setup](#setup).
+Checks whether your website is included on any of Google's [lists of unsafe web resources](https://developers.google.com/safe-browsing/) - this is usually a solid indicator of compromise. Note that for this check to run you have to provide [properly configured API key](https://developers.google.com/safe-browsing/v4/urls-hashing) via [plugin setup](#setup). This check is only run in *live environment*.
 
 #### Checklist monitoring
 

diff --git a/bc-security.php b/bc-security.php
@@ -1,14 +1,15 @@
 <?php
+
 /**
  * Plugin Name: BC Security
  * Plugin URI: https://github.com/chesio/bc-security
  * Description: Helps keeping WordPress websites secure.
- * Version: 0.15.2
+ * Version: 0.16.0
  * Author: Česlav Przywara <[email protected]>
  * Author URI: https://www.chesio.com
  * Requires PHP: 7.2
- * Requires WP: 5.3
- * Tested up to: 5.4
+ * Requires WP: 5.5
+ * Tested up to: 5.5
  * Text Domain: bc-security
  * GitHub Plugin URI: https://github.com/chesio/bc-security
  */
@@ -58,7 +59,6 @@
 register_activation_hook(__FILE__, [$bc_security, 'activate']);
 // Register deactivation hook.
 register_deactivation_hook(__FILE__, [$bc_security, 'deactivate']);
-// Ideally, uninstall hook would be registered here, but WordPress allows only static method in uninstall hook...
 
 // Load the plugin.
 $bc_security->load();
diff --git a/classes/BlueChip/Security/Helpers/Is.php b/classes/BlueChip/Security/Helpers/Is.php
@@ -40,7 +40,7 @@ public static function live(): bool
         // Consider both production and staging environment as live.
         return apply_filters(
             Hooks::IS_LIVE,
-            \defined('WP_ENV') && ((WP_ENV === 'production') || (WP_ENV === 'staging'))
+            \in_array(wp_get_environment_type(), ['production', 'staging'], true)
         );
     }
 

diff --git a/classes/BlueChip/Security/Modules/Log/Events/LoginFailure.php b/classes/BlueChip/Security/Modules/Log/Events/LoginFailure.php
@@ -23,6 +23,20 @@ class LoginFailure extends Event
      */
     protected $username = '';
 
+    /**
+     * __('Error code')
+     *
+     * @var string Reason why login failed as error code.
+     */
+    protected $error_code = '';
+
+    /**
+     * __('Error message')
+     *
+     * @var string Reason why login failed as human-readable message.
+     */
+    protected $error_message = '';
+
 
     public function getName(): string
     {
@@ -36,6 +50,28 @@ public function getMessage(): string
     }
 
 
+    /**
+     * Set reason why login attempt failed.
+     *
+     * @param \WP_Error $error
+     *
+     * @return self
+     */
+    public function setError(\WP_Error $error): self
+    {
+        $this->error_code = $error->get_error_code();
+        $this->error_message = $error->get_error_message();
+        return $this;
+    }
+
+
+    /**
+     * Set username used in failed login attempt (if any).
+     *
+     * @param string $username
+     *
+     * @return self
+     */
     public function setUsername(string $username): self
     {
         $this->username = $username;

diff --git a/classes/BlueChip/Security/Modules/Log/EventsMonitor.php b/classes/BlueChip/Security/Modules/Log/EventsMonitor.php
@@ -35,7 +35,7 @@ public function init()
         add_action('auth_cookie_bad_username', [$this, 'logBadCookie'], 5, 1);
         add_action('auth_cookie_bad_hash', [$this, 'logBadCookie'], 5, 1);
         // - failed login
-        add_action('wp_login_failed', [$this, 'logFailedLogin'], 5, 1);
+        add_action('wp_login_failed', [$this, 'logFailedLogin'], 5, 2);
         // - successful login
         add_action('wp_login', [$this, 'logSuccessfulLogin'], 5, 1);
         // - 404 query (only if request did not originate from the webserver itself)
@@ -84,10 +84,11 @@ public function logBadCookie(array $cookie_elements)
      * Log failed login.
      *
      * @param string $username
+     * @param \WP_Error $error
      */
-    public function logFailedLogin(string $username)
+    public function logFailedLogin(string $username, \WP_Error $error)
     {
-        do_action(Action::EVENT, (new Events\LoginFailure())->setUsername($username));
+        do_action(Action::EVENT, (new Events\LoginFailure())->setUsername($username)->setError($error));
     }
 
 

diff --git a/composer.json b/composer.json
@@ -2,7 +2,7 @@
   "name": "chesio/bc-security",
   "type": "wordpress-plugin",
   "license": "Unlicense",
-  "description": "Helps keeping WordPress websites secure.",
+  "description": "A WordPress plugin that helps keeping WordPress websites secure.",
   "homepage": "https://github.com/chesio/bc-security",
   "authors": [
     {