Merge branch 'hotfix-0.17.1'
chesio committed Aug 3, 2021
2 parents 81e832f + d558c7f commit 6db17cf
Showing 26 changed files with 75 additions and 73 deletions.
2 changes: 1 addition & 1 deletion bc-security.php
Expand Up @@ -4,7 +4,7 @@
* Plugin Name: BC Security
* Plugin URI: https://github.com/chesio/bc-security
* Description: Helps keeping WordPress websites secure.
* Version: 0.17.0
* Version: 0.17.1
* Author: Česlav Przywara <[email protected]>
* Author URI: https://www.chesio.com
* Requires PHP: 7.3
6 changes: 3 additions & 3 deletions classes/BlueChip/Security/Core/Settings.php
Expand Up @@ -80,7 +80,7 @@ public function __set(string $name, $value)
//// ArrayAccess API ///////////////////////////////////////////////////////

/**
* Return true, if there is any setting available under key $offset.
* Return true if there is any setting available under key $offset.
*
* @internal Implements ArrayAccess interface.
*
Expand Down Expand Up @@ -184,7 +184,7 @@ public function reset(): bool
/**
* Remove the data from database (= hard reset).
*
* @return bool True, if settings have been deleted, false otherwise.
* @return bool True if settings have been deleted, false otherwise.
*/
public function destroy(): bool
{
Expand All @@ -195,7 +195,7 @@ public function destroy(): bool
/**
* Persist the value of data into database.
*
* @return bool True, if settings have been updated (= changed), false otherwise.
* @return bool True if settings have been updated (= changed), false otherwise.
*/
public function persist(): bool
{
4 changes: 2 additions & 2 deletions classes/BlueChip/Security/Helpers/AjaxHelper.php
Expand Up @@ -14,15 +14,15 @@ abstract class AjaxHelper


/**
* Register callback as handler for AJAX action. Handler will be only executed, if nonce check passes.
* Register callback as handler for AJAX action. Handler will be only executed when nonce check passes.
*
* @param string $action
* @param callable $handler
*/
public static function addHandler(string $action, callable $handler)
{
add_action(self::WP_AJAX_PREFIX . $action, function () use ($action, $handler) {
// Check AJAX referer for given action - will die, if invalid.
// Check AJAX referer for given action - will die if invalid.
check_ajax_referer($action);

\call_user_func($handler);
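Review bot: The reworded docblock on addHandler says the handler runs only when the nonce check passes, but `check_ajax_referer($action)` verifies only that the request carries a valid nonce for the action (CSRF protection); it does not establish that the current user may perform the action, so every handler still has to do its own `current_user_can()` check. Stating that in the docblock would prevent the wording from being read as an authorization guarantee, e.g. ` * Note: the nonce check guards against CSRF only; $handler remains responsible for checking user capabilities.` The closure body continues outside the hunk.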
2 changes: 1 addition & 1 deletion classes/BlueChip/Security/Helpers/HaveIBeenPwned.php
Expand Up @@ -22,7 +22,7 @@ abstract class HaveIBeenPwned
/**
* @link https://haveibeenpwned.com/API/v2#PwnedPasswords
* @param string $password Password to check.
* @return bool True, if $password has been previously exposed in a data breach, false if not, null if check failed.
* @return bool True if $password has been previously exposed in a data breach, false if not, null if check failed.
*/
public static function hasPasswordBeenPwned(string $password): ?bool
{
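Review bot: The `@return bool` tag on hasPasswordBeenPwned still contradicts the `?bool` return type declared directly below it, even though the tag text already describes a null result for a failed check; the tag should read `@return bool|null True if $password has been previously exposed in a data breach, false if not, null if check failed.` so static analysers and callers see the nullable contract. The method body is outside the hunk.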
2 changes: 1 addition & 1 deletion classes/BlueChip/Security/Helpers/Is.php
Expand Up @@ -49,7 +49,7 @@ public static function live(): bool
* Return true if current request is of given $type.
*
* @param string $type One of: admin, ajax, cron, frontend or wp-cli.
* @return bool True, if current request is of given $type, false otherwise.
* @return bool True if current request is of given $type, false otherwise.
*/
public static function request(string $type): bool
{
8 changes: 4 additions & 4 deletions classes/BlueChip/Security/Helpers/Plugin.php
Expand Up @@ -25,7 +25,7 @@ abstract class Plugin

/**
* @param string $plugin_basename
* @return string URL of the plugin changelog page or empty string, if it cannot be determined.
* @return string URL of the plugin changelog page or empty string if it cannot be determined.
*/
public static function getChangelogUrl(string $plugin_basename): string
{
Expand Down Expand Up @@ -67,7 +67,7 @@ public static function getChecksumsUrl(string $plugin_basename, array $plugin_da
* Get slug (ie. bc-security) for plugin with given basename (ie. bc-security/bc-security.php).
*
* @param string $plugin_basename
* @return string Plugin slug or empty string, if plugin does not seem to be installed in its own directory.
* @return string Plugin slug or empty string if plugin does not seem to be installed in its own directory.
*/
public static function getSlug(string $plugin_basename): string
{
Expand All @@ -81,7 +81,7 @@ public static function getSlug(string $plugin_basename): string

/**
* @param string $plugin_basename
* @return bool True, if there is readme.txt file present in plugin directory, false otherwise.
* @return bool True if there is readme.txt file present in plugin directory, false otherwise.
*/
public static function hasReadmeTxt(string $plugin_basename): bool
{
Expand All @@ -91,7 +91,7 @@ public static function hasReadmeTxt(string $plugin_basename): bool

/**
* @param string $plugin_basename
* @return bool True, if directory of given plugin seems to be under version control (Subversion or Git).
* @return bool True if directory of given plugin seems to be under version control (Subversion or Git).
*/
public static function isVersionControlled(string $plugin_basename): bool
{
2 changes: 1 addition & 1 deletion classes/BlueChip/Security/Modules/Checklist/Check.php
Expand Up @@ -80,7 +80,7 @@ public function getName(): string


/**
* @return int Timestamp of last run or 0, if no info about last run is available.
* @return int Timestamp of last run or 0 if no info about last run is available.
*/
public function getTimeOfLastRun(): int
{
4 changes: 2 additions & 2 deletions classes/BlueChip/Security/Modules/Checklist/CheckResult.php
Expand Up @@ -16,7 +16,7 @@ class CheckResult


/**
* @param bool|null $status Check result status: false, if check failed; true, if check passed; null for undetermined status.
* @param bool|null $status Check result status: false if check failed; true if check passed; null for undetermined status.
* @param array|string $message Human readable message explaining the result - inline HTML tags are allowed/expected.
*/
public function __construct(?bool $status, $message)
Expand Down Expand Up @@ -54,7 +54,7 @@ public function getMessageAsPlainText(): string


/**
* @return bool|null Check result status: false, if check failed; true, if check passed; null means status is undetermined.
* @return bool|null Check result status: false if check failed; true if check passed; null means status is undetermined.
*/
public function getStatus(): ?bool
{
Expand Up @@ -25,7 +25,7 @@ public function __construct()
__('WordPress core files are untouched', 'bc-security'),
\sprintf(
/* translators: 1: link to Wikipedia article about md5sum, 2: link to checksums file at WordPress.org */
esc_html__('By comparing %1$s of local core files with %2$s it is possible to determine, if any of core files have been modified or if there are any unknown files in core directories.', 'bc-security'),
esc_html__('By comparing %1$s of local core files with %2$s it is possible to determine whether any of core files have been modified or there are any unknown files in core directories.', 'bc-security'),
'<a href="' . esc_url(__('https://en.wikipedia.org/wiki/Md5sum', 'bc-security')) . '" rel="noreferrer">' . esc_html__('MD5 checksums', 'bc-security') . '</a>',
'<a href="' . esc_url(self::getChecksumsUrl()) . '" rel="noreferrer">' . esc_html__('checksums downloaded from WordPress.org', 'bc-security') . '</a>'
)
Expand Up @@ -43,7 +43,7 @@ protected function runInternal(): Checklist\CheckResult

$url = \substr($result['url'], 0, -3) . 'php';

// Check, if access to PHP file is forbidden.
// Check if access to PHP file is forbidden.
$status = Checklist\Helper::isAccessToUrlForbidden($url, $php_file_message);

// Remove temporary PHP file from uploads directory
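Review bot: The line `$url = \substr($result['url'], 0, -3) . 'php';` silently assumes the URL ends in a three-character extension and carries no comment saying so; a short note would make the intent explicit, e.g. `// Build URL of the temporary PHP file by replacing the three-letter extension of the uploaded file with "php".` — presumably $result is the result of writing that temporary file, but it is assigned outside the hunk. runInternal continues beyond both edges of the hunk.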
Expand Up @@ -49,15 +49,17 @@ protected function runInternal(): Checklist\CheckResult
$list_of_unknown_plugins = Helpers\Plugin::implodeList($problematic_plugins['unknown_plugins'], 'DirectoryURL');

if (!empty($list_of_removed_plugins)) {
$message = \sprintf(
esc_html__('Following plugins seem to have been removed from Plugins Directory: %s', 'bc-security'),
$list_of_removed_plugins
);
$message = [
\sprintf(
esc_html__('Following plugins seem to have been removed from Plugins Directory: %s', 'bc-security'),
$list_of_removed_plugins
),
];

if (!empty($list_of_unknown_plugins)) {
// Also report any plugins that could not be checked, just in case.
$message .= '<br>';
$message .= \sprintf(
$message[] = '';
$message[] = \sprintf(
esc_html__('Furthermore, following plugins could not be checked: %s', 'bc-security'),
$list_of_unknown_plugins
);
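Review bot: `$message[] = '';` in the second added block replaces the former `'<br>'` as a paragraph separator, but nothing in the hunk says how an empty array item is rendered; CheckResult's constructor in this commit accepts `array|string $message`, so the behaviour depends on its renderer. A one-line comment would record the intent: `// An empty item renders as an empty line between the two messages.` The hunk starts mid-way through runInternal, so the branch for unknown plugins without removed plugins is outside the hunk.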
Expand Up @@ -12,7 +12,7 @@ class PhpVersionSupported extends Checklist\BasicCheck
private const SUPPORTED_VERSIONS = [
'7.3' => '2021-12-06',
'7.4' => '2022-11-28',
'8.0' => '2023-11026',
'8.0' => '2023-11-26',
];


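Review bot: The corrected `'8.0' => '2023-11-26'` entry shows that a malformed date in SUPPORTED_VERSIONS is caught only by eye; wherever these strings are parsed (outside the hunk, presumably via strtotime or DateTime) a value such as the old `'2023-11026'` would not throw but silently yield a wrong comparison. A unit test asserting each value round-trips through `\DateTimeImmutable::createFromFormat('!Y-m-d', $date)->format('Y-m-d')` would make the constant self-checking, and a comment naming the source of the dates would help future updates, e.g. `// End of security support per https://www.php.net/supported-versions.php`.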
Expand Up @@ -20,7 +20,7 @@ public function __construct()
__('Plugin files are untouched', 'bc-security'),
\sprintf(
/* translators: 1: link to Wikipedia article about md5sum, 2: link to Plugins Directory at WordPress.org */
esc_html__('By comparing %1$s of local plugin files with checksums provided by WordPress.org it is possible to determine, if any of plugin files have been modified or if there are any unknown files in plugin directories. Note that this check works only with plugins installed from %2$s.', 'bc-security'),
esc_html__('By comparing %1$s of local plugin files with checksums provided by WordPress.org it is possible to determine whether any of plugin files have been modified or there are any unknown files in plugin directories. Note that this check works only with plugins installed from %2$s.', 'bc-security'),
'<a href="' . esc_url(__('https://en.wikipedia.org/wiki/Md5sum', 'bc-security')) . '" rel="noreferrer">' . esc_html__('MD5 checksums', 'bc-security') . '</a>',
'<a href="' . esc_url(__('https://wordpress.org/plugins/', 'bc-security')) . '" rel="noreferrer">' . esc_html__('Plugins Directory', 'bc-security') . '</a>'
)
Expand Down Expand Up @@ -67,7 +67,7 @@ protected function runInternal(): Checklist\CheckResult
// Use checksums to find any unknown files.
$unknown_files = Checklist\Helper::scanDirectoryForUnknownFiles($plugin_dir, $plugin_dir, $checksums, true);

// Trigger alert, if any suspicious files have been found.
// Trigger alert if any suspicious files have been found.
if (!empty($modified_files) || !empty($unknown_files)) {
$checksums_verification_failed[$plugin_basename] = \array_merge(
$plugin_data,
12 changes: 6 additions & 6 deletions classes/BlueChip/Security/Modules/Checklist/Helper.php
Expand Up @@ -35,11 +35,11 @@ function (string $file): string {


/**
* Check, if HTTP request to $url results in 403 forbidden response.
* Check if HTTP request to $url results in 403 forbidden response.
*
* Method returns:
* - true, if HTTP request to $url returns HTTP status 403.
* - false, if HTTP request to $url returns HTTP status 200 and response body is equal to $body (if given) or 404
* - true if HTTP request to $url returns HTTP status 403.
* - false if HTTP request to $url returns HTTP status 200 and response body is equal to $body (if given) or 404
* is returned (meaning file does not exist, but access is not forbidden).
* - null, in all other cases: especially if HTTP request to $url fails or other HTTP status than 200, 403 or 404
* is returned. Null is also returned for HTTP status 200 if response body is different than $body (if given).
Expand All @@ -50,12 +50,12 @@ function (string $file): string {
*/
public static function isAccessToUrlForbidden(string $url, ?string $body = null): ?bool
{
// Try to get provided URL. Use HEAD request for simplicity, if response body is of no interest.
// Try to get provided URL. Use HEAD request for simplicity if response body is of no interest.
$response = \is_string($body) ? wp_remote_get($url) : wp_remote_head($url);

switch (wp_remote_retrieve_response_code($response)) {
case 200:
// Status suggests that URL can be accessed, but check response body too, if given.
// Status suggests that URL can be accessed, but check response body too if given.
return \is_string($body) ? ((wp_remote_retrieve_body($response) === $body) ? false : null) : false;
case 403:
// Status suggests that access to URL is forbidden.
Expand Down Expand Up @@ -93,7 +93,7 @@ public static function checkDirectoryForModifiedFiles(string $path, object $chec
// Get absolute file path.
$pathname = $path . $filename;

// Check, if file exists (skip non-existing files).
// Check whether file exists (skip non-existing files).
if (!\file_exists($pathname)) {
continue;
}
2 changes: 1 addition & 1 deletion classes/BlueChip/Security/Modules/Checklist/Manager.php
Expand Up @@ -78,7 +78,7 @@ public function constructChecks(\wpdb $wpdb, string $google_api_key): array
// Display of errors should be off in live environment.
Checks\DisplayOfPhpErrorsIsOff::getId() => new Checks\DisplayOfPhpErrorsIsOff(),

// Error log should not be publicly visible, if debugging is on.
// Error log should not be publicly visible if debugging is on.
Checks\ErrorLogNotPubliclyAccessible::getId() => new Checks\ErrorLogNotPubliclyAccessible(),

// There should be no obvious usernames.
4 changes: 2 additions & 2 deletions classes/BlueChip/Security/Modules/Cron/Job.php
Expand Up @@ -48,7 +48,7 @@ public function __construct(string $hook, $time, string $recurrence)


/**
* Schedule this cron job, if not scheduled yet.
* Schedule this cron job if not scheduled yet.
*
* @return bool True if cron job has been activated or was already active, false otherwise.
*/
Expand Down Expand Up @@ -110,7 +110,7 @@ public static function getTimestamp(string $time_string): int
// Assume $time_string denotes actual time like '01:02:03'.
$time = $time_string;
}
// Get time zone from settings. Fall back to UTC, if option is empty.
// Get time zone from settings. Fall back to UTC if option is empty.
$time_zone = new \DateTimeZone(get_option('timezone_string') ?: 'UTC');
// Get DateTime object.
$date = new \DateTime($time, $time_zone);
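Review bot: `$date = new \DateTime($time, $time_zone);` on the last context line of getTimestamp creates a mutable object; if the remainder of the method (outside the hunk) adjusts it with `modify()` or `setTime()`, `\DateTimeImmutable` would express the intent more clearly and rule out aliasing, i.e. `$date = new \DateTimeImmutable($time, $time_zone);`. The `?: 'UTC'` fallback on the line above is appropriate here, since an empty `timezone_string` option is exactly the case being handled.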
4 changes: 2 additions & 2 deletions classes/BlueChip/Security/Modules/Cron/Manager.php
Expand Up @@ -66,7 +66,7 @@ public function getJob(string $hook): Job


/**
* Activate cron job: schedule the job and mark it as permanently active, if scheduling succeeds.
* Activate cron job: schedule the job and mark it as permanently active if scheduling succeeds.
*
* @param string $hook
* @return bool True if cron job has been activated or was active already, false otherwise.
Expand All @@ -82,7 +82,7 @@ public function activateJob(string $hook): bool


/**
* Deactivate cron job: unschedule the job and mark it as permanently inactive, if unscheduling succeeds.
* Deactivate cron job: unschedule the job and mark it as permanently inactive if unscheduling succeeds.
*
* @param string $hook
* @return bool True if cron job has been deactivated or was inactive already, false otherwise.
6 changes: 3 additions & 3 deletions classes/BlueChip/Security/Modules/Hardening/Core.php
Expand Up @@ -72,7 +72,7 @@ public function init()
if ($this->settings[Settings::CHECK_PASSWORDS]) {
// Check user password on successful login.
add_action('wp_login', [$this, 'checkUserPassword'], 10, 2);
// Display warning notice, if pwned password has been detected for current user.
// Display warning notice if pwned password has been detected for current user.
add_action('current_screen', [$this, 'displayPasswordPwnedNotice'], 10, 1);
}
if ($this->settings[Settings::VALIDATE_PASSWORDS]) {
Expand Down Expand Up @@ -207,7 +207,7 @@ public function filterAuthorQuery(array $query_vars): array
* @link https://hackertarget.com/wordpress-user-enumeration/
*
* @param array $query_vars
* @return bool True, if `author` key is present and its value is either an array or can be seen as numeric.
* @return bool True if `author` key is present and its value is either an array or can be seen as numeric.
*/
protected static function smellsLikeAuthorScan(array $query_vars): bool
{
Expand Down Expand Up @@ -261,7 +261,7 @@ public function checkUserPassword(string $username, \WP_User $user)


/**
* Display password pwned notice, if user's password is marked as pwned.
* Display password pwned notice if user's password is marked as pwned.
*
* @action https://developer.wordpress.org/reference/hooks/current_screen/
*
4 changes: 2 additions & 2 deletions classes/BlueChip/Security/Modules/IpBlacklist/AdminPage.php
Expand Up @@ -273,14 +273,14 @@ private function processBlacklistAction()
$scope = \filter_input(INPUT_POST, 'scope', FILTER_VALIDATE_INT);
$comment = \filter_input(INPUT_POST, 'comment', FILTER_SANITIZE_STRING);

// Check, if input is formally valid.
// Check whether input is formally valid.
if (empty($ip_address) || empty($duration_length) || empty($duration_unit) || empty($scope)) {
return;
}

$duration = $duration_length * $duration_unit;

// Check, if input is semantically valid.
// Check whether input is semantically valid.
if (($duration <= 0) || !\in_array($scope, [LockScope::ADMIN, LockScope::COMMENTS, LockScope::WEBSITE], true)) {
return;
}
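Review bot: `\filter_input(INPUT_POST, 'comment', FILTER_SANITIZE_STRING)` on the second context line of processBlacklistAction uses a filter that is deprecated as of PHP 8.1, and stripping tags at input does not remove the need for context-appropriate escaping wherever `$comment` is later displayed. Reading the raw value (`FILTER_UNSAFE_RAW`) and normalising it with WordPress's `sanitize_text_field()`, then escaping with `esc_html()` at render time, is the usual replacement. The rest of the method, including where `$comment` is stored, is outside the hunk.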
12 changes: 6 additions & 6 deletions classes/BlueChip/Security/Modules/IpBlacklist/Bouncer.php
Expand Up @@ -6,8 +6,8 @@

/**
* Bouncer takes care of bouncing uninvited guests by:
* 1) Blocking access to website, if remote IP address cannot be determined.
* 2) Blocking access to website, if remote IP address is on website blacklist.
* 1) Blocking access to website when remote IP address cannot be determined.
* 2) Blocking access to website when remote IP address is on website blacklist.
*/
class Bouncer implements \BlueChip\Security\Modules\Initializable, \BlueChip\Security\Modules\Loadable
{
Expand Down Expand Up @@ -38,12 +38,12 @@ public function __construct(string $remote_address, Manager $bl_manager)
*/
public function load()
{
// In case of non-cli context, if remote IP address is invalid, die immediately.
// In case of non-cli context or if remote IP address is invalid, die immediately.
if (!Helpers\Is::cli() && empty($this->remote_address)) {
self::blockAccessTemporarily();
}

// Check, if access to website is allowed.
// Check if access to website is allowed.
add_filter('plugins_loaded', [$this, 'checkAccess'], 1, 0); // Leave priority 0 for site maintainers.
}

Expand Down Expand Up @@ -78,7 +78,7 @@ public static function blockAccessTemporarily(string $ip_address = '')
//// Hookers - public methods that should in fact be private

/**
* Block access to the website, if remote IP address is locked.
* Block access to the website when remote IP address is locked.
*/
public function checkAccess()
{
Expand All @@ -89,7 +89,7 @@ public function checkAccess()


/**
* Block access to the login, if remote IP address is locked.
* Block access to the login when remote IP address is locked.
*
* @param \WP_Error|\WP_User $user
* @return \WP_Error|\WP_User
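Review bot: The reworded comment in load() (`// In case of non-cli context or if remote IP address is invalid, die immediately.`) contradicts the condition directly below it, `!Helpers\Is::cli() && empty($this->remote_address)`, which requires both a non-CLI context and an empty remote address; assuming the second printed line is the new wording, "or" should not be there. Something like `// Outside of CLI context, die immediately if remote IP address could not be determined.` describes the actual guard. The other hunks in this file change comment wording only and match their code.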
