Merge branch 'release-0.21.0'

.github/workflows/integrate.yml

@@ -49,7 +49,7 @@ jobs:
       - name: "Set up PHP"
         uses: "shivammathur/setup-php@v2"
         with:
-          php-version: "7.3"
+          php-version: "8.0"
           extensions: "mbstring"
           coverage: "none"
 
@@ -75,8 +75,6 @@ jobs:
           - "8.2"
           - "8.1"
           - "8.0"
-          - "7.4"
-          - "7.3"
         dependencies:
           - "lowest"
           - "locked"

CHANGELOG.md

@@ -1,7 +1,23 @@
 # BC Security Changelog
 
+## Upcoming version 0.21.0 (2023-08-17)
+
+PHP 8.0 or newer and WordPress 6.0 or newer are now required!
+
+### Added
+
+* WordPress 6.3 is supported [#141](https://github.com/chesio/bc-security/issues/141).
+* Block rules with "website" access scope in internal blocklist can now be synced with `.htaccess` file [#142](https://github.com/chesio/bc-security/issues/142).
+* Remote IP addresses that are scanning your website for weaknesses can be automatically for configured amount of time [#132](https://github.com/chesio/bc-security/issues/132).
+
+### Changed
+
+* PHP 8.0 is required and the policy to run on supported PHP versions only has been restored [#117](https://github.com/chesio/bc-security/issues/117).
+
 ## Version 0.20.1 (2023-04-11)
 
+### Fixed
+
 * Validate IP addresses to avoid potential security issues [#138](https://github.com/chesio/bc-security/issues/138).
 * List of supported PHP versions for PHP version check has been updated to include PHP 8.2 and exclude PHP 7.4 [#137](https://github.com/chesio/bc-security/issues/137).
 

README.md

@@ -9,8 +9,8 @@ A WordPress plugin that helps keeping WordPress websites secure.
 
 ## Requirements
 
-* [PHP](https://www.php.net/) 7.3 or newer
-* [WordPress](https://wordpress.org/) 5.9 or newer
+* [PHP](https://www.php.net/) 8.0 or newer
+* [WordPress](https://wordpress.org/) 6.0 or newer
 
 ## Limitations
 
@@ -140,12 +140,34 @@ Passwords are validated on user creation, password change or password reset. If
 1. BC Security allows you to limit number of login attempts from single IP address. Implementation of this feature is heavily inspired by popular [Limit Login Attempts](https://wordpress.org/plugins/limit-login-attempts/) plugin with an extra feature of immediate blocking of specific usernames (like _admin_ or _administrator_).
 2. BC Security offers an option to only display generic error message as a result of failed login attempt when wrong username, email or password is provided.
 
+### Bad requests banner
+
+Remote IP addresses that are scanning your website for weaknesses can be automatically [locked from access](#internal-blocklist) for configured amount of time. Such scanners can be usually quite easily detected because while scanning a website they trigger a lot of 404 errors and URLs they try to access differ from "valid" 404 errors: usually they try to find a known vulnerable plugin file, forgotten backup file or PHP script used for administrative purposes.
+
+There are two built-in rules available (they are not active by default):
+1. ban when non-existent PHP file is requested (any URL ending with `.php`)
+2. ban when backup file is requested (any URL targeting file with `backup` in basename or with `.back`, `.old` or `.tmp` extension)
+
+You may define custom rules as well (in form of regular expression).
+
 ### Internal blocklist
 
-BC Security maintains a list of IP addresses with limited access to the website. This list is automatically populated by [Login Security](#login-security) module, but manual addition of IP addresses is also possible.
+BC Security maintains a list of IP addresses with limited access to the website. This list is automatically populated by [Login security](#login-security) and [Bad requests banner](#bad-requests-banner) modules, but manual addition of IP addresses is also possible.
 
 Out-dated records are automatically removed from the list by WP-Cron job scheduled to run every night. The job can be deactivated in backend, if desired.
 
+#### Synchronization with .htaccess file
+
+**On Apache webserver in version 2.3 or newer**, block rules with "website" access scope can be automatically synchronized with `.htaccess` file. This makes access blocking much more powerful as all requests to the webserver are blocked this way and not only the ones handled by WordPress.
+
+This feature must be however set up manually - following two lines have to be added at the top of root `.htaccess` file in order for it to work:
+```.apacheconf
+# BEGIN BC Security
+# END BC Security
+```
+
+After you have completed the setup, either wait for automatic synchronization to kick in on next *locking* event or run manual synchronization from the administration page.
+
 ### External blocklist
 
 In addition to [internal blocklist](#internal-blocklist), BC Security can be configured to fetch list of IP addresses to block from external sources. Currently only [Amazon AWS IP ranges](https://ip-ranges.amazonaws.com/ip-ranges.json) can be used this way.

autoload.php

@@ -9,7 +9,7 @@
 // Register autoload function
 \spl_autoload_register(function (string $class) {
     // Only autoload classes shipped with the plugin.
-    if (!\str_starts_with($class, 'BlueChip\\Security') && !\str_starts_with($class, 'Psr\\Log')) {
+    if (!\str_starts_with($class, 'BlueChip\\Security\\') && !\str_starts_with($class, 'Psr\\Log\\')) {
         return;
     }
 

bc-security.php

@@ -4,24 +4,24 @@
  * Plugin Name: BC Security
  * Plugin URI: https://github.com/chesio/bc-security
  * Description: Helps keeping WordPress websites secure.
- * Version: 0.20.1
+ * Version: 0.21.0
  * Author: Česlav Przywara <[email protected]>
  * Author URI: https://www.chesio.com
- * Requires PHP: 7.3
- * Requires WP: 5.9
- * Tested up to: 6.2
+ * Requires PHP: 8.0
+ * Requires WP: 6.0
+ * Tested up to: 6.3
  * Text Domain: bc-security
  * GitHub Plugin URI: https://github.com/chesio/bc-security
  * Update URI: https://github.com/chesio/bc-security
  */
 
-if (version_compare(PHP_VERSION, '7.3', '<')) {
+if (version_compare(PHP_VERSION, '8.0', '<')) {
     // Warn user that his/her PHP version is too low for this plugin to function.
     add_action('admin_notices', function () {
         echo '<div class="notice notice-error"><p>';
         echo esc_html(
             sprintf(
-                __('BC Security plugin requires PHP 7.3 to function properly, but you have version %s installed. The plugin has been auto-deactivated.', 'bc-security'),
+                __('BC Security plugin requires PHP 8.0 to function properly, but you have version %s installed. The plugin has been auto-deactivated.', 'bc-security'),
                 PHP_VERSION
             )
         );

classes/BlueChip/Security/Admin.php

@@ -21,7 +21,7 @@ class Admin
     /**
      * @var \BlueChip\Security\Core\Admin\AbstractPage[]
      */
-    private $pages = [];
+    private array $pages = [];
 
 
     /**

classes/BlueChip/Security/Core/Admin/AbstractPage.php

@@ -20,12 +20,12 @@ abstract class AbstractPage
     /**
      * @var string Page title for menu
      */
-    protected $menu_title;
+    protected string $menu_title;
 
     /**
      * @var string Page title for browser window
      */
-    protected $page_title;
+    protected string $page_title;
 
 
     /**

classes/BlueChip/Security/Core/Admin/CountablePage.php

@@ -2,23 +2,25 @@
 
 namespace BlueChip\Security\Core\Admin;
 
+use BlueChip\Security\Modules\Countable;
+
 /**
  * Provide information for counter displayed along page menu item.
  */
 trait CountablePage
 {
     /**
-     * @var \BlueChip\Security\Modules\Countable An object that provides the actual counter value to be displayed.
+     * @var Countable An object that provides the actual counter value to be displayed.
      */
-    protected $counter;
+    protected Countable $counter;
 
 
     /**
      * Set counter that provides count to be displayed along main menu item for this page.
      *
-     * @param \BlueChip\Security\Modules\Countable $counter
+     * @param Countable $counter
      */
-    protected function setCounter(\BlueChip\Security\Modules\Countable $counter): void
+    protected function setCounter(Countable $counter): void
     {
         $this->counter = $counter;
     }

classes/BlueChip/Security/Core/Admin/ListingPage.php

@@ -2,34 +2,26 @@
 
 namespace BlueChip\Security\Core\Admin;
 
+use BlueChip\Security\Core\ListTable;
+
 trait ListingPage
 {
-    /**
-     * @var \BlueChip\Security\Core\ListTable
-     */
-    private $list_table;
+    private ListTable $list_table;
 
-    /**
-     * @var string
-     */
-    private $per_page_option_name;
+    private string $per_page_option_name;
 
 
     abstract protected function initListTable(): void;
 
 
     /**
      * @link https://developer.wordpress.org/reference/hooks/set-screen-option/
-     *
-     * @param string $option_name
      */
     private function setPerPageOption(string $option_name): void
     {
         $this->per_page_option_name = $option_name;
 
-        add_filter('set-screen-option', function ($status, $option, $value) use ($option_name) {
-            return ($option === $option_name) ? (int) $value : $status;
-        }, 10, 3);
+        add_filter('set-screen-option', fn (mixed $screen_option, string $option, int $value): mixed => ($option === $option_name) ? $value : $screen_option, 10, 3);
     }
 
 

classes/BlueChip/Security/Core/Admin/PageWithAssets.php

@@ -6,15 +6,9 @@
 
 trait PageWithAssets
 {
-    /**
-     * @var \BlueChip\Security\Core\AssetsManager
-     */
-    private $assets_manager;
+    private AssetsManager $assets_manager;
 
 
-    /**
-     * @param \BlueChip\Security\Core\AssetsManager $assets_manager
-     */
     protected function useAssetsManager(AssetsManager $assets_manager): void
     {
         $this->assets_manager = $assets_manager;

classes/BlueChip/Security/Core/Admin/SettingsPage.php

@@ -2,6 +2,8 @@
 
 namespace BlueChip\Security\Core\Admin;
 
+use BlueChip\Security\Core\Settings;
+
 /**
  * Common settings API boilerplate for admin pages.
  */
@@ -10,35 +12,33 @@ trait SettingsPage
     /**
      * @var string Option group
      */
-    protected $option_group;
+    protected string $option_group;
 
     /**
      * @var string Option name
      */
-    protected $option_name;
+    protected string $option_name;
 
     /**
      * @var string|null Recent page serves as default $page for add_settings_field() and add_settings_section() functions.
      */
-    protected $recent_page = null;
+    protected ?string $recent_page = null;
 
     /**
      * @var string|null Recent section serves as default $section for add_settings_field() function.
      */
-    protected $recent_section = null;
+    protected ?string $recent_section = null;
 
     /**
-     * @var \BlueChip\Security\Core\Settings Object with actual settings.
+     * @var Settings Object with actual settings.
      */
-    protected $settings;
+    protected Settings $settings;
 
 
     /**
      * @link https://codex.wordpress.org/Settings_API
-     *
-     * @param \BlueChip\Security\Core\Settings $settings
      */
-    protected function useSettings(\BlueChip\Security\Core\Settings $settings): void
+    protected function useSettings(Settings $settings): void
     {
         // Remember the settings.
         $this->settings = $settings;

classes/BlueChip/Security/Core/AssetsManager.php

@@ -14,18 +14,12 @@ class AssetsManager
      */
     private const JS_ASSETS_DIRECTORY_PATH = 'assets/js/';
 
-    /**
-     * @var string Absolute path to main plugin file.
-     */
-    private $plugin_filename;
-
 
     /**
      * @param string $plugin_filename Absolute path to main plugin file.
      */
-    public function __construct(string $plugin_filename)
+    public function __construct(private string $plugin_filename)
     {
-        $this->plugin_filename = $plugin_filename;
     }
 
 

classes/BlueChip/Security/Core/ListTable.php

@@ -23,22 +23,22 @@ abstract class ListTable extends \WP_List_Table
     /**
      * @var string URL of admin page where the list table is displayed
      */
-    protected $url;
+    protected string $url;
 
     /**
      * @var string Sorting direction (asc or desc)
      */
-    protected $order = 'desc';
+    protected string $order = 'desc';
 
     /**
      * @var string Sorting column
      */
-    protected $order_by = 'id';
+    protected string $order_by = 'id';
 
     /**
      * @var int Number of items per page.
      */
-    protected $items_per_page;
+    protected int $items_per_page;
 
 
     /**