Merge branch 'release-0.15'

.gitattributes

@@ -1,5 +1,6 @@
 /.gitattributes export-ignore
+/.github export-ignore
 /.gitignore export-ignore
 /phpcs.xml export-ignore
 /phpstan.neon export-ignore
-/tests export-ignore
+/tests export-ignore

.github/workflows/php.yml

@@ -0,0 +1,37 @@
+name: CI test suite
+
+on:
+  pull_request:
+    paths:
+      - 'composer.*'
+      - '**.php'
+  push:
+    paths:
+      - 'composer.*'
+      - '**.php'
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        php-versions: ['7.2', '7.3', '7.4']
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v1
+
+    - name: Set up PHP versions
+      uses: shivammathur/setup-php@v1
+      with:
+        php-version: ${{ matrix.php-versions }}
+        extension-csv: mbstring
+
+    - name: Validate composer.json and composer.lock
+      run: composer validate
+
+    - name: Install dependencies
+      run: composer install --prefer-dist --no-progress --no-suggest
+
+    - name: Run CI test suite
+      run: composer run-script ci

README.md

@@ -5,17 +5,69 @@ Helps keeping WordPress websites secure.
 ## Requirements
 
 * [PHP](https://secure.php.net/) 7.2 or newer
-* [WordPress](https://wordpress.org/) 5.1 or newer
+* [WordPress](https://wordpress.org/) 5.3 or newer
 
 ## Limitations
 
 * BC Security has not been tested on WordPress multisite installation.
 * BC Security has not been tested on Windows server.
 
+## Installation
+
+BC Security is not available at WordPress Plugins Directory, but there are several other ways you can get it.
+
+### Using WP-CLI
+
+If you have [WP-CLI](https://wp-cli.org/) installed, you can install (and optionally activate) BC Security with a single command:
+```
+wp plugin install [--activate] https://github.com/chesio/bc-security/archive/master.zip
+```
+
+### Using Composer
+
+BC Security is not available (yet) at [Packagist](https://packagist.org/), but you can install and update it via Composer if you add plugin repository to your project's `composer.json` file:
+
+```json
+{
+  "repositories": [
+    {
+      "type": "git",
+      "url": "https://github.com/chesio/bc-security"
+    }
+  ]
+}
+```
+
+Then just run `composer require chesio/bc-security` as usual.
+
+### Using Git
+
+Master branch always contains latest stable version, so you can install BC Security by cloning it from within your plugins directory:
+```
+cd [your-project]/wp-content/plugins
+git clone --single-branch --branch master https://github.com/chesio/bc-security.git
+```
+
+Updating is as easy as:
+```
+cd [your-project]/wp-content/plugins/bc-security
+git pull
+```
+
+### Using GitHub Updater plugin
+
+BC Security can be installed and updated via [GitHub Updater](https://github.com/afragen/github-updater) plugin.
+
+### Direct download
+
+This method is the least recommended, but it works without any other tool. You can download BC Security directly from [GitHub](https://github.com/chesio/bc-security/releases/latest). Make sure to unpack the plugin into correct directory and drop the version number from folder name.
+
 ## Setup
 
 Several features of BC Security depends on the knowledge of remote IP address, so it is important that you let the plugin know how your server is connected to the Internet. You can either set connection type via _Setup_ page or with `BC_SECURITY_CONNECTION_TYPE` constant.
 
+You may also optionally provide Google API key if you want to check your website against the Google [Safe Browsing](https://transparencyreport.google.com/safe-browsing/overview) lists of unsafe web resources. The key must have [Google Safe Browsing](https://developers.google.com/safe-browsing/) API enabled. As with the connection type, you can configure the key either via _Setup_ page or with `BC_SECURITY_GOOGLE_API_KEY` constant.
+
 **Note:** If you already have an installation with BC Security set up and would like to set up another installation in the same way, you can export plugin settings (including connection type) from the former installation and import them to the latter.
 
 ## Features
@@ -41,7 +93,7 @@ Basic checks cover common security practices. They do not require any informatio
 
 Advanced checks require data from external sources, therefore they leak some information about your website and take more time to execute.
 
-In the moment, list of installed plugins (but only those with _readme.txt_ file) is shared with WordPress.org.
+In the moment, list of installed plugins (but only those with _readme.txt_ file) is shared with WordPress.org and site URL is shared with Google.
 
 ##### WordPress core integrity check
 
@@ -61,6 +113,10 @@ Important: any plugins under version control (Git or Subversion) are automatical
 
 Although plugins can be removed from [Plugins Directory](https://wordpress.org/plugins/) for several reasons (not only because they have [security vulnerability](https://www.wordfence.com/blog/2017/09/display-widgets-malware/)), use of removed plugins is discouraged. Obviously, this check also works only for plugins installed from Plugins Directory.
 
+##### Safe Browsing check
+
+Checks whether your website is included on any of Google's [lists of unsafe web resources](https://developers.google.com/safe-browsing/) - this is usually a solid indicator of compromise. Note that for this check to run you have to provide [properly configured API key](https://developers.google.com/safe-browsing/v4/urls-hashing) via [plugin setup](#setup).
+
 #### Checklist monitoring
 
 Both basic and advanced checks can be run manually from a dedicated page in backend, but can be also configured to run periodically (once a day) in the background. Basic checks are run via a single cron job, while each of advanced checks is run via a separate cron job.

autoload.php

@@ -1,4 +1,5 @@
 <?php
+
 /**
  * Register autoloader for classes shipped with the plugin.
  *

bc-security.php

@@ -3,12 +3,12 @@
  * Plugin Name: BC Security
  * Plugin URI: https://github.com/chesio/bc-security
  * Description: Helps keeping WordPress websites secure.
- * Version: 0.14.0
+ * Version: 0.15.0
  * Author: Česlav Przywara <[email protected]>
  * Author URI: https://www.chesio.com
  * Requires PHP: 7.2
- * Requires WP: 5.1
- * Tested up to: 5.3
+ * Requires WP: 5.3
+ * Tested up to: 5.4
  * Text Domain: bc-security
  * GitHub Plugin URI: https://github.com/chesio/bc-security
  */

classes/BlueChip/Security/Admin.php

@@ -1,7 +1,4 @@
 <?php
-/**
- * @package BC_Security
- */
 
 namespace BlueChip\Security;
 
@@ -13,12 +10,12 @@ class Admin
     /**
      * @var string To use Settings API, user has to have manage_options capability.
      */
-    const CAPABILITY = 'manage_options';
+    private const CAPABILITY = 'manage_options';
 
     /**
      * @var string Plugin dashboard menu icon
      */
-    const ICON = 'dashicons-shield-alt';
+    private const ICON = 'dashicons-shield-alt';
 
 
     /**

classes/BlueChip/Security/Core/Admin/AbstractPage.php

@@ -1,7 +1,4 @@
 <?php
-/**
- * @package BC_Security
- */
 
 namespace BlueChip\Security\Core\Admin;
 
@@ -13,12 +10,12 @@ abstract class AbstractPage
     /**
      * @var string Page slug (each inheriting class must define its own)
      */
-    const SLUG = 'bc-security';
+    protected const SLUG = 'bc-security';
 
     /**
      * @var string Name of nonce used for any custom actions on admin pages
      */
-    const NONCE_NAME = '_wpnonce';
+    protected const NONCE_NAME = '_wpnonce';
 
     /**
      * @var string Page title for menu

classes/BlueChip/Security/Core/Admin/CountablePage.php

@@ -1,7 +1,4 @@
 <?php
-/**
- * @package BC_Security
- */
 
 namespace BlueChip\Security\Core\Admin;
 
@@ -34,7 +31,7 @@ protected function resetCount()
     {
         $user = wp_get_current_user();
         // Update $user's last view time for this page.
-        update_user_meta($user->ID, $this->getCounterUserMetaKey(), current_time('timestamp'));
+        update_user_meta($user->ID, $this->getCounterUserMetaKey(), \time());
     }
 
 

classes/BlueChip/Security/Core/Admin/ListingPage.php

@@ -1,7 +1,4 @@
 <?php
-/**
- * @package BC_Security
- */
 
 namespace BlueChip\Security\Core\Admin;
 

classes/BlueChip/Security/Core/Admin/PageWithAssets.php

@@ -1,7 +1,4 @@
 <?php
-/**
- * @package BC_Security
- */
 
 namespace BlueChip\Security\Core\Admin;
 

classes/BlueChip/Security/Core/Admin/SettingsPage.php

@@ -1,7 +1,4 @@
 <?php
-/**
- * @package BC_Security
- */
 
 namespace BlueChip\Security\Core\Admin;
 

classes/BlueChip/Security/Core/AssetsManager.php

@@ -1,7 +1,4 @@
 <?php
-/**
- * @package BC_Security
- */
 
 namespace BlueChip\Security\Core;
 
@@ -10,12 +7,12 @@ class AssetsManager
     /**
      * @var string Relative path to directory with CSS assets.
      */
-    const CSS_ASSETS_DIRECTORY_PATH = 'assets/css/';
+    private const CSS_ASSETS_DIRECTORY_PATH = 'assets/css/';
 
     /**
      * @var string Relative path to directory with JavaScript assets.
      */
-    const JS_ASSETS_DIRECTORY_PATH = 'assets/js/';
+    private const JS_ASSETS_DIRECTORY_PATH = 'assets/js/';
 
     /**
      * @var string Absolute path to main plugin file.

classes/BlueChip/Security/Core/ListTable.php

@@ -1,21 +1,24 @@
 <?php
-/**
- * @package BC_Security
- */
 
 namespace BlueChip\Security\Core;
 
 use BlueChip\Security\Helpers\AdminNotices;
+use BlueChip\Security\Helpers\MySQLDateTime;
 
 /**
  * Base class for all list tables in plugin.
  */
 abstract class ListTable extends \WP_List_Table
 {
+    /**
+     * @var string Format of date and time columns in list tables
+     */
+    protected const DATETIME_FORMAT = 'Y-m-d H:i:s';
+
     /**
      * @var string Nonce name used for actions in all tables
      */
-    const NONCE_NAME = '_wpnonce';
+    protected const NONCE_NAME = '_wpnonce';
 
     /**
      * @var string URL of admin page where the list table is displayed
@@ -145,6 +148,18 @@ public function column_default($item, $column_name) // phpcs:ignore
     }
 
 
+    /**
+     * Display datetime database fields in local time.
+     *
+     * @param string $datetime Datetime string retrieved from database.
+     * @return string Date and time of $datetime formatted in local time.
+     */
+    public function formatDateAndTime(string $datetime): string
+    {
+        return wp_date(self::DATETIME_FORMAT, MySQLDateTime::parseTimestamp($datetime));
+    }
+
+
     /**
      * Output "no items" message.
      */

classes/BlueChip/Security/Core/Settings.php

@@ -1,7 +1,4 @@
 <?php
-/**
- * @package BC_Security
- */
 
 namespace BlueChip\Security\Core;
 
@@ -17,12 +14,12 @@ abstract class Settings implements \ArrayAccess
     /**
      * @var array Default values for all settings. Descendant classes should override it.
      */
-    const DEFAULTS = [];
+    protected const DEFAULTS = [];
 
     /**
      * @var array Sanitization routines for settings that cannot be just sanitized based on type of their default value.
      */
-    const SANITIZERS = [];
+    protected const SANITIZERS = [];
 
 
     /**
@@ -210,13 +207,13 @@ public function persist(): bool
      * Sanitize $settings array: only keep known keys, provide default values for missing keys.
      *
      * @internal This method serves two purposes: it sanitizes data read from database and it sanitizes POST-ed data.
-     * When using the method for database data sanitization, make sure that you provide default values. However,
-     * when using the method for POST-ed data sanitization (ie. as `sanitize_callback` in `register_setting` function),
-     * you should not provide explicit defaults, as the method will implicitly use data from database (that are already
-     * sanitized) as default values. This way, it is not necessary for POST-ed data to be complete, because any missing
-     * key-value pairs will be correctly preserved.
+     * When using this method for database data sanitization, make sure that you provide default values for all settings.
+     * When using this method for POST-ed data sanitization (ie. as `sanitize_callback` in `register_setting` function),
+     * do not provide explicit $defaults as this method will implicitly use current values (data from DB that are already
+     * sanitized) as defaults. This way POST-ed data do not need to be complete, because any missing settings will be
+     * kept as they were.
      *
-     * @param array $settings Items to sanitize.
+     * @param array $settings Input data to sanitize.
      * @param array $defaults [optional] If provided, used as default values for sanitization instead of local data.
      * @return array
      */
@@ -225,12 +222,13 @@ public function sanitize(array $settings, array $defaults = []): array
         // If no default values are provided, use data from internal cache as default values.
         $values = ($defaults === []) ? $this->data : $defaults;
 
+        // Loop over default values instead of provided $settings - this way only known keys are preserved.
         foreach ($values as $key => $default_value) {
             if (isset($settings[$key])) {
                 // New value is provided, sanitize it either...
                 $values[$key] = isset(static::SANITIZERS[$key])
                     // ...using provided callback...
-                    ? \call_user_func(static::SANITIZERS[$key], $settings[$key])
+                    ? \call_user_func(static::SANITIZERS[$key], $settings[$key], $default_value)
                     // ...or by type.
                     : self::sanitizeByType($settings[$key], $default_value)
                 ;

classes/BlueChip/Security/Helpers/AdminNotices.php

@@ -1,7 +1,4 @@
 <?php
-/**
- * @package BC_Security
- */
 
 namespace BlueChip\Security\Helpers;
 
@@ -10,10 +7,10 @@
  */
 abstract class AdminNotices
 {
-    const ERROR = 'notice-error';
-    const WARNING = 'notice-warning';
-    const SUCCESS = 'notice-success';
-    const INFO = 'notice-info';
+    public const ERROR = 'notice-error';
+    public const WARNING = 'notice-warning';
+    public const SUCCESS = 'notice-success';
+    public const INFO = 'notice-info';
 
     /**
      * Add dismissible admin notice with given $message of given $type.