Merge branch 'release-0.20.0'

.editorconfig

@@ -0,0 +1,24 @@
+# https://EditorConfig.org
+
+root = true
+
+[*]
+indent_style = space
+indent_size = 4
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+block_comment_start = /*
+block_comment = *
+block_comment_end = */
+
+[**/*.yml]
+indent_size = 2
+
+[**/*.md]
+trim_trailing_whitespace = false
+indent_size = 2
+
+[**/*.json]
+indent_size = 2

.gitattributes

@@ -1,6 +1,8 @@
+/.editorconfig export-ignore
 /.gitattributes export-ignore
 /.github export-ignore
 /.gitignore export-ignore
+/composer.lock export-ignore
 /phpcs.xml export-ignore
 /phpstan.neon export-ignore
 /tests export-ignore

.github/workflows/integrate.yml

@@ -0,0 +1,198 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow
+
+name: "Integrate"
+
+on:
+  push:
+    branches:
+      - "develop"
+      - "master"
+    paths:
+      - ".github/workflows/**"
+      - "composer.*"
+      - "phpcs.xml"
+      - "phpstan.neon"
+      - "**.php"
+  pull_request:
+    paths:
+      - ".github/workflows/**"
+      - "composer.*"
+      - "phpcs.xml"
+      - "phpstan.neon"
+      - "**.php"
+  # Add [skip ci] to commit message to skip CI.
+
+concurrency:
+  group: "${{ github.workflow }}-${{ github.ref }}"
+  cancel-in-progress: true
+
+jobs:
+  byte_level:
+    name: "0️⃣ Byte-level"
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: "Checkout code"
+        uses: "actions/checkout@v3"
+
+      - name: "Check file permissions"
+        run: |
+          test "$(find . -type f -not -path './.git/*' -executable)" = "./tests/integration/bin/install-wp-tests.sh"
+
+      - name: "Find non-printable ASCII characters"
+        run: |
+          ! LC_ALL=C.UTF-8 find . -type f -name '*.php' -print0 | xargs -0 -- grep -PHn '[^ -~Č]'
+
+  syntax_errors:
+    name: "1️⃣ Syntax errors"
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: "Set up PHP"
+        uses: "shivammathur/setup-php@v2"
+        with:
+          php-version: "7.3"
+          extensions: "mbstring"
+          coverage: "none"
+
+      - name: "Checkout code"
+        uses: "actions/checkout@v3"
+
+      - name: "Install dependencies"
+        uses: "ramsey/composer-install@v2"
+        with:
+          dependency-versions: "highest"
+
+      - name: "Check source code for syntax errors"
+        run: "composer exec -- parallel-lint classes/ tests/"
+
+  unit_tests:
+    name: "2️⃣ Unit and functional tests"
+    needs:
+      - "byte_level"
+      - "syntax_errors"
+    strategy:
+      matrix:
+        php-version:
+          - "8.2"
+          - "8.1"
+          - "8.0"
+          - "7.4"
+          - "7.3"
+        dependencies:
+          - "lowest"
+          - "locked"
+          - "highest"
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: "Set up PHP"
+        uses: "shivammathur/setup-php@v2"
+        with:
+          php-version: "${{ matrix.php-version }}"
+          extensions: "mbstring"
+
+      - name: "Checkout code"
+        uses: "actions/checkout@v3"
+
+      - name: "Install dependencies"
+        uses: "ramsey/composer-install@v2"
+        with:
+          dependency-versions: "${{ matrix.dependencies }}"
+
+      - name: "Raise constraint for antecedent/patchwork"
+        if: "${{ matrix.dependencies == 'lowest' }}"
+        run: "composer require --dev --prefer-lowest --update-with-all-dependencies 'antecedent/patchwork:^2.0.8'"
+
+      - name: "Execute unit tests"
+        if: "${{ ! (matrix.php-version == '8.1' && matrix.dependencies == 'highest') }}"
+        run: "composer run-script unit-tests -- --no-coverage"
+
+      - name: "Execute unit tests with coverage"
+        if: "${{ matrix.php-version == '8.1' && matrix.dependencies == 'highest' }}"
+        run: "composer run-script unit-tests"
+
+      - name: "Send coverage to Coveralls"
+        env:
+          COVERALLS_REPO_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+        if: "${{ env.COVERALLS_REPO_TOKEN && matrix.php-version == '8.1' && matrix.dependencies == 'highest' }}"
+        run: |
+          wget "https://github.com/php-coveralls/php-coveralls/releases/download/v2.5.2/php-coveralls.phar"
+          php ./php-coveralls.phar -v
+
+  static_analysis:
+    name: "3️⃣ Static Analysis"
+    needs:
+      - "byte_level"
+      - "syntax_errors"
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: "Set up PHP"
+        uses: "shivammathur/setup-php@v2"
+        with:
+          php-version: "8.0"
+          extensions: "mbstring"
+          coverage: "none"
+
+      - name: "Checkout code"
+        uses: "actions/checkout@v3"
+
+      - name: "Validate Composer configuration"
+        run: "composer validate --strict"
+
+      - name: "Install dependencies"
+        uses: "ramsey/composer-install@v2"
+        with:
+          dependency-versions: "highest"
+
+      - name: "Check PSR-4 mapping"
+        run: "composer dump-autoload --optimize --strict-psr"
+
+      - name: "Perform static analysis"
+        run: "composer run-script phpstan"
+
+  coding_standards:
+    name: "4️⃣ Coding Standards"
+    needs:
+      - "byte_level"
+      - "syntax_errors"
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: "Set up PHP"
+        uses: "shivammathur/setup-php@v2"
+        with:
+          php-version: "8.0"
+          extensions: "mbstring"
+          coverage: "none"
+
+      - name: "Checkout code"
+        uses: "actions/checkout@v3"
+
+      - name: "Check EditorConfig configuration"
+        run: "test -f .editorconfig"
+
+      - name: "Check adherence to EditorConfig"
+        uses: "greut/eclint-action@v0"
+
+      - name: "Install dependencies"
+        uses: "ramsey/composer-install@v2"
+        with:
+          dependency-versions: "highest"
+
+      - name: "Check coding style"
+        run: "composer run-script phpcs"
+
+  exported_files:
+    name: "5️⃣ Exported files"
+    needs:
+      - "byte_level"
+      - "syntax_errors"
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: "Checkout code"
+        uses: "actions/checkout@v3"
+
+      - name: "Check exported files"
+        run: |
+          EXPECTED="CHANGELOG.md,LICENSE,README.md,autoload.php,bc-security.php,composer.json,uninstall.php"
+          CURRENT="$(git archive HEAD | tar --list --exclude="classes" --exclude="classes/*" --exclude="assets" --exclude="assets/*" | paste --serial --delimiters=",")"
+          echo "CURRENT =${CURRENT}"
+          echo "EXPECTED=${EXPECTED}"
+          test "${CURRENT}" = "${EXPECTED}"

CHANGELOG.md

@@ -1,6 +1,27 @@
 # BC Security Changelog
 
-## Upcoming version 0.19.0 (2022-06-02)
+## Version 0.20.0 (2023-03-31)
+
+This release brings a new feature: __external blocklist__. This feature has its own module named _External Blocklist_. To keep the naming consistent, _IP Blacklist_ module has been renamed to _Internal Blocklist_.
+
+These adjustments led to some breaking changes, therefore during update it is recommended to:
+1. Deactivate the plugin first.
+2. Rename the database table `bc_security_ip_blacklist` to `bc_security_internal_blocklist`.
+3. Update and reactivate the plugin.
+
+### Added
+
+* PHP 8.2 is supported [#130](https://github.com/chesio/bc-security/issues/130).
+* WordPress 6.1 and 6.2 is supported ([#129](https://github.com/chesio/bc-security/issues/129) and [#136](https://github.com/chesio/bc-security/issues/136)).
+* Improve detection of plugins hosted in Plugins Directory: also include plugins that have `readme.md` instead of `readme.txt` file [#128](https://github.com/chesio/bc-security/issues/128).
+* An option to block request coming from Amazon AWS network: either all requests or login requests only coming from AWS network can be blocked [#120](https://github.com/chesio/bc-security/issues/120).
+* Requests blocked by external or internal blocklist are now logged.
+
+### Changed
+
+* WordPress 5.9 or newer is now required [#131](https://github.com/chesio/bc-security/issues/131).
+
+## Version 0.19.0 (2022-06-02)
 
 ### Added
 
@@ -11,7 +32,7 @@
 
 ### Removed
 
-* "Check auth cookies" setting has been removed [#124](https://github.com/chesio/bc-security/issues/124).
+* "Check auth cookies" setting has been removed - the check is now always applied [#124](https://github.com/chesio/bc-security/issues/124).
 
 ## Version 0.18.1 (2021-12-29)
 

README.md

@@ -2,14 +2,15 @@
 
 [![GitHub Actions](https://github.com/chesio/bc-security/workflows/CI%20test%20suite/badge.svg)](https://github.com/chesio/bc-security/actions)
 [![Packagist](https://img.shields.io/packagist/v/chesio/bc-security.svg?color=34D058&style=popout)](https://packagist.org/packages/chesio/bc-security)
+[![Coverage Status](https://coveralls.io/repos/github/chesio/bc-security/badge.svg)](https://coveralls.io/github/chesio/bc-security)
 
 
 A WordPress plugin that helps keeping WordPress websites secure.
 
 ## Requirements
 
 * [PHP](https://www.php.net/) 7.3 or newer
-* [WordPress](https://wordpress.org/) 5.5 or newer
+* [WordPress](https://wordpress.org/) 5.9 or newer
 
 ## Limitations
 
@@ -88,7 +89,7 @@ Basic checks cover common security practices. They do not require any informatio
 
 Advanced checks require data from external sources, therefore they leak some information about your website and take more time to execute.
 
-In the moment, list of installed plugins (but only those with _readme.txt_ file) is shared with WordPress.org and site URL is shared with Google.
+In the moment, list of installed plugins (but only those with _readme.md_ or _readme.txt_ file) is shared with WordPress.org and site URL is shared with Google.
 
 ##### WordPress core integrity check
 
@@ -139,12 +140,18 @@ Passwords are validated on user creation, password change or password reset. If
 1. BC Security allows you to limit number of login attempts from single IP address. Implementation of this feature is heavily inspired by popular [Limit Login Attempts](https://wordpress.org/plugins/limit-login-attempts/) plugin with an extra feature of immediate blocking of specific usernames (like _admin_ or _administrator_).
 2. BC Security offers an option to only display generic error message as a result of failed login attempt when wrong username, email or password is provided.
 
-### IP blacklist
+### Internal blocklist
 
 BC Security maintains a list of IP addresses with limited access to the website. This list is automatically populated by [Login Security](#login-security) module, but manual addition of IP addresses is also possible.
 
 Out-dated records are automatically removed from the list by WP-Cron job scheduled to run every night. The job can be deactivated in backend, if desired.
 
+### External blocklist
+
+In addition to [internal blocklist](#internal-blocklist), BC Security can be configured to fetch list of IP addresses to block from external sources. Currently only [Amazon AWS IP ranges](https://ip-ranges.amazonaws.com/ip-ranges.json) can be used this way.
+
+As with internal blocklist, external blocklist can be used to limit access to entire website or login process only.
+
 ### Notifications
 
 BC Security allows to send automatic email notification to configured recipients on following occasions:
@@ -163,7 +170,12 @@ You can mute all email notifications by setting constant `BC_SECURITY_MUTE_NOTIF
 
 ### Events logging
 
-BC Security logs both short and long lockout events (see [Login Security](#login-security) feature). Also, the following events triggered by WordPress core are logged:
+Following events triggered by BC Security are logged:
+
+1. Short and long lockout events (see [Login Security](#login-security) feature)
+2. Requests blocked by [external](#external-blocklist) or [internal](#internal-blocklist) blocklist
+
+Following events triggered by WordPress core are logged:
 
 1. Attempts to authenticate with bad cookie
 2. Failed and successful login attempts
@@ -179,13 +191,14 @@ Some of the modules listed above come with settings panel. Further customization
 * `bc-security/filter:is-live` - filters boolean value that determines whether your website is running in a live environment.
 * `bc-security/filter:plugin-changelog-url` - filters changelog URL of given plugin. Might come handy in case of plugins not hosted in Plugins Directory.
 * `bc-security/filter:obvious-usernames` - filters array of common usernames that are being checked via [checklist check](#basic-checks). By default, the array consists of _admin_ and _administrator_ values.
-* `bc-security/filter:plugins-to-check-for-integrity` - filters array of plugins that should have their integrity checked. By default, the array consists of all installed plugins that have _readme.txt_ file. Note that plugins under version control are automatically omitted.
-* `bc-security/filter:plugins-to-check-for-removal` - filters array of plugins to check for their presence in WordPress.org Plugins Directory. By default, the array consists of all installed plugins that have _readme.txt_ file.
+* `bc-security/filter:plugins-to-check-for-integrity` - filters array of plugins that should have their integrity checked. By default, the array consists of all installed plugins that have _readme.md__ or _readme.txt_ file. Note that plugins under version control are automatically omitted.
+* `bc-security/filter:plugins-to-check-for-removal` - filters array of plugins to check for their presence in WordPress.org Plugins Directory. By default, the array consists of all installed plugins that have _readme.md__ or _readme.txt_ file.
 * `bc-security/filter:modified-files-ignored-in-core-integrity-check` - filters array of files that should not be reported as __modified__ in checksum verification of core WordPress files. By default, the array consist of _wp-config-sample.php_ and _wp-includes/version.php_ values.
 * `bc-security/filter:unknown-files-ignored-in-core-integrity-check` - filters array of files that should not be reported as __unknown__ in checksum verification of core WordPress files. By default, the array consist of _.htaccess_, _wp-config.php_, _liesmich.html_, _olvasdel.html_ and _procitajme.html_ values.
 * `bc-security/filter:show-pwned-password-warning` - filters whether the ["pwned password" warning](#passwords-check) should be displayed for current user on current screen.
-* `bc-security/filter:ip-blacklist-default-manual-lock-duration` - filters number of seconds that is used as default value in lock duration field of manual IP blacklisting form. By default, the value is equal to one month in seconds.
-* `bc-security/filter:is-ip-address-locked` - filters boolean value that determines whether given IP address is currently locked within given scope. By default, the value is based on plugin bookkeeping data.
+* `bc-security/filter:internal-blocklist-default-manual-lock-duration` - filters number of seconds that is used as default value in lock duration field of manual internal blocklisting form. By default, the value is equal to one month in seconds.
+* `bc-security/filter:is-ip-address-locked` - filters boolean value that determines whether given IP address is currently on internal blocklist (within given scope).
+* `bc-security/filter:is-ip-address-blocked` - filters boolean value that determines whether given IP address is currently blocked either by external or internal blocklist (within given scope).
 * `bc-security/filter:log-404-event` - filters boolean value that determines whether current HTTP request that resulted in [404 response](https://en.wikipedia.org/wiki/HTTP_404) should be logged or not. To completely disable logging of 404 events, you can attach [`__return_false`](https://developer.wordpress.org/reference/functions/__return_false/) function to the filter.
 * `bc-security/filter:events-with-hostname-resolution` - filters array of IDs of events for which hostname of involved IP address should be resolved via reverse DNS lookup. By default the following events are registered: attempts to authenticate with bad cookie, failed and successful login attempts and lockout events. Note that this functionality only relates to event logs report in backend - in case email notification is sent, hostname of reported IP address (if any) is always resolved separately.
 * `bc-security/filter:username-blacklist` - filters array of blacklisted usernames. Blacklisted usernames cannot be registered when opening new account and any login attempt using non-existing blacklisted username triggers long lockout. There are no default values, but the filter operates on usernames set via module settings, so it can be used to enforce blacklisting of particular usernames.