Merge branch 'release-0.10.0'

README.md

@@ -4,14 +4,20 @@ Helps keeping WordPress websites secure.
 
 ## Requirements
 
-* [PHP](https://secure.php.net/) 7.0 or newer
+* [PHP](https://secure.php.net/) 7.1 or newer
 * [WordPress](https://wordpress.org/) 4.9 or newer
 
 ## Limitations
 
 * BC Security has not been tested on WordPress multisite installation.
 * BC Security is primarily being developed for Apache webserver and Unix-like environments.
 
+## Setup
+
+Several features of BC Security depends on the knowledge of remote IP address, so it is important that you let the plugin know how your server is connected to the Internet. You can either set connection type via _Setup_ page or with via `BC_SECURITY_CONNECTION_TYPE` constant.
+
+**Note:** If you already have an installation with BC Security set up and would like to set up another installation in the same way, you can export plugin settings (including connection type) from the former installation and import them to the latter.
+
 ## Features
 
 ### Checklist
@@ -122,6 +128,7 @@ Some of the modules listed above come with settings panel. Further customization
 1. Part of [psr/log](https://packagist.org/packages/psr/log) package codebase is shipped with the plugin.
 1. [WordPress core integrity check](#wordpress-core-integrity-check) is heavily inspired by [Checksum Verifier](https://github.com/pluginkollektiv/checksum-verifier) plugin by Sergej Müller.
 1. Some features (like "[Removed plugins check](#removed-plugins-check)") are inspired by [Wordfence Security](https://wordpress.org/plugins/wordfence/) from [Defiant](https://www.defiant.com/).
+1. Big thanks to [Vincent Driessen](https://nvie.com/about/) for his "[A successful Git branching model](https://nvie.com/posts/a-successful-git-branching-model/)" article that I find particularly useful every time I do some work on BC Security.
 
 ## Alternatives (and why I do not use them)
 

bc-security.php

@@ -3,23 +3,23 @@
  * Plugin Name: BC Security
  * Plugin URI: https://github.com/chesio/bc-security
  * Description: Helps keeping WordPress websites secure.
- * Version: 0.9.0
+ * Version: 0.10.0
  * Author: Česlav Przywara <[email protected]>
  * Author URI: https://www.chesio.com
- * Requires PHP: 7.0
+ * Requires PHP: 7.1
  * Requires WP: 4.9
  * Tested up to: 4.9
  * Text Domain: bc-security
  * GitHub Plugin URI: https://github.com/chesio/bc-security
  */
 
-if (version_compare(PHP_VERSION, '7.0', '<')) {
+if (version_compare(PHP_VERSION, '7.1', '<')) {
     // Warn user that his/her PHP version is too low for this plugin to function.
     add_action('admin_notices', function () {
         echo '<div class="error"><p>';
         echo esc_html(
             sprintf(
-                __('BC Security plugin requires PHP 7.0 to function properly, but you have version %s installed. The plugin has been auto-deactivated.', 'bc-security'),
+                __('BC Security plugin requires PHP 7.1 to function properly, but you have version %s installed. The plugin has been auto-deactivated.', 'bc-security'),
                 PHP_VERSION
             )
         );

classes/BlueChip/Security/Core/Settings.php

@@ -148,6 +148,42 @@ public function getOptionName(): string
     }
 
 
+    /**
+     * Get option data.
+     *
+     * @return array
+     */
+    public function get(): array
+    {
+        return $this->data;
+    }
+
+
+    /**
+     * Set $data as option data.
+     *
+     * @param array $data
+     * @return bool
+     */
+    public function set(array $data): bool
+    {
+        $this->data = $this->sanitize($data);
+        return $this->persist();
+    }
+
+
+    /**
+     * Reset option data.
+     *
+     * @return bool
+     */
+    public function reset(): bool
+    {
+        $this->data = static::DEFAULTS;
+        return $this->persist();
+    }
+
+
     /**
      * Sanitize $settings array: only keep known keys, provide default values for missing keys.
      *
@@ -221,7 +257,7 @@ protected static function parseList($list): array
     /**
      * Persist the value of data into database.
      *
-     * @return bool
+     * @return bool True, if settings have been updated (= changed), false otherwise.
      */
     protected function persist(): bool
     {

classes/BlueChip/Security/Helpers/Hooks.php

@@ -16,4 +16,12 @@ interface Hooks
      * @see \BlueChip\Security\Helpers\Is::admin()
      */
     const IS_ADMIN = 'bc-security/filter:is-admin';
+
+
+    /**
+     * Filter: allows to change plugin's changelog URL.
+     *
+     * @see \BlueChip\Security\Helpers\Plugin::getChangelogUrl()
+     */
+    const PLUGIN_CHANGELOG_URL = 'bc-security/filter:plugin-changelog-url';
 }

classes/BlueChip/Security/Helpers/Plugin.php

@@ -14,12 +14,35 @@ abstract class Plugin
      */
     const CHECKSUMS_API_URL_BASE = 'https://downloads.wordpress.org/plugin-checksums/';
 
-
     /**
-     * @var string
+     * @var string URL of Plugins Directory.
      */
     const PLUGINS_DIRECTORY_URL = 'https://wordpress.org/plugins/';
 
+    /**
+     * @var string Path (although not technically) to changelog page relative to URL of plugin homepage at Plugins Directory.
+     */
+    const PLUGINS_DIRECTORY_CHANGELOG_PATH = '#developers';
+
+
+    /**
+     * @param string $plugin_basename
+     * @return string URL of the plugin changelog page or empty string, if it cannot be determined.
+     */
+    public static function getChangelogUrl(string $plugin_basename): string
+    {
+        // By default, changelog URL is unknown.
+        $url = '';
+
+        if (self::hasReadmeTxt($plugin_basename)) {
+            // Assume that any plugin with readme.txt comes from Plugins Directory.
+            $url = self::getDirectoryUrl($plugin_basename) . self::PLUGINS_DIRECTORY_CHANGELOG_PATH;
+        }
+
+        // Allow the changelog URL to be filtered.
+        return apply_filters(Hooks::PLUGIN_CHANGELOG_URL, $url, $plugin_basename);
+    }
+
 
     /**
      * @param string $plugin_basename
@@ -103,6 +126,18 @@ public static function getPluginsInstalledFromWordPressOrg(): array
     }
 
 
+    /**
+     * @internal Only use in admin (back-end) context.
+     * @param string $plugin_basename
+     * @return array
+     */
+    public static function getPluginData(string $plugin_basename): array
+    {
+        // Note: get_plugin_data() function is only defined in admin.
+        return get_plugin_data(WP_PLUGIN_DIR . '/' . $plugin_basename);
+    }
+
+
     /**
      * Get absolute path to plugin directory for given $plugin_basename (ie. "bc-security/bc-security.php").
      *

classes/BlueChip/Security/Helpers/Transients.php

@@ -15,6 +15,7 @@ abstract class Transients
      */
     const NAME_PREFIX = 'bc-security_';
 
+
     /**
      * Delete transient.
      *
@@ -26,6 +27,32 @@ public static function deleteFromSite(string ...$key): bool
         return delete_site_transient(self::name($key));
     }
 
+
+    /**
+     * Remove all stored transients from database. Entire object cache is flushed as well, so use with caution.
+     *
+     * @link https://css-tricks.com/the-deal-with-wordpress-transients/
+     *
+     * @param \wpdb $wpdb WordPress database access abstraction object
+     */
+    public static function flush(\wpdb $wpdb)
+    {
+        $table_name = is_multisite() ? $wpdb->sitemeta : $wpdb->options;
+
+        // First, delete all transients from database...
+        $wpdb->query(
+            sprintf(
+                "DELETE FROM {$table_name} WHERE (option_name LIKE '%s' OR option_name LIKE '%s')",
+                '_site_transient_' . self::NAME_PREFIX . '%',
+                '_site_transient_timeout_' . self::NAME_PREFIX . '%'
+            )
+        );
+
+        // ...then flush object cache, because transients may be stored there as well.
+        wp_cache_flush();
+    }
+
+
     /**
      * Get transient.
      *
@@ -37,6 +64,7 @@ public static function getForSite(string ...$key)
         return get_site_transient(self::name($key));
     }
 
+
     /**
      * Set transient.
      *
@@ -52,6 +80,7 @@ public static function setForSite($value, ...$args): bool
         return set_site_transient(self::name($args), $value, $expiration);
     }
 
+
     /**
      * Create transient name from $key.
      *

classes/BlueChip/Security/Modules/Checklist/AdminPage.php

@@ -80,6 +80,15 @@ public function loadPage()
     }
 
 
+    /**
+     * @return int Number of meaningful checks that are monitored and failed the last time they have been executed.
+     */
+    public function getCount(): int
+    {
+        return count($this->checklist_manager->getChecks(['meaningful' => true, 'monitored' => true, 'status' => false]));
+    }
+
+
     /**
      * Output admin page.
      */
@@ -102,9 +111,9 @@ public function printContents()
 
         echo '<form method="post" action="' . admin_url('options.php') .'">';
 
-        $this->printBasicChecksSection($this->checklist_manager->getChecks(true, BasicCheck::class));
+        $this->printBasicChecksSection($this->checklist_manager->getBasicChecks());
 
-        $this->printAdvancedChecksSection($this->checklist_manager->getChecks(true, AdvancedCheck::class));
+        $this->printAdvancedChecksSection($this->checklist_manager->getAdvancedChecks());
 
         $this->printChecklistMonitoringSection();
 

classes/BlueChip/Security/Modules/Checklist/Check.php

@@ -102,11 +102,11 @@ public function getResult(): CheckResult
 
 
     /**
-     * By default, every check makes sense.
+     * By default, every check is meaningful.
      *
      * @return bool
      */
-    public function makesSense(): bool
+    public function isMeaningful(): bool
     {
         return true;
     }

classes/BlueChip/Security/Modules/Checklist/Checks/DisplayOfPhpErrorsIsOff.php

@@ -27,7 +27,7 @@ public function __construct()
      *
      * @return bool
      */
-    public function makesSense(): bool
+    public function isMeaningful(): bool
     {
         return defined('WP_ENV') && (WP_ENV === 'production');
     }

classes/BlueChip/Security/Modules/Checklist/Checks/ErrorLogNotPubliclyAccessible.php

@@ -23,7 +23,7 @@ public function __construct()
      *
      * @return bool
      */
-    public function makesSense(): bool
+    public function isMeaningful(): bool
     {
         return WP_DEBUG && WP_DEBUG_LOG;
     }