Merge branch 'release-0.7.0'

README.md

@@ -3,13 +3,13 @@
 Helps keeping WordPress websites secure.
 
 ## Requirements
-* [PHP](https://secure.php.net/) 5.6 or newer
+* [PHP](https://secure.php.net/) 7.0 or newer
 * [WordPress](https://wordpress.org/) 4.7 or newer
 
 ## Limitations
 
 * BC Security has not been tested on WordPress multisite installation.
-* BC Security is primarily being developed for Apache webserver environment.
+* BC Security is primarily being developed for Apache webserver and Unix-like environments.
 
 ## Features
 
@@ -24,7 +24,7 @@ BC Security features a checklist of common security practices. In the moment, th
 1. Are there no common usernames like admin or administrator on the system?
 1. Are user passwords hashed with some non-default hashing algorithm?
 
-### WordPress Hardening
+### WordPress hardening
 
 BC Security allows you to:
 1. Disable pingbacks
@@ -33,18 +33,20 @@ BC Security allows you to:
 
 ### Checksums verification
 
-BC Security once a day performs integrity check of WordPress core files. This check is done in two phases:
+BC Security once a day performs integrity check of WordPress core and plugin files. Any file that is evaluated as modified or unknown is [logged](#events-logging) and (optionally) reported via [email notification](#notifications).
+
+WordPress core files verification is done in two phases:
 1. Official md5 checksums from WordPress.org are used to determine if any of core files have been modified.
 1. All files in root directory, `wp-admin` directory (including subdirectories) and `wp-includes` directory (including subdirectories) are checked against official checksums list to determine if the file is official (known) file.
 
-Any file that is evaluated as modified or unknown is [logged](#events-logging) and (optionally) reported via [email notification](#notifications).
+Plugin files verification works only for plugins hosted at [WordPress Plugins](https://wordpress.org/plugins/) directory. The verification process is akin to the core files verification, although the API is slightly different (see [related Trac ticket](https://meta.trac.wordpress.org/ticket/3192) and [specification](https://docs.google.com/document/d/14-SMpaPtDGEBm8hE9ZwnA-vik5OvECDig32KqX8uFlg/edit)).
 
-### Login Security
+### Login security
 
 1. BC Security allows you to limit number of login attempts from single IP address. Implementation of this feature is heavily inspired by popular [Limit Login Attempts](https://wordpress.org/plugins/limit-login-attempts/) plugin with an extra feature of immediate blocking of specific usernames (like _admin_ or _administrator_).
 1. BC Security offers an option to only display generic error message as a result of failed login attempt when wrong username, email or password is provided.
 
-### IP Blacklist
+### IP blacklist
 
 BC Security maintains a list of IP addresses with limited access to the website. This list is automatically populated by [Login Security](#login-security) module, but manual addition of IP addresses is also possible.
 
@@ -78,9 +80,9 @@ Logs are stored in database and can be viewed on backend. Logs are automatically
 
 ## Credits
 
-1. [Login Security](#login-security) feature has been inspired by [Limit Login Attempts](https://wordpress.org/plugins/limit-login-attempts/) plugin by Johan Eenfeldt.
+1. [Login Security](#login-security) feature is inspired by [Limit Login Attempts](https://wordpress.org/plugins/limit-login-attempts/) plugin by Johan Eenfeldt.
 1. Part of [psr/log](https://packagist.org/packages/psr/log) package codebase is shipped with the plugin.
-1. [Checksums verification](#checksums-verification) feature is almost verbatim taken from [Checksum Verifier](https://github.com/pluginkollektiv/checksum-verifier) plugin by Sergej Müller.
+1. [Checksums verification](#checksums-verification) feature is heavily inspired by [Checksum Verifier](https://github.com/pluginkollektiv/checksum-verifier) plugin by Sergej Müller.
 
 ## Alternatives (and why I do not use them)
 

autoload.php

@@ -6,7 +6,7 @@
  */
 
 // Register autoload function
-spl_autoload_register(function ($class) {
+spl_autoload_register(function (string $class) {
     // Only autoload classes shipped with the plugin.
     if ((strpos($class, 'BlueChip\\Security') !== 0) && (strpos($class, 'Psr\\Log') !== 0)) {
         return;

bc-security.php

@@ -2,22 +2,22 @@
 /**
  * Plugin Name: BC Security
  * Plugin URI: https://github.com/chesio/bc-security
- * Description: Helps keeping WordPress websites secure. Plugin requires PHP 5.6 or newer to run.
- * Version: 0.6.4
+ * Description: Helps keeping WordPress websites secure. Plugin requires PHP 7.0 or newer to run.
+ * Version: 0.7.0
  * Author: Česlav Przywara <[email protected]>
  * Author URI: https://www.chesio.com
  * Requires at least: 4.7
- * Tested up to: 4.8
+ * Tested up to: 4.9
  * Text Domain: bc-security
  */
 
-if (version_compare(PHP_VERSION, '5.6', '<')) {
+if (version_compare(PHP_VERSION, '7.0', '<')) {
     // Warn user that his/her PHP version is too low for this plugin to function.
     add_action('admin_notices', function () {
         echo '<div class="error"><p>';
         echo esc_html(
             sprintf(
-                __('BC Security plugin requires PHP 5.6 to function properly, but you have version %s installed. The plugin has been auto-deactivated.', 'bc-security'),
+                __('BC Security plugin requires PHP 7.0 to function properly, but you have version %s installed. The plugin has been auto-deactivated.', 'bc-security'),
                 PHP_VERSION
             )
         );

classes/BlueChip/Security/Admin.php

@@ -33,7 +33,7 @@ class Admin
      * @param string $plugin_basename
      * @return self
      */
-    public function init($plugin_basename)
+    public function init(string $plugin_basename): self
     {
         add_action('admin_menu', [$this, 'makeAdminMenu']);
         add_action('admin_init', [$this, 'initAdminPages']);
@@ -48,7 +48,7 @@ public function init($plugin_basename)
      * @param \BlueChip\Security\Core\Admin\AbstractPage $page
      * @return self
      */
-    public function addPage(Core\Admin\AbstractPage $page)
+    public function addPage(Core\Admin\AbstractPage $page): self
     {
         $this->pages[$page->getSlug()] = $page;
         return $this;
@@ -109,7 +109,7 @@ public function makeAdminMenu()
      * @param array $links
      * @return array
      */
-    public function filterActionLinks(array $links)
+    public function filterActionLinks(array $links): array
     {
         if (current_user_can(self::CAPABILITY) && isset($this->pages['bc-security-setup'])) {
             $links[] = sprintf(
@@ -128,7 +128,7 @@ public function filterActionLinks(array $links)
      * @param \BlueChip\Security\Core\Admin\AbstractPage $page
      * @return string
      */
-    private function renderCounter(Core\Admin\AbstractPage $page)
+    private function renderCounter(Core\Admin\AbstractPage $page): string
     {
         // Counter is optional.
         return method_exists($page, 'getCount') && !empty($count = $page->getCount())

classes/BlueChip/Security/Core/Admin/AbstractPage.php

@@ -35,7 +35,7 @@ abstract public function printContents();
     /**
      * @return string Menu title of page.
      */
-    public function getMenuTitle()
+    public function getMenuTitle(): string
     {
         return $this->menu_title;
     }
@@ -44,7 +44,7 @@ public function getMenuTitle()
     /**
      * @return string Browser title of page.
      */
-    public function getPageTitle()
+    public function getPageTitle(): string
     {
         return $this->page_title;
     }
@@ -53,7 +53,7 @@ public function getPageTitle()
     /**
      * @return string Page slug.
      */
-    public function getSlug()
+    public function getSlug(): string
     {
         return static::SLUG;
     }
@@ -62,7 +62,7 @@ public function getSlug()
     /**
      * @return string URL of admin page.
      */
-    public function getUrl()
+    public function getUrl(): string
     {
         return static::getPageUrl();
     }
@@ -71,7 +71,7 @@ public function getUrl()
     /**
      * @return string URL of admin page.
      */
-    public static function getPageUrl()
+    public static function getPageUrl(): string
     {
         // Why static and not self? See: http://php.net/manual/en/language.oop5.late-static-bindings.php
         return add_query_arg('page', static::SLUG, admin_url('admin.php'));
@@ -85,7 +85,7 @@ public static function getPageUrl()
      *
      * @param string $page_hook
      */
-    public function setPageHook($page_hook)
+    public function setPageHook(string $page_hook)
     {
         add_action('load-' . $page_hook, [$this, 'loadPage']);
     }

classes/BlueChip/Security/Core/Admin/CountablePage.php

@@ -43,7 +43,7 @@ protected function resetCount()
      *
      * @return int
      */
-    public function getCount()
+    public function getCount(): int
     {
         $user = wp_get_current_user();
 
@@ -56,7 +56,7 @@ public function getCount()
     /**
      * @return string
      */
-    private function getCounterUserMetaKey()
+    private function getCounterUserMetaKey(): string
     {
         return implode('/', [$this->getSlug(), 'last-visit']);
     }

classes/BlueChip/Security/Core/Admin/ListingPage.php

@@ -26,7 +26,7 @@ abstract protected function initListTable();
      *
      * @param string $option_name
      */
-    private function setPerPageOption($option_name)
+    private function setPerPageOption(string $option_name)
     {
         $this->per_page_option_name = $option_name;
 

classes/BlueChip/Security/Core/Admin/SettingsPage.php

@@ -84,7 +84,7 @@ public function unregisterSettings()
      * of SETTINGS_* constants as $page.
      * @param string $page
      */
-    public function setSettingsPage($page)
+    public function setSettingsPage(string $page)
     {
         $this->recent_page = $page;
     }
@@ -101,7 +101,7 @@ public function setSettingsPage($page)
      * @param string $title
      * @param callable $callback
      */
-    public function addSettingsSection($section, $title, $callback = null)
+    public function addSettingsSection(string $section, string $title, $callback = null)
     {
         if (!is_string($this->recent_page)) {
             _doing_it_wrong(__METHOD__, 'No recent page set yet!', '0.1.0');
@@ -125,7 +125,7 @@ public function addSettingsSection($section, $title, $callback = null)
      * @param callable $callback Callback that produces form input for the field
      * @param array $args [Optional] Any extra arguments for $callback function
      */
-    public function addSettingsField($key, $title, callable $callback, array $args = [])
+    public function addSettingsField(string $key, string $title, callable $callback, array $args = [])
     {
         if (!is_string($this->recent_page)) {
             _doing_it_wrong(__METHOD__, 'No recent page set yet!', '0.1.0');

classes/BlueChip/Security/Core/ListTable.php

@@ -43,7 +43,7 @@ abstract class ListTable extends \WP_List_Table
      * @param string $per_page_option_name Option name for "per page" screen option.
      * @param array $args
      */
-    public function __construct($url, $per_page_option_name, array $args = [])
+    public function __construct(string $url, string $per_page_option_name, array $args = [])
     {
         $default_args = [
             'singular' => __('Record', 'bc-security'),
@@ -77,7 +77,7 @@ public function __construct($url, $per_page_option_name, array $args = [])
      * @param string $single The text to be used in notice if action affected single item.
      * @param string $plural The text to be used in notice if action affected multiple items.
      */
-    protected function displayNotice($action, $single, $plural)
+    protected function displayNotice(string $action, string $single, string $plural)
     {
         // Have any items been affected by given action?
         $result = filter_input(INPUT_GET, $action, FILTER_VALIDATE_INT);
@@ -86,7 +86,7 @@ protected function displayNotice($action, $single, $plural)
                 _n($single, $plural, $result, 'bc-security'),
                 AdminNotices::SUCCESS
             );
-            add_filter('removable_query_args', function ($removable_query_args) use ($action) {
+            add_filter('removable_query_args', function (array $removable_query_args) use ($action): array {
                 $removable_query_args[] = $action;
                 return $removable_query_args;
             });
@@ -103,7 +103,7 @@ protected function displayNotice($action, $single, $plural)
      * @param string $label
      * @return string
      */
-    protected function renderRowAction($action, $id, $class, $label)
+    protected function renderRowAction(string $action, int $id, string $class, string $label): string
     {
         return sprintf(
             '<span class="' . $class . '"><a href="%s">%s</a></span>',

classes/BlueChip/Security/Core/Settings.php

@@ -24,7 +24,7 @@ abstract class Settings implements \ArrayAccess
     /**
      * @param string $option_name
      */
-    public function __construct($option_name)
+    public function __construct(string $option_name)
     {
         // Read settings from wp_options table and sanitize them right away.
         $this->option_name = $option_name;
@@ -38,7 +38,7 @@ public function __construct($option_name)
      * @param string $name
      * @return mixed A null value is returned if $name is not a valid key.
      */
-    public function __get($name)
+    public function __get(string $name)
     {
         if (isset($this->data[$name])) {
             return $this->data[$name];
@@ -55,7 +55,7 @@ public function __get($name)
      * @param string $name
      * @param mixed $value
      */
-    public function __set($name, $value)
+    public function __set(string $name, $value)
     {
         if (isset($this->data[$name])) {
             $this->update($name, $value);
@@ -75,7 +75,7 @@ public function __set($name, $value)
      * @param string $offset
      * @return bool
      */
-    public function offsetExists($offset)
+    public function offsetExists($offset): bool
     {
         return isset($this->data[$offset]);
     }
@@ -113,6 +113,7 @@ public function offsetSet($offset, $value)
      * Reset setting under key $offset to its default value.
      *
      * @internal Implements ArrayAccess interface.
+     *
      * @param string $offset
      */
     public function offsetUnset($offset)
@@ -126,7 +127,7 @@ public function offsetUnset($offset)
      *
      * @return string
      */
-    public function getOptionName()
+    public function getOptionName(): string
     {
         return $this->option_name;
     }
@@ -138,7 +139,7 @@ public function getOptionName()
      * @param array $settings
      * @return array
      */
-    abstract public function sanitize(array $settings);
+    abstract public function sanitize(array $settings): array;
 
 
     /**
@@ -147,7 +148,7 @@ abstract public function sanitize(array $settings);
      * @param array|string $list
      * @return array
      */
-    protected function parseList($list)
+    protected function parseList($list): array
     {
         return is_array($list) ? $list : array_filter(array_map('trim', explode(PHP_EOL, $list)));
     }
@@ -160,7 +161,7 @@ protected function parseList($list)
      * @param mixed $value
      * @return bool
      */
-    protected function update($name, $value)
+    protected function update(string $name, $value): bool
     {
         if (!isset($this->data[$name])) {
             // Cannot update, invalid setting name.

classes/BlueChip/Security/Helpers/AdminNotices.php

@@ -24,7 +24,7 @@ abstract class AdminNotices
      * @param string $type Type: error, warning, success or info.
      * @param bool $escape_html
      */
-    public static function add($message, $type = self::INFO, $escape_html = true)
+    public static function add($message, string $type = self::INFO, bool $escape_html = true)
     {
         add_action('admin_notices', function () use ($message, $type, $escape_html) {
             echo sprintf('<div class="notice %s is-dismissible">', $type);

classes/BlueChip/Security/Helpers/FormHelper.php

@@ -125,7 +125,7 @@ public static function printTextArea(array $args)
      * @param array $properties
      * @return string
      */
-    protected static function renderFieldProperties(array $properties)
+    protected static function renderFieldProperties(array $properties): string
     {
         $filtered = array_filter(
             $properties,
@@ -155,7 +155,7 @@ function ($key, $value) {
      * @param array $args
      * @param bool $inline
      */
-    protected static function printAppendix(array $args, $inline)
+    protected static function printAppendix(array $args, bool $inline)
     {
         if (isset($args['description'])) {
             echo sprintf(