iThemes Security (formerly Better WP Security) - Version 5.9.0

Version Description

  • New Feature: Added a "REST API" feature in the WordPress Tweaks section. This new feature allows you to block or restrict access to the REST API.

Release Info

Developer chrisjean
Version 5.9.0

Code changes from version 5.8.1 to 5.9.0

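--- a/better-wp-security.php
+++ b/better-wp-security.php
@@ -6,7 +6,7 @@
  * Description: Take the guesswork out of WordPress security. iThemes Security offers 30+ ways to lock down WordPress in an easy-to-use WordPress security plugin.
  * Author: iThemes
  * Author URI: https://ithemes.com
- * Version: 5.8.1
+ * Version: 5.9.0
  * Text Domain: better-wp-security
  * Network: True
  * License: GPLv2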
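--- a/core/class-itsec-core.php
+++ b/core/class-itsec-core.php
@@ -74,7 +74,7 @@ if ( ! class_exists( 'ITSEC_Core' ) ) {
  public function init( $plugin_file, $plugin_name ) {
  global $itsec_globals, $itsec_logger, $itsec_lockout;
 
- $this->plugin_build = 4044; // used to trigger updates
+ $this->plugin_build = 4045; // used to trigger updates
  $this->plugin_file = $plugin_file;
  $this->plugin_dir = dirname( $plugin_file ) . '/';
  $this->current_time = current_time( 'timestamp' );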
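--- a/core/history.txt
+++ b/core/history.txt
@@ -474,3 +474,5 @@
  Misc: Updated the description for the Lockout Period setting to indicate that the default value of 15 minutes is recommended.
  2.7.1 - 2016-12-06 - Chris Jean
  Bug Fix: Fixed issue that could cause database backup emails to be sent without the backup zip attached.
+ 2.8.0 - 2016-12-08 - Chris Jean
+ New Feature: Added a "REST API" feature in the WordPress Tweaks section. This new feature allows you to block or restrict access to the REST API.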
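--- a/core/modules/wordpress-tweaks/class-itsec-wordpress-tweaks.php
+++ b/core/modules/wordpress-tweaks/class-itsec-wordpress-tweaks.php
@@ -95,6 +95,8 @@ final class ITSEC_WordPress_Tweaks {
  add_filter( 'xmlrpc_methods', array( $this, 'xmlrpc_methods' ) );
  }
 
+ add_filter( 'rest_authentication_errors', array( $this, 'filter_rest_authentication_errors' ), 50 );
+
  if ( $this->settings['safe_jquery'] ) {
  add_action( 'wp_enqueue_scripts', array( $this, 'current_jquery' ) );
  }
@@ -120,6 +122,22 @@ final class ITSEC_WordPress_Tweaks {
  }
  }
 
+ public function filter_rest_authentication_errors( $error ) {
+ if ( 'disable' === $this->settings['rest_api'] ) {
+ return new WP_Error( 'itsec_wt_rest_api_disabled', esc_html__( 'The REST API is disabled on this site.', 'better-wp-security' ), array( 'status' => 403 ) );
+ }
+
+ if ( 'require-admin' === $this->settings['rest_api'] ) {
+ require_once( ITSEC_Core::get_core_dir() . '/lib/class-itsec-lib-canonical-roles.php' );
+
+ if ( ! ITSEC_Lib_Canonical_Roles::is_user_at_least( 'administrator' ) ) {
+ return new WP_Error( 'itsec_wt_rest_api_requires_admin', esc_html__( 'You are not authorized to access the REST API on this site.', 'better-wp-security' ), array( 'status' => 403 ) );
+ }
+ }
+
+ return $error;
+ }
+
  public function add_block_tabnapping_script() {
  wp_enqueue_script( 'blankshield', plugins_url( 'js/blankshield/blankshield.min.js', __FILE__ ), array(), ITSEC_Core::get_plugin_build(), true );
  wp_enqueue_script( 'itsec-wt-block-tabnapping', plugins_url( 'js/block-tabnapping.js', __FILE__ ), array( 'blankshield' ), ITSEC_Core::get_plugin_build(), true );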
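Review bot: The `require-admin` branch of `filter_rest_authentication_errors` evaluates `ITSEC_Lib_Canonical_Roles::is_user_at_least( 'administrator' )` at priority 50, which is before core's `rest_cookie_check_errors` if that is still registered at priority 100 as in WordPress 4.7's default-filters.php (verify against the supported core versions), i.e. before core has validated the REST nonce and demoted a nonce-less cookie session to user 0. A cookie-authenticated administrator's request carrying no `_wpnonce` would therefore pass this gate and then be dispatched as anonymous, so the policy is checked against an identity the request is not ultimately served as. Registering after core's check, `add_filter( 'rest_authentication_errors', array( $this, 'filter_rest_authentication_errors' ), 101 );`, makes the role check see the same user the request is dispatched as; the `disable` branch is unaffected by ordering. Note also that this filter only fires from `WP_REST_Server::serve_request()`, so internal `rest_do_request()` dispatches are not blocked by either mode — worth a comment on the method if that is intended. The enclosing class and the method that registers the filter both start outside the hunks.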
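--- a/core/modules/wordpress-tweaks/settings-page.php
+++ b/core/modules/wordpress-tweaks/settings-page.php
@@ -33,6 +33,12 @@ final class ITSEC_WordPress_Tweaks_Settings_Page extends ITSEC_Module_Settings_P
  true => __( 'Allow', 'better-wp-security' ),
  );
 
+ $rest_api_options = array(
+ 'disable' => esc_html__( 'Disable REST API (recommended)', 'better-wp-security' ),
+ 'require-admin' => esc_html__( 'Require Admin Privileges', 'better-wp-security' ),
+ 'enable' => esc_html__( 'Enable REST API', 'better-wp-security' ),
+ );
+
 
  $jquery_version = ITSEC_Modules::get_setting( $this->id, 'jquery_version' );
  $jquery_version_is_safe = ITSEC_Lib::is_jquery_version_safe();
@@ -108,6 +114,18 @@ final class ITSEC_WordPress_Tweaks_Settings_Page extends ITSEC_Module_Settings_P
  </ul>
  </td>
  </tr>
+ <tr>
+ <th scope="row"><label for="itsec-wordpress-tweaks-rest_api"><?php esc_html_e( 'REST API', 'better-wp-security' ); ?></label></th>
+ <td>
+ <p><?php printf( wp_kses( __( 'WordPress\' <a href="%s">REST API</a> provides a method for developers to pull additional information from the site. Most of this information can be accessed without requiring authentication. The follow settings control how this feature operates.', 'better-wp-security' ), array( 'a' => array( 'href' => array() ) ) ), esc_url( 'http://wp-api.org/' ) ); ?></p>
+ <?php $form->add_select( 'rest_api', $rest_api_options ); ?>
+ <ul>
+ <li><?php echo wp_kses( __( '<strong>Disable REST API</strong> - The REST API is disabled on the site. If your site does not use the REST API (there are very few plugins, themes, or other tools that currently use the REST API), we recommend disabling it for now.', 'better-wp-security' ), array( 'strong' => array() ) ); ?></li>
+ <li><?php echo wp_kses( __( '<strong>Require Admin Privileges</strong> - The REST API can only be used by logged in users with admin-level privileges. This allows privileged users to test and develop with the REST API without allowing anonymous access to the data.', 'better-wp-security' ), array( 'strong' => array() ) ); ?></li>
+ <li><?php echo wp_kses( __( '<strong>Enable REST API</strong> - The REST API is fully enabled and will function as normal. Use this setting only if the site makes use of the REST API.', 'better-wp-security' ), array( 'strong' => array() ) ); ?></li>
+ </ul>
+ </td>
+ </tr>
  <tr>
  <th scope="row"><label for="itsec-wordpress-tweaks-safe_jquery"><?php esc_html_e( 'Replace jQuery With a Safe Version', 'better-wp-security' ); ?></label></th>
  <td>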
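Review bot: The translatable description in the new `<tr>` block reads `The follow settings control how this feature operates.`; it should be `The following settings control how this feature operates.`, since once shipped the typo is frozen into every translation catalog keyed on the original string. The same paragraph links to `http://wp-api.org/` over plain HTTP from an authenticated admin screen; an `https://` URL is preferable so the destination cannot be trivially intercepted or rewritten on the wire. The method that renders this markup starts and ends outside the hunk.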
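--- a/core/modules/wordpress-tweaks/settings.php
+++ b/core/modules/wordpress-tweaks/settings.php
@@ -13,6 +13,7 @@ final class ITSEC_Wordpress_Tweaks_Settings extends ITSEC_Settings {
  'file_editor' => true,
  'disable_xmlrpc' => 0,
  'allow_xmlrpc_multiauth' => false,
+ 'rest_api' => 'enable',
  'safe_jquery' => false,
  'login_errors' => false,
  'force_unique_nicename' => false,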
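Review bot: The new default `'rest_api' => 'enable'` is the opposite of what the settings UI labels as recommended (`Disable REST API (recommended)`), and nothing in the hunk records why. If the intent is to keep existing sites that depend on the API working across the upgrade, a short comment would stop the next maintainer from "correcting" it: `'rest_api' => 'enable', // permissive on purpose: existing sites must not lose the API on update; UI recommends 'disable'`. The enclosing defaults array starts and ends outside the hunk.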
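--- a/core/modules/wordpress-tweaks/validator.php
+++ b/core/modules/wordpress-tweaks/validator.php
@@ -23,6 +23,7 @@ class ITSEC_WordPress_Tweaks_Validator extends ITSEC_Validator {
  $this->sanitize_setting( 'positive-int', 'disable_xmlrpc', __( 'XML-RPC', 'better-wp-security' ) );
  $this->sanitize_setting( array( 0, 1, 2 ), 'disable_xmlrpc', __( 'XML-RPC', 'better-wp-security' ) );
  $this->sanitize_setting( 'bool', 'allow_xmlrpc_multiauth', __( 'Multiple Authentication Attempts per XML-RPC Request', 'better-wp-security' ) );
+ $this->sanitize_setting( array( 'disable', 'require-admin', 'enable' ), 'rest_api', __( 'REST API', 'better-wp-security' ) );
  $this->sanitize_setting( 'bool', 'safe_jquery', __( 'Replace jQuery With a Safe Version', 'better-wp-security' ) );
  $this->sanitize_setting( 'bool', 'login_errors', __( 'Login Error Messages', 'better-wp-security' ) );
  $this->sanitize_setting( 'bool', 'force_unique_nicename', __( 'Force Unique Nickname', 'better-wp-security' ) );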
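--- a/history.txt
+++ b/history.txt
@@ -594,3 +594,5 @@
  Misc: Updated the description for the Lockout Period setting to indicate that the default value of 15 minutes is recommended.
  5.8.1 - 2016-12-06 - Chris Jean
  Bug Fix: Fixed issue that could cause database backup emails to be sent without the backup zip attached.
+ 5.9.0 - 2016-12-08 - Chris Jean
+ New Feature: Added a "REST API" feature in the WordPress Tweaks section. This new feature allows you to block or restrict access to the REST API.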
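--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: ithemes, chrisjean, gerroald, mattdanner
  Tags: security, security plugin, malware, hack, secure, block, SSL, admin, htaccess, lockdown, login, protect, protection, anti virus, attack, injection, login security, maintenance, permissions, prevention, authentication, administration, password, brute force, ban, permissions, bots, user agents, xml rpc, security log
  Requires at least: 4.5
  Tested up to: 4.7
- Stable tag: 5.8.1
+ Stable tag: 5.9.0
  License: GPLv2 or later
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -188,6 +188,9 @@ Free support may be available with the help of the community in the <a href="htt
 
  == Changelog ==
 
+ = 5.9.0 =
+ * New Feature: Added a "REST API" feature in the WordPress Tweaks section. This new feature allows you to block or restrict access to the REST API.
+
  = 5.8.1 =
  * Bug Fix: Fixed issue that could cause database backup emails to be sent without the backup zip attached.
 
@@ -1627,5 +1630,5 @@ This release is a complete rewrite from the ground up. Special thanks to Cory Mi
 
  == Upgrade Notice ==
 
- = 5.8.1 =
- Version 5.8.1 fixes a bug that could prevent database backup zips from being sent. It is recommended for all users.
+ = 5.9.0 =
+ Version 5.9.0 adds a new feature to block REST API requests. It is recommended for all users.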