iThemes Security (formerly Better WP Security) - Version 6.0.0

Version Description

  • Bug Fix: Removed "comodo" from the list of user agents blocked by the HackRepair.com blacklist. This ensures that Comodo's AutoSSL feature of cPanel/WHM is able to function.
  • Updated Feature: Updated the "REST API" feature in the WordPress Tweaks section. The feature now has proper support for protecting privacy on your site without preventing the REST API from functioning.
  • Enhancement: Updated Security Check to enforce setting the "REST API" setting to "Restricted Access".

Release Info

Developer chrisjean
Version 6.0.0

Code changes from version 5.9.0 to 6.0.0

better-wp-security.php CHANGED
@@ -6,7 +6,7 @@
6
  * Description: Take the guesswork out of WordPress security. iThemes Security offers 30+ ways to lock down WordPress in an easy-to-use WordPress security plugin.
7
  * Author: iThemes
8
  * Author URI: https://ithemes.com
9
- * Version: 5.9.0
10
  * Text Domain: better-wp-security
11
  * Network: True
12
  * License: GPLv2
6
  * Description: Take the guesswork out of WordPress security. iThemes Security offers 30+ ways to lock down WordPress in an easy-to-use WordPress security plugin.
7
  * Author: iThemes
8
  * Author URI: https://ithemes.com
9
+ * Version: 6.0.0
10
  * Text Domain: better-wp-security
11
  * Network: True
12
  * License: GPLv2
core/class-itsec-core.php CHANGED
@@ -74,7 +74,7 @@ if ( ! class_exists( 'ITSEC_Core' ) ) {
74
  public function init( $plugin_file, $plugin_name ) {
75
  global $itsec_globals, $itsec_logger, $itsec_lockout;
76
 
77
- $this->plugin_build = 4045; // used to trigger updates
78
  $this->plugin_file = $plugin_file;
79
  $this->plugin_dir = dirname( $plugin_file ) . '/';
80
  $this->current_time = current_time( 'timestamp' );
74
  public function init( $plugin_file, $plugin_name ) {
75
  global $itsec_globals, $itsec_logger, $itsec_lockout;
76
 
77
+ $this->plugin_build = 4050; // used to trigger updates
78
  $this->plugin_file = $plugin_file;
79
  $this->plugin_dir = dirname( $plugin_file ) . '/';
80
  $this->current_time = current_time( 'timestamp' );
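Review bot: The build number bumped here (4045 to 4050) is the value the upgrade routine in core/modules/wordpress-tweaks/setup.php keys on (`$itsec_old_version < 4050`), so this change is required for the REST API setting migration to run at all; if the build is bumped again before release, the comparison in setup.php has to move with it.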
core/history.txt CHANGED
@@ -476,3 +476,8 @@
476
  Bug Fix: Fixed issue that could cause database backup emails to be sent without the backup zip attached.
477
  2.8.0 - 2016-12-08 - Chris Jean
478
  New Feature: Added a "REST API" feature in the WordPress Tweaks section. This new feature allows you to block or restrict access to the REST API.
476
  Bug Fix: Fixed issue that could cause database backup emails to be sent without the backup zip attached.
477
  2.8.0 - 2016-12-08 - Chris Jean
478
  New Feature: Added a "REST API" feature in the WordPress Tweaks section. This new feature allows you to block or restrict access to the REST API.
479
+ 2.8.1 - 2016-12-15 - Chris Jean
480
+ Bug Fix: Removed "comodo" from the list of user agents blocked by the HackRepair.com blacklist. This ensures that Comodo's AutoSSL feature of cPanel/WHM is able to function.
481
+ 2.9.0 - 2016-12-28 - Chris Jean
482
+ Updated Feature: Updated the "REST API" feature in the WordPress Tweaks section. The feature now has proper support for protecting privacy on your site without preventing the REST API from functioning.
483
+ Enhancement: Updated Security Check to enforce setting the "REST API" setting to "Restricted Access".
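Review bot: core/history.txt records these changes as two entries (2.8.1 and 2.9.0) while the top-level history.txt and readme.txt ship them as the single 6.0.0 release; if the core tree is versioned independently that is fine, but a pointer to the corresponding plugin version in one of the two logs would make them easier to reconcile.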
core/modules/ban-users/lists/hackrepair-apache.inc CHANGED
@@ -17,7 +17,6 @@ RewriteCond %{HTTP_USER_AGENT} "^checkprivacy" [NC,OR]
17
  RewriteCond %{HTTP_USER_AGENT} "^ChinaClaw" [NC,OR]
18
  RewriteCond %{HTTP_USER_AGENT} "^clshttp" [NC,OR]
19
  RewriteCond %{HTTP_USER_AGENT} "^cmsworldmap" [NC,OR]
20
- RewriteCond %{HTTP_USER_AGENT} "^comodo" [NC,OR]
21
  RewriteCond %{HTTP_USER_AGENT} "^Custo" [NC,OR]
22
  RewriteCond %{HTTP_USER_AGENT} "^Default Browser 0" [NC,OR]
23
  RewriteCond %{HTTP_USER_AGENT} "^diavol" [NC,OR]
17
  RewriteCond %{HTTP_USER_AGENT} "^ChinaClaw" [NC,OR]
18
  RewriteCond %{HTTP_USER_AGENT} "^clshttp" [NC,OR]
19
  RewriteCond %{HTTP_USER_AGENT} "^cmsworldmap" [NC,OR]
 
20
  RewriteCond %{HTTP_USER_AGENT} "^Custo" [NC,OR]
21
  RewriteCond %{HTTP_USER_AGENT} "^Default Browser 0" [NC,OR]
22
  RewriteCond %{HTTP_USER_AGENT} "^diavol" [NC,OR]
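Review bot: The removed rule `RewriteCond %{HTTP_USER_AGENT} "^comodo" [NC,OR]` was a case-insensitive prefix match, so it blocked any agent string beginning with "comodo", which is what caught the AutoSSL validation fetches named in the changelog. Removing a rule from the middle of the [OR] chain keeps the chain well-formed (the preceding line still carries [NC,OR]); since this list is duplicated per web server, the same line must go from the LiteSpeed and nginx variants, which this patch does.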
core/modules/ban-users/lists/hackrepair-litespeed.inc CHANGED
@@ -17,7 +17,6 @@ RewriteCond %{HTTP_USER_AGENT} "^checkprivacy" [NC,OR]
17
  RewriteCond %{HTTP_USER_AGENT} "^ChinaClaw" [NC,OR]
18
  RewriteCond %{HTTP_USER_AGENT} "^clshttp" [NC,OR]
19
  RewriteCond %{HTTP_USER_AGENT} "^cmsworldmap" [NC,OR]
20
- RewriteCond %{HTTP_USER_AGENT} "^comodo" [NC,OR]
21
  RewriteCond %{HTTP_USER_AGENT} "^Custo" [NC,OR]
22
  RewriteCond %{HTTP_USER_AGENT} "^Default Browser 0" [NC,OR]
23
  RewriteCond %{HTTP_USER_AGENT} "^diavol" [NC,OR]
17
  RewriteCond %{HTTP_USER_AGENT} "^ChinaClaw" [NC,OR]
18
  RewriteCond %{HTTP_USER_AGENT} "^clshttp" [NC,OR]
19
  RewriteCond %{HTTP_USER_AGENT} "^cmsworldmap" [NC,OR]
 
20
  RewriteCond %{HTTP_USER_AGENT} "^Custo" [NC,OR]
21
  RewriteCond %{HTTP_USER_AGENT} "^Default Browser 0" [NC,OR]
22
  RewriteCond %{HTTP_USER_AGENT} "^diavol" [NC,OR]
core/modules/ban-users/lists/hackrepair-nginx.inc CHANGED
@@ -16,7 +16,6 @@ if ($http_user_agent ~* "^checkprivacy"){return 403;}
16
  if ($http_user_agent ~* "^ChinaClaw"){return 403;}
17
  if ($http_user_agent ~* "^clshttp"){return 403;}
18
  if ($http_user_agent ~* "^cmsworldmap"){return 403;}
19
- if ($http_user_agent ~* "^comodo"){return 403;}
20
  if ($http_user_agent ~* "^Custo"){return 403;}
21
  if ($http_user_agent ~* "^Default Browser 0"){return 403;}
22
  if ($http_user_agent ~* "^diavol"){return 403;}
16
  if ($http_user_agent ~* "^ChinaClaw"){return 403;}
17
  if ($http_user_agent ~* "^clshttp"){return 403;}
18
  if ($http_user_agent ~* "^cmsworldmap"){return 403;}
 
19
  if ($http_user_agent ~* "^Custo"){return 403;}
20
  if ($http_user_agent ~* "^Default Browser 0"){return 403;}
21
  if ($http_user_agent ~* "^diavol"){return 403;}
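Review bot: In the nginx list `~*` is the case-insensitive regex operator, so `"^comodo"` had the same prefix semantics as the Apache [NC] rule and the three lists still agree line for line after the removal; nothing further to flag here.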
core/modules/security-check/scanner.php CHANGED
@@ -28,6 +28,7 @@ final class ITSEC_Security_Check_Scanner {
28
  self::enforce_activation( 'wordpress-tweaks', __( 'WordPress Tweaks', 'better-wp-security' ) );
29
  self::enforce_setting( 'wordpress-tweaks', 'file_editor', true, __( 'Disabled the File Editor in WordPress Tweaks.', 'better-wp-security' ) );
30
  self::enforce_setting( 'wordpress-tweaks', 'allow_xmlrpc_multiauth', false, __( 'Changed the Multiple Authentication Attempts per XML-RPC Request setting in WordPress Tweaks to "Block".', 'better-wp-security' ) );
 
31
 
32
  self::enforce_setting( 'global', 'write_files', true, __( 'Enabled the Write to Files setting in Global Settings.', 'better-wp-security' ) );
33
 
28
  self::enforce_activation( 'wordpress-tweaks', __( 'WordPress Tweaks', 'better-wp-security' ) );
29
  self::enforce_setting( 'wordpress-tweaks', 'file_editor', true, __( 'Disabled the File Editor in WordPress Tweaks.', 'better-wp-security' ) );
30
  self::enforce_setting( 'wordpress-tweaks', 'allow_xmlrpc_multiauth', false, __( 'Changed the Multiple Authentication Attempts per XML-RPC Request setting in WordPress Tweaks to "Block".', 'better-wp-security' ) );
31
+ self::enforce_setting( 'wordpress-tweaks', 'rest_api', 'restrict-access', __( 'Changed the REST API setting in WordPress Tweaks to "Restricted Access".', 'better-wp-security' ) );
32
 
33
  self::enforce_setting( 'global', 'write_files', true, __( 'Enabled the Write to Files setting in Global Settings.', 'better-wp-security' ) );
34
 
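Review bot: The new `self::enforce_setting( 'wordpress-tweaks', 'rest_api', 'restrict-access', ... )` will flip a site that deliberately chose "Default Access" whenever an admin runs Security Check; the feedback string reports it, which is the right behaviour for an enforcement step, but the readme entry should make clear this happens on Security Check, not on upgrade (the upgrade path in setup.php maps 'enable' to 'default-access'). The value 'restrict-access' must match the validator's allowed list exactly or sanitize_setting will reject it.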
core/modules/wordpress-tweaks/class-itsec-wordpress-tweaks.php CHANGED
@@ -95,7 +95,7 @@ final class ITSEC_WordPress_Tweaks {
95
  add_filter( 'xmlrpc_methods', array( $this, 'xmlrpc_methods' ) );
96
  }
97
 
98
- add_filter( 'rest_authentication_errors', array( $this, 'filter_rest_authentication_errors' ), 50 );
99
 
100
  if ( $this->settings['safe_jquery'] ) {
101
  add_action( 'wp_enqueue_scripts', array( $this, 'current_jquery' ) );
@@ -122,22 +122,121 @@ final class ITSEC_WordPress_Tweaks {
122
  }
123
  }
124
 
125
- public function filter_rest_authentication_errors( $error ) {
126
- if ( 'disable' === $this->settings['rest_api'] ) {
127
- return new WP_Error( 'itsec_wt_rest_api_disabled', esc_html__( 'The REST API is disabled on this site.', 'better-wp-security' ), array( 'status' => 403 ) );
128
  }
129
 
130
- if ( 'require-admin' === $this->settings['rest_api'] ) {
131
- require_once( ITSEC_Core::get_core_dir() . '/lib/class-itsec-lib-canonical-roles.php' );
132
 
133
- if ( ! ITSEC_Lib_Canonical_Roles::is_user_at_least( 'administrator' ) ) {
134
- return new WP_Error( 'itsec_wt_rest_api_requires_admin', esc_html__( 'You are not authorized to access the REST API on this site.', 'better-wp-security' ), array( 'status' => 403 ) );
135
  }
136
  }
137
 
138
- return $error;
139
  }
140
 
 
141
  public function add_block_tabnapping_script() {
142
  wp_enqueue_script( 'blankshield', plugins_url( 'js/blankshield/blankshield.min.js', __FILE__ ), array(), ITSEC_Core::get_plugin_build(), true );
143
  wp_enqueue_script( 'itsec-wt-block-tabnapping', plugins_url( 'js/block-tabnapping.js', __FILE__ ), array( 'blankshield' ), ITSEC_Core::get_plugin_build(), true );
95
  add_filter( 'xmlrpc_methods', array( $this, 'xmlrpc_methods' ) );
96
  }
97
 
98
+ add_filter( 'rest_dispatch_request', array( $this, 'filter_rest_dispatch_request' ), 10, 4 );
99
 
100
  if ( $this->settings['safe_jquery'] ) {
101
  add_action( 'wp_enqueue_scripts', array( $this, 'current_jquery' ) );
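Review bot: Swapping `rest_authentication_errors` for `rest_dispatch_request` changes where enforcement happens: the old filter ran on every REST request before routing (so the API index was blocked too), while the new one runs per route with the resolved `$handler`, which is what allows endpoint-specific decisions and leaves discovery working. The `10, 4` argument count matches the four values WordPress passes to that filter (dispatch result, request, route, handler); note the third value is the route string, not a schema, which bears on the parameter naming in the next hunk.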
122
  }
123
  }
124
 
125
+ public function filter_rest_dispatch_request( $result, $request, $route_schema, $handler ) {
126
+ if ( in_array( $this->settings['rest_api'], array( 'enable', 'default-access' ) ) ) {
127
+ return $result;
128
  }
129
 
130
+ $route = $request->get_route();
131
+ $route_parts = explode( '/', trim( $route, '/' ) );
132
 
133
+ if ( 'wp' !== $route_parts[0] ) {
134
+ // Only interested in the wp endpoints for now.
135
+ return $result;
136
+ }
137
+
138
+ if ( ! isset( $route_parts[2] ) ) {
139
+ // Only interested in requests that extend beyond the wp/v2 endpoint.
140
+ return $result;
141
+ }
142
+
143
+ if ( 'settings' === $route_parts[2] ) {
144
+ // The settings endpoint requires specific capabilities already.
145
+ return $result;
146
+ }
147
+
148
+ // Each of the following endpoints can be restricted based on a simple capability check.
149
+ $endpoint_caps = array(
150
+ 'comments' => 'moderate_comments',
151
+ 'statuses' => 'edit_posts',
152
+ 'taxonomies' => 'edit_terms',
153
+ 'types' => 'edit_posts',
154
+ );
155
+
156
+ foreach ( $endpoint_caps as $endpoint => $cap ) {
157
+ if ( $endpoint === $route_parts[2] ) {
158
+ if ( current_user_can( $cap ) ) {
159
+ return $result;
160
+ }
161
+
162
+ return new WP_Error( 'itsec_rest_api_access_restricted', __( 'You do not have sufficient permission to access this endpoint. Access to REST API requests is restricted by iThemes Security settings.', 'better-wp-security' ) );
163
+ }
164
+ }
165
+
166
+ if ( 'users' === $route_parts[2] ) {
167
+ if ( isset( $route_parts[3] ) && 'me' === $route_parts[3] ) {
168
+ // The users/me endpoint has its own permissions checks.
169
+ return $result;
170
  }
171
+
172
+ if ( current_user_can( 'list_users' ) ) {
173
+ // All other users endpoints can be restricted to those with the list_users cap.
174
+ return $result;
175
+ }
176
+
177
+ return new WP_Error( 'itsec_rest_api_access_restricted', __( 'You do not have sufficient permission to access this endpoint. Access to REST API requests is restricted by iThemes Security settings.', 'better-wp-security' ) );
178
+ }
179
+
180
+
181
+ // Pulling the specific taxonomy or post type object out for proper cap checking is a bit complex.
182
+
183
+ if ( is_array( $handler['callback'] ) && isset( $handler['callback'][0] ) && is_object( $handler['callback'][0] ) ) {
184
+ // Get the callback object if one exists.
185
+ $callback_object = $handler['callback'][0];
186
+ } else {
187
+ return $result;
188
  }
189
 
190
+ if ( is_a( $callback_object, 'WP_REST_Terms_Controller' ) ) {
191
+ // The callback handles requests for terms, so we know that the request is for a term.
192
+
193
+ // Get the registered taxonomies.
194
+ $taxonomies = get_taxonomies( array(), 'objects' );
195
+
196
+ foreach ( $taxonomies as $taxonomy ) {
197
+ // Find the taxonomy that matches the request.
198
+
199
+ if ( ( isset( $taxonomy->rest_base ) && $taxonomy->rest_base === $route_parts[2] ) || $taxonomy->name === $route_parts[2] ) {
200
+ // This is the requested taxonomy. Check to ensure that the current user can edit this taxonomy.
201
+ if ( current_user_can( $taxonomy->cap->edit_terms ) ) {
202
+ return $result;
203
+ } else {
204
+ return new WP_Error( 'itsec_rest_api_access_restricted', __( 'You do not have sufficient permission to access this endpoint. Access to REST API requests is restricted by iThemes Security settings.', 'better-wp-security' ) );
205
+ }
206
+ }
207
+ }
208
+
209
+ return $result;
210
+ }
211
+
212
+ if ( is_a( $callback_object, 'WP_REST_Posts_Controller' ) ) {
213
+ // The callback handles requests for post types, so we know that the request is for a post type.
214
+
215
+ // Get the registered post types
216
+ $post_types = get_post_types( array(), 'objects' );
217
+
218
+ foreach ( $post_types as $post_type ) {
219
+ // Find the post type that matches the request.
220
+
221
+ if ( ( isset( $post_type->rest_base ) && $post_type->rest_base === $route_parts[2] ) || $post_type->name === $route_parts[2] ) {
222
+ // This is the requested post type. Check to ensure that the current user can edit this post type.
223
+ if ( current_user_can( $post_type->cap->edit_posts ) ) {
224
+ return $result;
225
+ } else {
226
+ return new WP_Error( 'itsec_rest_api_access_restricted', __( 'You do not have sufficient permission to access this endpoint. Access to REST API requests is restricted by iThemes Security settings.', 'better-wp-security' ) );
227
+ }
228
+ }
229
+ }
230
+
231
+ return $result;
232
+ }
233
+
234
+
235
+ // We don't have any specific rules to handle this request, default to doing nothing.
236
+ return $result;
237
  }
238
 
239
+
240
  public function add_block_tabnapping_script() {
241
  wp_enqueue_script( 'blankshield', plugins_url( 'js/blankshield/blankshield.min.js', __FILE__ ), array(), ITSEC_Core::get_plugin_build(), true );
242
  wp_enqueue_script( 'itsec-wt-block-tabnapping', plugins_url( 'js/block-tabnapping.js', __FILE__ ), array( 'blankshield' ), ITSEC_Core::get_plugin_build(), true );
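Review bot: Every `new WP_Error( 'itsec_rest_api_access_restricted', ... )` in this hunk omits the `array( 'status' => 403 )` data that the removed code passed (old lines 127 and 134); WP_REST_Server turns a WP_Error with no status into a 500 response, so restricted requests would surface to clients as server errors instead of 403 Forbidden. Second, `'taxonomies' => 'edit_terms'` checks a capability no default role holds as a primitive (it is the taxonomy cap name that resolves to 'manage_categories' through `$taxonomy->cap`), so `current_user_can( 'edit_terms' )` can deny even administrators on a single site; use 'manage_categories' or resolve it via the taxonomy object as the WP_REST_Terms_Controller branch below already does. Minor: `$route_schema` receives the route string from WordPress and is unused, so rename it `$route`; and `in_array( $this->settings['rest_api'], array( 'enable', 'default-access' ) )` should pass `true` for a strict comparison.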
core/modules/wordpress-tweaks/settings-page.php CHANGED
@@ -34,9 +34,8 @@ final class ITSEC_WordPress_Tweaks_Settings_Page extends ITSEC_Module_Settings_P
34
  );
35
 
36
  $rest_api_options = array(
37
- 'disable' => esc_html__( 'Disable REST API (recommended)', 'better-wp-security' ),
38
- 'require-admin' => esc_html__( 'Require Admin Privileges', 'better-wp-security' ),
39
- 'enable' => esc_html__( 'Enable REST API', 'better-wp-security' ),
40
  );
41
 
42
 
@@ -117,12 +116,11 @@ final class ITSEC_WordPress_Tweaks_Settings_Page extends ITSEC_Module_Settings_P
117
  <tr>
118
  <th scope="row"><label for="itsec-wordpress-tweaks-rest_api"><?php esc_html_e( 'REST API', 'better-wp-security' ); ?></label></th>
119
  <td>
120
- <p><?php printf( wp_kses( __( 'WordPress\' <a href="%s">REST API</a> provides a method for developers to pull additional information from the site. Most of this information can be accessed without requiring authentication. The follow settings control how this feature operates.', 'better-wp-security' ), array( 'a' => array( 'href' => array() ) ) ), esc_url( 'http://wp-api.org/' ) ); ?></p>
121
  <?php $form->add_select( 'rest_api', $rest_api_options ); ?>
122
  <ul>
123
- <li><?php echo wp_kses( __( '<strong>Disable REST API</strong> - The REST API is disabled on the site. If your site does not use the REST API (there are very few plugins, themes, or other tools that currently use the REST API), we recommend disabling it for now.', 'better-wp-security' ), array( 'strong' => array() ) ); ?></li>
124
- <li><?php echo wp_kses( __( '<strong>Require Admin Privileges</strong> - The REST API can only be used by logged in users with admin-level privileges. This allows privileged users to test and develop with the REST API without allowing anonymous access to the data.', 'better-wp-security' ), array( 'strong' => array() ) ); ?></li>
125
- <li><?php echo wp_kses( __( '<strong>Enable REST API</strong> - The REST API is fully enabled and will function as normal. Use this setting only if the site makes use of the REST API.', 'better-wp-security' ), array( 'strong' => array() ) ); ?></li>
126
  </ul>
127
  </td>
128
  </tr>
34
  );
35
 
36
  $rest_api_options = array(
37
+ 'restrict-access' => esc_html__( 'Restricted Access (recommended)', 'better-wp-security' ),
38
+ 'default-access' => esc_html__( 'Default Access', 'better-wp-security' ),
 
39
  );
40
 
41
 
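Review bot: The select now offers only 'restrict-access' and 'default-access', so the three removed keys must be migrated on upgrade and removed from the validator's allowed list; both are covered by the setup.php and validator.php hunks in this patch. The "(recommended)" suffix on Restricted Access is consistent with Security Check enforcing that value.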
116
  <tr>
117
  <th scope="row"><label for="itsec-wordpress-tweaks-rest_api"><?php esc_html_e( 'REST API', 'better-wp-security' ); ?></label></th>
118
  <td>
119
+ <p><?php printf( wp_kses( __( 'The <a href="%1$s">WordPress REST API</a> is part of WordPress and provides developers with new ways to manage WordPress. By default, it could give public access to information that you believe is private on your site. For more details, see our post about the WordPress REST API <a href="%1$s">here</a>.', 'better-wp-security' ), array( 'a' => array( 'href' => array() ) ) ), esc_url( 'https://ithemes.com/security/wordpress-rest-api-restrict-access' ) ); ?></p>
120
  <?php $form->add_select( 'rest_api', $rest_api_options ); ?>
121
  <ul>
122
+ <li><?php echo wp_kses( __( '<strong>Restricted Access</strong> - Restrict access to most REST API data. This means that most requests will require a logged in user or a user with specific privileges, blocking public requests for potentially-private data. We recommend selecting this option.', 'better-wp-security' ), array( 'strong' => array() ) ); ?></li>
123
+ <li><?php echo wp_kses( __( '<strong>Default Access</strong> - Access to REST API data is left as default. Information including published posts, user details, and media library entries is available for public access.', 'better-wp-security' ), array( 'strong' => array() ) ); ?></li>
 
124
  </ul>
125
  </td>
126
  </tr>
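Review bot: The new description references `%1$s` twice but `printf` is given one URL, so both the "WordPress REST API" anchor and the "here" anchor point at the iThemes post; the previous copy linked the API name to the API documentation, which is probably still the intent for the first anchor (use `%1$s` and `%2$s` with two arguments). The "Default Access" text stating that user details are public matches the `list_users` gate added in the tweaks class.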
core/modules/wordpress-tweaks/settings.php CHANGED
@@ -13,7 +13,7 @@ final class ITSEC_Wordpress_Tweaks_Settings extends ITSEC_Settings {
13
  'file_editor' => true,
14
  'disable_xmlrpc' => 0,
15
  'allow_xmlrpc_multiauth' => false,
16
- 'rest_api' => 'enable',
17
  'safe_jquery' => false,
18
  'login_errors' => false,
19
  'force_unique_nicename' => false,
13
  'file_editor' => true,
14
  'disable_xmlrpc' => 0,
15
  'allow_xmlrpc_multiauth' => false,
16
+ 'rest_api' => 'default-access',
17
  'safe_jquery' => false,
18
  'login_errors' => false,
19
  'force_unique_nicename' => false,
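Review bot: The shipped default remains the permissive option ('default-access'), so a fresh install only moves to 'restrict-access' when Security Check runs; if restriction by default is the intent, as the "(recommended)" label and the Security Check enforcement suggest, consider making 'restrict-access' the default here as well.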
core/modules/wordpress-tweaks/setup.php CHANGED
@@ -118,6 +118,20 @@ if ( ! class_exists( 'ITSEC_WordPress_Tweaks_Setup' ) ) {
118
  ITSEC_Modules::set_settings( 'wordpress-tweaks', $current_options );
119
  }
120
  }
121
  }
122
 
123
  }
118
  ITSEC_Modules::set_settings( 'wordpress-tweaks', $current_options );
119
  }
120
  }
121
+
122
+ if ( $itsec_old_version < 4050 ) {
123
+ $settings = ITSEC_Modules::get_settings( 'wordpress-tweaks' );
124
+
125
+ if ( isset( $settings['rest_api'] ) ) {
126
+ if ( 'enable' === $settings['rest_api'] ) {
127
+ $settings['rest_api'] = 'default-access';
128
+ } else if ( in_array( $settings['rest_api'], array( 'disable', 'require-admin' ) ) ) {
129
+ $settings['rest_api'] = 'restrict-access';
130
+ }
131
+
132
+ ITSEC_Modules::set_settings( 'wordpress-tweaks', $settings );
133
+ }
134
+ }
135
  }
136
 
137
  }
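Review bot: The migration maps both 'disable' and 'require-admin' to 'restrict-access', which loosens access for sites that had the API fully disabled; presumably intentional given the feature change, but it deserves an explicit sentence in the changelog or upgrade notice. Minor: `in_array( $settings['rest_api'], array( 'disable', 'require-admin' ) )` should pass `true` as the third argument for a strict comparison, since the value comes from stored options.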
core/modules/wordpress-tweaks/validator.php CHANGED
@@ -23,7 +23,7 @@ class ITSEC_WordPress_Tweaks_Validator extends ITSEC_Validator {
23
  $this->sanitize_setting( 'positive-int', 'disable_xmlrpc', __( 'XML-RPC', 'better-wp-security' ) );
24
  $this->sanitize_setting( array( 0, 1, 2 ), 'disable_xmlrpc', __( 'XML-RPC', 'better-wp-security' ) );
25
  $this->sanitize_setting( 'bool', 'allow_xmlrpc_multiauth', __( 'Multiple Authentication Attempts per XML-RPC Request', 'better-wp-security' ) );
26
- $this->sanitize_setting( array( 'disable', 'require-admin', 'enable' ), 'rest_api', __( 'REST API', 'better-wp-security' ) );
27
  $this->sanitize_setting( 'bool', 'safe_jquery', __( 'Replace jQuery With a Safe Version', 'better-wp-security' ) );
28
  $this->sanitize_setting( 'bool', 'login_errors', __( 'Login Error Messages', 'better-wp-security' ) );
29
  $this->sanitize_setting( 'bool', 'force_unique_nicename', __( 'Force Unique Nickname', 'better-wp-security' ) );
23
  $this->sanitize_setting( 'positive-int', 'disable_xmlrpc', __( 'XML-RPC', 'better-wp-security' ) );
24
  $this->sanitize_setting( array( 0, 1, 2 ), 'disable_xmlrpc', __( 'XML-RPC', 'better-wp-security' ) );
25
  $this->sanitize_setting( 'bool', 'allow_xmlrpc_multiauth', __( 'Multiple Authentication Attempts per XML-RPC Request', 'better-wp-security' ) );
26
+ $this->sanitize_setting( array( 'default-access', 'restrict-access' ), 'rest_api', __( 'REST API', 'better-wp-security' ) );
27
  $this->sanitize_setting( 'bool', 'safe_jquery', __( 'Replace jQuery With a Safe Version', 'better-wp-security' ) );
28
  $this->sanitize_setting( 'bool', 'login_errors', __( 'Login Error Messages', 'better-wp-security' ) );
29
  $this->sanitize_setting( 'bool', 'force_unique_nicename', __( 'Force Unique Nickname', 'better-wp-security' ) );
history.txt CHANGED
@@ -596,3 +596,7 @@
596
  Bug Fix: Fixed issue that could cause database backup emails to be sent without the backup zip attached.
597
  5.9.0 - 2016-12-08 - Chris Jean
598
  New Feature: Added a "REST API" feature in the WordPress Tweaks section. This new feature allows you to block or restrict access to the REST API.
596
  Bug Fix: Fixed issue that could cause database backup emails to be sent without the backup zip attached.
597
  5.9.0 - 2016-12-08 - Chris Jean
598
  New Feature: Added a "REST API" feature in the WordPress Tweaks section. This new feature allows you to block or restrict access to the REST API.
599
+ 6.0.0 - 2016-12-28 - Chris Jean
600
+ Bug Fix: Removed "comodo" from the list of user agents blocked by the HackRepair.com blacklist. This ensures that Comodo's AutoSSL feature of cPanel/WHM is able to function.
601
+ Updated Feature: Updated the "REST API" feature in the WordPress Tweaks section. The feature now has proper support for protecting privacy on your site without preventing the REST API from functioning.
602
+ Enhancement: Updated Security Check to enforce setting the "REST API" setting to "Restricted Access".
readme.txt CHANGED
@@ -3,7 +3,7 @@ Contributors: ithemes, chrisjean, gerroald, mattdanner
3
  Tags: security, security plugin, malware, hack, secure, block, SSL, admin, htaccess, lockdown, login, protect, protection, anti virus, attack, injection, login security, maintenance, permissions, prevention, authentication, administration, password, brute force, ban, permissions, bots, user agents, xml rpc, security log
4
  Requires at least: 4.5
5
  Tested up to: 4.7
6
- Stable tag: 5.9.0
7
  License: GPLv2 or later
8
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
9
 
@@ -188,6 +188,11 @@ Free support may be available with the help of the community in the <a href="htt
188
 
189
  == Changelog ==
190
 
191
  = 5.9.0 =
192
  * New Feature: Added a "REST API" feature in the WordPress Tweaks section. This new feature allows you to block or restrict access to the REST API.
193
 
@@ -1630,5 +1635,5 @@ This release is a complete rewrite from the ground up. Special thanks to Cory Mi
1630
 
1631
  == Upgrade Notice ==
1632
 
1633
- = 5.9.0 =
1634
- Version 5.9.0 adds a new feature to block REST API requests. It is recommended for all users.
3
  Tags: security, security plugin, malware, hack, secure, block, SSL, admin, htaccess, lockdown, login, protect, protection, anti virus, attack, injection, login security, maintenance, permissions, prevention, authentication, administration, password, brute force, ban, permissions, bots, user agents, xml rpc, security log
4
  Requires at least: 4.5
5
  Tested up to: 4.7
6
+ Stable tag: 6.0.0
7
  License: GPLv2 or later
8
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
9
 
188
 
189
  == Changelog ==
190
 
191
+ = 6.0.0 =
192
+ * Bug Fix: Removed "comodo" from the list of user agents blocked by the HackRepair.com blacklist. This ensures that Comodo's AutoSSL feature of cPanel/WHM is able to function.
193
+ * Updated Feature: Updated the "REST API" feature in the WordPress Tweaks section. The feature now has proper support for protecting privacy on your site without preventing the REST API from functioning.
194
+ * Enhancement: Updated Security Check to enforce setting the "REST API" setting to "Restricted Access".
195
+
196
  = 5.9.0 =
197
  * New Feature: Added a "REST API" feature in the WordPress Tweaks section. This new feature allows you to block or restrict access to the REST API.
198
 
1635
 
1636
  == Upgrade Notice ==
1637
 
1638
+ = 6.0.0 =
1639
+ Version 6.0.0 adds privacy enhancement for the REST API. It is recommended for all users.
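Review bot: Grammar in the upgrade notice: "adds privacy enhancement for the REST API" should read "adds a privacy enhancement for the REST API". Replacing the 5.9.0 notice rather than stacking a new one above it is fine for WordPress.org, which only displays the notice matching the stable tag.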