<?php
/**
* Site security
*
* Implement Zero Spam's recommended WordPress security practices.
*
* @package ZeroSpam
*/
namespace ZeroSpam\Modules\Security;

// Security Note: Blocks direct access to the plugin PHP files.
// ABSPATH is only defined when WordPress itself loaded this file.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}
/**
* Security class
*/
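class Security {
	/**
	 * Constructor.
	 *
	 * All hook registration is deferred to `init` so that plugin settings
	 * and translations are loaded before they are read.
	 */
	public function __construct() {
		add_action( 'init', array( $this, 'init' ) );
	}

	/**
	 * Fires after WordPress has finished loading but before any headers are sent.
	 *
	 * Registers the admin settings hooks and applies the hardening tweaks that
	 * are enabled in the Security settings section.
	 */
	public function init() {
		add_filter( 'zerospam_setting_sections', array( $this, 'sections' ) );
		add_filter( 'zerospam_settings', array( $this, 'settings' ), 10, 1 );

		// Advertising the exact WordPress version makes fingerprinting trivial;
		// drop it from the HTML head and from OPML output.
		remove_action( 'wp_head', 'wp_generator' );
		remove_action( 'opml_head', 'the_generator' );

		// XML-RPC lets a single request carry many login attempts, which
		// amplifies brute-force attacks.
		add_filter( 'xmlrpc_enabled', '__return_false' );

		// Fired on detections.
		add_action( 'zero_spam_detection', array( $this, 'handle_detection' ), 10, 2 );

		// Answer direct requests for xmlrpc.php with a 404; see block_xmlrpc().
		add_action( 'init', array( $this, 'block_xmlrpc' ) );

		// Fix: these two options were previously wired to each other's hooks
		// (the query-parameter option removed the emoji hooks and vice versa).
		// Each option now controls the behaviour its name describes.
		if ( 'enabled' === \ZeroSpam\Core\Settings::get_settings( 'remove_resource_query_parameters' ) ) {
			add_filter( 'style_loader_src', array( $this, 'remove_resource_query_params' ), 10, 2 );
			add_filter( 'script_loader_src', array( $this, 'remove_resource_query_params' ), 10, 2 );
		}

		if ( 'enabled' === \ZeroSpam\Core\Settings::get_settings( 'disable_emojis' ) ) {
			$this->remove_emoji_hooks();
		}

		if ( 'enabled' === \ZeroSpam\Core\Settings::get_settings( 'disable_rss_feed' ) ) {
			$this->disable_feed_hooks();
		}
	}

	/**
	 * Unhooks every core emoji handler (detection script, styles, feed and mail
	 * staticizing) and removes the TinyMCE emoji plugin.
	 */
	private function remove_emoji_hooks() {
		remove_action( 'wp_head', 'print_emoji_detection_script', 7 );
		remove_action( 'admin_print_scripts', 'print_emoji_detection_script' );
		remove_action( 'wp_print_styles', 'print_emoji_styles' );
		remove_action( 'admin_print_styles', 'print_emoji_styles' );
		remove_filter( 'the_content_feed', 'wp_staticize_emoji' );
		remove_filter( 'comment_text_rss', 'wp_staticize_emoji' );
		remove_filter( 'wp_mail', 'wp_staticize_emoji_for_email' );
		add_filter( 'tiny_mce_plugins', array( $this, 'disable_emojis' ) );
	}

	/**
	 * Hooks disable_rss() onto every feed action and blanks the generator tag.
	 */
	private function disable_feed_hooks() {
		$feed_actions = array(
			'do_feed',
			'do_feed_rdf',
			'do_feed_rss',
			'do_feed_rss2',
			'do_feed_atom',
			'do_feed_rss2_comments',
			'do_feed_atom_comments',
		);

		// Priority 1 so the feed is refused before core renders it.
		foreach ( $feed_actions as $action ) {
			add_action( $action, array( $this, 'disable_rss' ), 1 );
		}

		// Feeds carry a generator tag with the WP version; blank it.
		add_filter( 'the_generator', '__return_empty_string' );
	}

	/**
	 * Admin setting sections
	 *
	 * @param array $sections Array of admin setting sections.
	 * @return array Sections with the "security" section added.
	 */
	public function sections( $sections ) {
		$sections['security'] = array(
			'title' => __( 'Security', 'zero-spam' ),
			'icon'  => 'modules/security/icon-security.svg',
		);

		return $sections;
	}

	/**
	 * Admin settings
	 *
	 * @param array $settings Array of available settings.
	 * @return array Settings with this module's three checkboxes added.
	 */
	public function settings( $settings ) {
		$options = get_option( 'zero-spam-security' );

		$settings['remove_resource_query_parameters'] = $this->checkbox_setting(
			__( 'Remove Resource Query Parameters', 'zero-spam' ),
			__( 'Web scanners love the <code>&ver=x.x.x</code> type arguments that are appended to your CSS and JS files. This is useful for caching systems and implementing this change could affect the quality of your cache. As long as you are aware of the effects or risks, there really shouldn’t be any other detrimental effects.', 'zero-spam' ),
			$this->option_value( $options, 'remove_resource_query_parameters' )
		);

		$settings['disable_emojis'] = $this->checkbox_setting(
			__( 'Disable WordPress Emoj\'s', 'zero-spam' ),
			__( 'WordPress emoji’s are one of the vectors scanners use in order to enumerate version information, disable them if you\'re not using them.', 'zero-spam' ),
			$this->option_value( $options, 'disable_emojis' ),
			'enabled'
		);

		$settings['disable_rss_feed'] = $this->checkbox_setting(
			__( 'Disable WordPress RSS Feed', 'zero-spam' ),
			__( 'Having the RSS feed exposed is another way that scanners use to detect your WordPress version as well as other pertinent information such as authors, disable it if you\'re not using it.', 'zero-spam' ),
			$this->option_value( $options, 'disable_rss_feed' )
		);

		return $settings;
	}

	/**
	 * Reads a stored option value, falling back to false when unset or empty.
	 *
	 * @param mixed  $options Result of get_option(); may be false or an array.
	 * @param string $key     Option key.
	 * @return mixed Stored value or false.
	 */
	private function option_value( $options, $key ) {
		return ! empty( $options[ $key ] ) ? $options[ $key ] : false;
	}

	/**
	 * Builds one checkbox setting definition for this module.
	 *
	 * @param string      $title       Translated title.
	 * @param string      $desc        Translated description (may contain code/strong/a markup).
	 * @param mixed       $value       Current stored value.
	 * @param string|null $recommended Recommended value, or null to omit the key.
	 * @return array Setting definition.
	 */
	private function checkbox_setting( $title, $desc, $value, $recommended = null ) {
		$setting = array(
			'title'   => $title,
			// Descriptions are translatable, so restrict them to harmless inline markup.
			'desc'    => wp_kses( $desc, $this->description_allowed_html() ),
			'module'  => 'security',
			'type'    => 'checkbox',
			'options' => array(
				'enabled' => false,
			),
			'value'   => $value,
		);

		if ( null !== $recommended ) {
			$setting['recommended'] = $recommended;
		}

		return $setting;
	}

	/**
	 * Allowed HTML for setting descriptions passed through wp_kses().
	 *
	 * @return array Allowed tags and attributes.
	 */
	private function description_allowed_html() {
		return array(
			'code'   => array(),
			'strong' => array(),
			'a'      => array(
				'target' => array(),
				'href'   => array(),
				'rel'    => array(),
			),
		);
	}

	/**
	 * Disables emojis
	 *
	 * Removes the TinyMCE emoji plugin from the editor plugin list.
	 *
	 * @param mixed $plugins Plugin list from the tiny_mce_plugins filter.
	 * @return array Plugin list without 'wpemoji', or an empty array when the
	 *               input was not an array.
	 */
	public function disable_emojis( $plugins ) {
		if ( ! is_array( $plugins ) ) {
			return array();
		}

		return array_diff( $plugins, array( 'wpemoji' ) );
	}

	/**
	 * Disables RSS feeds
	 *
	 * Hooked at priority 1 on every do_feed_* action; never returns.
	 */
	public function disable_rss() {
		wp_die( __( 'No feed available.', 'zero-spam' ) );
	}

	/**
	 * Removes resource query parameters
	 *
	 * Strips the `ver` argument from asset URLs only when it carries the
	 * WordPress core version, so plugin/theme cache-busting values are kept.
	 *
	 * @param mixed  $src    Asset URL from style_loader_src / script_loader_src.
	 * @param string $handle Asset handle (unused; accepted because the filter passes it).
	 * @return mixed The URL, with `ver` removed when it matched the core version.
	 */
	public function remove_resource_query_params( $src, $handle = '' ) {
		// strpos() must be compared with false, not used for truthiness.
		if ( is_string( $src ) && false !== strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) ) {
			$src = remove_query_arg( 'ver', $src );
		}

		return $src;
	}

	/**
	 * Handles detections.
	 *
	 * Currently a no-op placeholder for the zero_spam_detection action.
	 *
	 * @param array $details Detection details.
	 */
	public function handle_detection( $details ) {
	}

	/**
	 * Block access to xmlrpc.php
	 *
	 * Hides the pingback URL from bloginfo output, disables XML-RPC, and
	 * answers any request whose URI contains /xmlrpc.php with a 404.
	 */
	public function block_xmlrpc() {
		// REQUEST_URI is absent under WP-CLI/cron; default to '' instead of
		// raising an undefined-index notice.
		$request_uri = isset( $_SERVER['REQUEST_URI'] )
			? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) )
			: '';
		$current_url = rtrim( $request_uri, '/' );

		// Don't advertise the pingback endpoint in <head>.
		add_filter(
			'bloginfo_url',
			function ( $output, $property ) {
				return ( 'pingback_url' === $property ) ? null : $output;
			},
			11,
			2
		);

		add_filter( 'xmlrpc_enabled', '__return_false' );

		if ( false !== strpos( $current_url, '/xmlrpc.php' ) ) {
			status_header( 404 );
			nocache_headers();
			wp_die( __( 'This file is not accessible.', 'zero-spam' ) );
		}
	}
}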