Changeset 2580701
- Timestamp:
- 08/10/2021 08:07:26 AM (5 years ago)
- Location:
- wp-author-security
- Files:
-
- 7 added
- 6 edited
-
assets/screenshot-1.png (modified) (previous)
-
tags/1.3.0 (added)
-
tags/1.3.0/languages (added)
-
tags/1.3.0/languages/wp-author-security-de_DE.mo (added)
-
tags/1.3.0/languages/wp-author-security-de_DE.po (added)
-
tags/1.3.0/options.php (added)
-
tags/1.3.0/readme.txt (added)
-
tags/1.3.0/wp-author-security.php (added)
-
trunk/languages/wp-author-security-de_DE.mo (modified) (previous)
-
trunk/languages/wp-author-security-de_DE.po (modified) (2 diffs)
-
trunk/options.php (modified) (5 diffs)
-
trunk/readme.txt (modified) (3 diffs)
-
trunk/wp-author-security.php (modified) (3 diffs)
-
wp-author-security/trunk/languages/wp-author-security-de_DE.po
r2359805 r2580701 3 3 msgid "" 4 4 msgstr "" 5 "PO-Revision-Date: 202 0-08-13 10:03+0200\n"5 "PO-Revision-Date: 2021-08-10 09:34+0200\n" 6 6 "MIME-Version: 1.0\n" 7 7 "Content-Type: text/plain; charset=UTF-8\n" 8 8 "Content-Transfer-Encoding: 8bit\n" 9 9 "Plural-Forms: nplurals=2; plural=n != 1;\n" 10 "X-Generator: Poedit 2.4. 1\n"10 "X-Generator: Poedit 2.4.2\n" 11 11 "Language: de\n" 12 12 "Project-Id-Version: Plugins - WP Author Security - Stable (latest release)\n" … … 77 77 msgstr "WP Author Security Einstellungen" 78 78 79 #: options.php:164 80 msgid "Remove author name in feeds" 81 msgstr "Entferne Autorennamen in Feeds" 82 83 #: options.php:167 84 msgid "Setting this option will remove the author name in the /feed endpoint." 85 msgstr "Diese Option entfernt den Autorennamen beim Aufruf der URI /feed." 86 87 #: options.php:180 88 msgid "Remove author name in embeds" 89 msgstr "Entferne Autorennamen in eingebetten Beiträgen" 90 91 #: options.php:183 92 msgid "Setting this option will remove the author name and link in the oEmbed API endpoint e.g.: /wp-json/oembed/1.0/embed?url=https://<yourdomain>." 93 msgstr "Diese Option entfernt den Autorennamen und den Link beim Aufruf der oEmbed API z.B.: /wp-json/oembed/1.0/embed?url=https://<yourdomain>." 94 79 95 #. Author URI of the plugin 80 96 msgid "https://www.mgm-sp.com" -
wp-author-security/trunk/options.php
r2359730 r2580701 50 50 'default' => true 51 51 ); 52 $argsFilterFeed = array( 53 'description' => 'Remove the author name in feeds', 54 'type' => 'booelan', 55 'sanitize_callback' => 'wpas_sanitize_checkbox', 56 'default' => true 57 ); 58 $argsFilterEmbed = array( 59 'description' => 'Remove the author name in embeds', 60 'type' => 'booelan', 61 'sanitize_callback' => 'wpas_sanitize_checkbox', 62 'default' => true 63 ); 52 64 53 65 register_setting( 'wp-author-security-group', 'protectAuthor', array_merge($argsBase, $argsAuthor) ); … … 56 68 register_setting( 'wp-author-security-group', 'disableRestUser', array_merge($argsBase, $argsRestUser) ); 57 69 register_setting( 'wp-author-security-group', 'customLoginError', array_merge($argsBase, $argsLoginError) ); 70 register_setting( 'wp-author-security-group', 'wpas_filterFeed', array_merge($argsBase, $argsFilterFeed) ); 71 register_setting( 'wp-author-security-group', 'wpas_filterEmbed', array_merge($argsBase, $argsFilterEmbed) ); 58 72 59 73 add_option( 'protectAuthor', $argsAuthor['default']); … … 62 76 add_option( 'disableRestUser', $argsRestUser['default']); 63 77 add_option( 'customLoginError', $argsLoginError['default']); 78 add_option( 'wpas_filterFeed', $argsFilterFeed['default']); 79 add_option( 'wpas_filterEmbed', $argsFilterEmbed['default']); 64 80 }; 65 81 … … 113 129 </option> 114 130 </select> 115 <p ><?php echo __('Disable the /?author=<id> endpoint.', 'wp-author-security'); ?></p>131 <p class="description"><?php echo __('Disable the /?author=<id> endpoint.', 'wp-author-security'); ?></p> 116 132 </td> 117 133 </tr> … … 134 150 </option> 135 151 </select> 136 <p><?php echo __('Disable the /author/<name> and /?author_name=<name> endpoints.', 'wp-author-security'); ?></p> 137 </td> 138 </tr> 139 152 <p class="description"><?php echo __('Disable the /author/<name> and /?author_name=<name> endpoints.', 'wp-author-security'); ?></p> 153 </td> 154 </tr> 155 156 <tr valign="top"> 157 <th scope="row"><?php 
echo __('Protect REST API user enumeration', 'wp-author-security'); ?></th> 158 <td> 159 <input type="checkbox" name="disableRestUser"<?php if ( get_option('disableRestUser') ) echo ' checked="checked"'; ?> /> 160 <p class="description"><?php echo __('Disable REST API endpoint wp-json/wp/v2/users.', 'wp-author-security'); ?></p> 161 </td> 162 </tr> 163 <tr valign="top"> 164 <th scope="row"><?php echo __('Stop user enumeration on login/reset password form', 'wp-author-security'); ?></th> 165 <td> 166 <input type="checkbox" name="customLoginError"<?php if ( get_option('customLoginError') ) echo ' checked="checked"'; ?> /> 167 <p class="description"><?php echo __('Displays a neutral message when either the username or password is incorrect.', 'wp-author-security'); ?></p> 168 </td> 169 </tr> 170 171 <tr valign="top"> 172 <th scope="row"><?php echo __('Remove author name in feeds', 'wp-author-security'); ?></th> 173 <td> 174 <input type="checkbox" name="wpas_filterFeed"<?php if ( get_option('wpas_filterFeed') ) echo ' checked="checked"'; ?> /> 175 <p class="description"><?php echo __('Setting this option will remove the author name in the /feed endpoint.', 'wp-author-security'); ?></p> 176 </td> 177 </tr> 178 179 <tr valign="top"> 180 <th scope="row"><?php echo __('Remove author name in embeds', 'wp-author-security'); ?></th> 181 <td> 182 <input type="checkbox" name="wpas_filterEmbed"<?php if ( get_option('wpas_filterEmbed') ) echo ' checked="checked"'; ?> /> 183 <p class="description"><?php echo __('Setting this option will remove the author name and link in the oEmbed API endpoint e.g.: /wp-json/oembed/1.0/embed?url=https://<yourdomain>.', 'wp-author-security'); ?></p> 184 </td> 185 </tr> 186 140 187 <tr valign="top"> 141 188 <th scope="row"><?php echo __('Disable for logged in users', 'wp-author-security'); ?></th> 142 189 <td> 143 190 <input type="checkbox" name="disableLoggedIn"<?php if ( get_option('disableLoggedIn') ) echo ' checked="checked"'; ?> /> 144 
<p><?php echo __('Disable protection for logged in users.', 'wp-author-security'); ?></p> 145 </td> 146 </tr> 147 148 <tr valign="top"> 149 <th scope="row"><?php echo __('Protect REST API user enumeration', 'wp-author-security'); ?></th> 150 <td> 151 <input type="checkbox" name="disableRestUser"<?php if ( get_option('disableRestUser') ) echo ' checked="checked"'; ?> /> 152 <p><?php echo __('Disable REST API endpoint wp-json/wp/v2/users.', 'wp-author-security'); ?></p> 153 </td> 154 </tr> 155 <tr valign="top"> 156 <th scope="row"><?php echo __('Stop user enumeration on login/reset password form', 'wp-author-security'); ?></th> 157 <td> 158 <input type="checkbox" name="customLoginError"<?php if ( get_option('customLoginError') ) echo ' checked="checked"'; ?> /> 159 <p><?php echo __('Displays a neutral message when either the username or password is incorrect.', 'wp-author-security'); ?></p> 191 <p class="description"><?php echo __('Disable protection for logged in users.', 'wp-author-security'); ?></p> 160 192 </td> 161 193 </tr> -
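Review bot: The new description paragraphs for `wpas_filterFeed` and `wpas_filterEmbed` print translated strings with `echo __()` and no escaping, and the embed text contains the literal `<yourdomain>`, which a browser will parse as an unknown tag and drop from the rendered help text. Using `esc_html_e('Setting this option will remove the author name in the /feed endpoint.', 'wp-author-security');` (or `echo esc_html__(...)`) shows the placeholder and keeps a modified translation file from injecting markup into the admin page. The same applies to the `<id>` and `<name>` descriptions touched in this change. Separately, `'type' => 'booelan'` in `$argsFilterFeed` and `$argsFilterEmbed` is misspelled; `register_setting()` expects `'boolean'`. The enclosing function and the settings form start outside the visible hunks.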
wp-author-security/trunk/readme.txt
r2579357 r2580701 3 3 Tags: security, user-enumeration, privacy, author, wpscan 4 4 Requires at least: 4.7 5 Tested up to: 5. 85 Tested up to: 5.7 6 6 Requires PHP: 5.6 7 Stable tag: 1. 2.17 Stable tag: 1.3.0 8 8 License: GPLv3 9 9 … … 28 28 * The log in page where different error messages will indicate whether an entered user name or mail address exists or not. The plugin will display a neutral error message independently whether the user exists or not. 29 29 * The password forgotten function will also allow an attacker to check for the existence of a user. As for the log in page the plugin will display a neutral message even when the user does not exists. 30 * Requesting the feed endpoint /feed of your blog will also allow others to see the username or display name of the author. The plugin will remove the name from the results list. 31 * Wordpress supports so called oEmbeds. This is a technique were you can embed a reference to a post into another post. However, this reference will also contain the author name and a direct link to the profile page. The plugin will also remove the name and link here. 30 32 31 33 == Screenshots == … … 36 38 == Changelog == 37 39 40 = 1.3.0 = 41 * added protection for the /feed endpoint 42 * added protection for the oEmbed endpoint 43 38 44 = 1.2.1 = 39 45 * updated documentation -
wp-author-security/trunk/wp-author-security.php
r2359730 r2580701 7 7 * Author: mgmsp 8 8 * Author URI: https://www.mgm-sp.com 9 * Version: 1. 2.19 * Version: 1.3.0 10 10 * License: GPLv3 11 11 * Plugin URI: https://github.com/mgm-sp/wp-author-security … … 28 28 add_filter( 'login_errors', 'wpas_login_error_message', 1 ); 29 29 add_action( 'lost_password', 'wpas_check_lost_password_error' ); 30 add_filter( 'the_author', 'wpas_filter_feed', 1); 31 add_filter( 'oembed_response_data', 'wpas_filter_oembed', 10, 4 ); 30 32 } 31 33 … … 182 184 183 185 /** 186 * Filter feeds and remove the author name 187 * @param string $displayName The display name of the author 188 * @return string 189 */ 190 function wpas_filter_feed($displayName) { 191 192 //check if protection is enabled 193 if( !get_option( 'wpas_filterFeed') || !wpas_is_enabled_for_logged_in() ) { 194 return $displayName; 195 } 196 197 if ( is_feed() ) { 198 return ''; 199 } 200 201 // leave other occurrences untouched 202 return $displayName; 203 } 204 /** 205 * Filter oembed and remove the author name and link 206 * @param array $data 207 * @param WP_Post $post 208 * @param int $width 209 * @param int $height 210 * @return array 211 */ 212 function wpas_filter_oembed( $data, $post, $width, $height ) { 213 214 //check if protection is enabled 215 // note: user is always unauthenticated when this function is reached, therefore it can not be disabled for logged in users 216 if( !get_option( 'wpas_filterEmbed') || !wpas_is_enabled_for_logged_in() ) { 217 return $data; 218 } 219 220 unset($data['author_name']); 221 unset($data['author_url']); 222 223 return $data; 224 }; 225 226 227 /** 184 228 * Checks whether plugin is enabled for logged in users or not 185 229 * @return boolean
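Review bot: In `wpas_filter_oembed` the inline comment says the request is always unauthenticated, so the protection cannot be disabled for logged-in users, yet the guard still calls `wpas_is_enabled_for_logged_in()`; comment and code disagree. If the comment is right, the call is dead and the condition can be `if ( !get_option( 'wpas_filterEmbed' ) ) {`. If a REST request carrying a valid nonce can arrive authenticated (which I believe is the case in WordPress), the comment should be reworded, for example `// cookie-only REST requests run as anonymous, so the logged-in exemption normally does not apply here`. `wpas_is_enabled_for_logged_in()` is defined outside the visible hunks, so its exact behaviour should be confirmed before choosing. The stray `;` after the closing brace of `wpas_filter_oembed` can also be dropped.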