Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3380779

Timestamp:

10/19/2025 11:29:34 AM (6 months ago)

Author:

webfiable

Message:

Update to version 2.0.0 from GitHub

Location:

Files:

: 18 added
: 6 edited
: 1 copied

tags/2.0.0 (copied) (copied from webfiable-info/trunk)
tags/2.0.0/README.md (modified) (1 diff)
tags/2.0.0/includes (added)
tags/2.0.0/includes/admin.php (added)
tags/2.0.0/includes/constants.php (added)
tags/2.0.0/includes/endpoint.php (added)
tags/2.0.0/includes/i18n.php (added)
tags/2.0.0/includes/options.php (added)
tags/2.0.0/includes/registration.php (added)
tags/2.0.0/includes/routing.php (added)
tags/2.0.0/readme.txt (modified) (2 diffs)
tags/2.0.0/uninstall.php (added)
tags/2.0.0/webfiable-info.php (modified) (2 diffs)
trunk/README.md (modified) (1 diff)
trunk/includes (added)
trunk/includes/admin.php (added)
trunk/includes/constants.php (added)
trunk/includes/endpoint.php (added)
trunk/includes/i18n.php (added)
trunk/includes/options.php (added)
trunk/includes/registration.php (added)
trunk/includes/routing.php (added)
trunk/readme.txt (modified) (2 diffs)
trunk/uninstall.php (added)
trunk/webfiable-info.php (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

webfiable-info/tags/2.0.0/README.md

-                      r3365319
+                      r3380779
+=== Webfiable Info ===
+Contributors: webfiable
+Tags: security, monitoring, WordPress security
+Requires at least: 5.0
+Tested up to: 6.7
+Stable tag: 1.4
+License: GPLv3 or later
+License URI: https://www.gnu.org/licenses/gpl-3.0.html
+# Webfiable Info
 Webfiable is a monitoring plugin that provides insights into your site's health and security posture. Requires a free Webfiable subscription.
+> A lightweight, privacy-respecting companion plugin that connects your WordPress site to the [Webfiable](https://webfiable.com) security service for configuration monitoring and actionable recommendations.
+== Description ==
+- Status: Publicly available in white-march (early access)
+- License: GPLv3 or later
+- WordPress: 5.0+
+- PHP: 7.4+
+**Ensure your website's security posture and configuration health with monitoring and recommendations. Requires an active Webfiable subscription (currently free).**
+## Overview
 The Webfiable Info plugin is a component of the Webfiable security service, designed to help you maintain a robust security posture for your WordPress website. By securely gathering information about your site's plugins, themes, and WordPress version, the plugin enables the Webfiable service to perform in-depth analysis and provide weekly recommendations tailored to your specific configuration.
+Webfiable Info securely gathers a minimal software inventory (WordPress version, installed plugins and themes, and basic site metadata) and registers your site with [Webfiable](https://webfiable.com). You receive the first full report and ongoing summaries via email.
+== Features ==
+During the white-march period there is no separate sign-up or billingthe plugin registers your site from the settings screen and the service is free to use. A subscription may be required after general availability; administrators will be notified well in advance.
+* **Simple and Reliable Design**: Built with simplicity in mind, this plugin minimizes the risk of issues arising on your website and reduces the need for frequent updates, contributing to a stable and secure environment.
+* **Lightweight and Efficient**: The plugin is designed to be very lightweight, executing its tasks within seconds, and running no more than once per day, ensuring no impact on your website's performance.
+* **Secure Data Transmission**: Utilizes advanced hybrid encryption (AES + RSA) to securely transmit data to the Webfiable service.
+* **Proactive Security Monitoring**: Enables continuous monitoring of your site’s security posture and configuration health.
+* **Part of the Webfiable Service**: Requires an active Webfiable subscription (currently free).
+## Features
+== Security Features ==
+- One-click registration: enter a report email, grant consent, and enable the endpoint. The plugin verifies the endpoint and completes registration automatically.
+- Opt-in endpoint: the public `/webfiable` endpoint is disabled by default and verified when enabled. If verification or registration fails, the plugin safely disables it.
+- Consent-aware behavior: turning off consent simply saves your choice and disables the endpoint; you can re-enable later.
+- Lightweight by design: no heavy background jobs; the endpoint serves inventory on demand and runs in milliseconds.
+- Secure by default: hybrid encryption (AES-256-CBC + RSA-2048) protects the transport payload.
+- Part of the Webfiable service: learn more at [webfiable.com](https://webfiable.com).
+Webfiable Info is built with security at its core, ensuring that your website’s data is protected at every stage:
+## Security
+* **Hybrid Encryption**: Combines AES and RSA encryption to safeguard your data. The plugin uses AES-256 to encrypt the collected data, and then securely transmits the AES key by encrypting it with RSA-2048.
+* **Initialization Vector (IV)**: Each data transmission uses a unique Initialization Vector (IV) to ensure that even identical data produces different ciphertexts, enhancing security.
+* **RSA Key Management**: The RSA encryption ensures that only the Webfiable service can decrypt the transmitted data, using a private key that remains secure on the Webfiable infrastructure.
+- Hybrid Encryption: inventory is encrypted with AES-256-CBC; the AES key is encrypted with RSA-2048.
+- Fresh IV per response: each response uses a new IV so ciphertext is always unique.
+- Public endpoint, private content: the `/webfiable` endpoint may be accessed publicly, but the payload can only be decrypted by Webfiable.
+- Rate limiting: basic per-IP limiting reduces abuse.
+== Why It Is Secure ==
+## Installation & Setup
+. **Advanced Encryption Techniques**: Webfiable Info employs AES-256 for data encryption, a standard widely recognized for its strength and security. The AES key is then encrypted with RSA-2048, ensuring that even if the data is intercepted, it cannot be decrypted without the corresponding private RSA key, which is securely stored by Webfiable.
+. Install the plugin (zip upload or from source).
+. Activate it in WordPress.
+. Go to Settings -> Webfiable Info.
+. Enter the report recipient email and check the consent box.
+. Enable the `/webfiable` endpoint and click Save settings.
+. The plugin verifies the endpoint and completes registration. If verification fails, a notice explains what to fix and the endpoint is safely disabled.
+. **Data Integrity**: The use of a unique IV for each transmission guarantees that your data remains confidential and secure, preventing any potential attackers from predicting or replicating encrypted data streams.
+## FAQ
+. **Confidentiality by Design**: The plugin is designed to collect only the necessary information for security analysis, ensuring that your website's sensitive data is handled with the utmost care and never exposed.
+### Do I need a Webfiable subscription?
+Not during white-march (early access). The plugin registers your site automatically and the service is free to use. When the service launches publicly, a subscription may be required. We will provide clear notice and a smooth path to upgrade. See updates at [webfiable.com](https://webfiable.com).
+== Installation ==
+### How is my data secured?
+Data is encrypted on your site before transport using AES-256-CBC. The AES key is encrypted with RSA-2048 so only Webfiable can decrypt the payload.
+. Download the `webfiable-info.zip` file to your computer.
+. Log in to your WordPress admin dashboard.
+. Go to `Plugins > Add New`.
+. Click the `Upload Plugin` button at the top of the page.
+. Click `Choose File` and select the `webfiable-info.zip` file you downloaded.
+. Click `Install Now`.
+. Once the installation is complete, click `Activate Plugin`.
+### What information is collected?
+Minimal inventory only: site URL, WordPress version, installed plugins and themes (name, slug, version, short description), a site identifier, consent timestamp, and the email you provide for reports. No user content or credentials.
+== Frequently Asked Questions ==
+### What happens if I disable consent?
+Your preference is saved immediately, and the `/webfiable` endpoint is turned off. You can re-enable consent and the endpoint at any time from Settings.
+= Do I need a Webfiable subscription to use this plugin? =
+### Why might registration fail?
+The plugin verifies the endpoint before registering. If your server blocks loopback requests, permalinks are misconfigured, or the PHP OpenSSL extension is missing, verification may fail. Fix the issue and click "Save settings" again  the plugin will retry.
+Yes, an active Webfiable subscription is required for the plugin to function. The plugin sends encrypted data to the Webfiable service, where it is analyzed as part of your subscription.
+## Contributing
+Issues and PRs are welcome. Please keep changes focused and consistent with the existing code style.
+= How does the plugin ensure my data is secure? =
+## License
+GPLv3 or later. See the [LICENSE](https://www.gnu.org/licenses/gpl-3.0.html).
-The plugin uses a hybrid encryption method, combining AES-256 and RSA-2048, to securely encrypt and transmit your website's data. This ensures that only the Webfiable service can decrypt and analyze the information.
-= What information does this plugin collect? =
-The plugin collects information about your installed plugins, themes, and the WordPress version. This data is used by the Webfiable service to assess your website's security posture and provide recommendations.
-== Changelog ==
-= 1.4 =
-* Initial release with enhanced security features, including AES-256 encryption and RSA-2048 for key transmission.
-== Upgrade Notice ==
-= 1.4 =
-Initial release.
-== License ==
-This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version.

webfiable-info/tags/2.0.0/readme.txt

-                      r3365319
+                      r3380779
 === Webfiable Info ===
 Contributors: webfiable
+Tags: security, monitoring, WordPress security
+Requires at least: 5.0
+Tested up to: 6.7
+Stable tag: 1.4.1
+Tags: security, monitoring, hardening, inventory, endpoint
+Requires at least: 4.7
+Tested up to: 6.8
+Requires PHP: 7.4
+Stable tag: 2.0.0
 License: GPLv3 or later
 License URI: https://www.gnu.org/licenses/gpl-3.0.html
 Webfiable is a monitoring plugin that provides insights into your site's health and security posture. Requires a free Webfiable subscription.
+Webfiable Info connects your WordPress site to the Webfiable security service (https://webfiable.com) to monitor configuration health and receive actionable recommendations. The service is publicly available in white march (early access) and is free to use - no separate sign-up required.
 == Description ==
 **Ensure your website's security posture and configuration health with monitoring and recommendations. Requires an active Webfiable subscription (currently free).**
+**Improve your site's security posture and configuration health with monitoring and recommendations.**
+The Webfiable Info plugin is a component of the Webfiable security service, designed to help you maintain a robust security posture for your WordPress website. By securely gathering information about your site's plugins, themes, and WordPress version, the plugin enables the Webfiable service to perform in-depth analysis and provide weekly recommendations tailored to your specific configuration.
+Webfiable Info is the on-site companion for the Webfiable security service (https://webfiable.com). It securely gathers information about your site's WordPress version, plugins, themes, and basic site metadata and registers your site with Webfiable so you can receive ongoing reports via email. You stay in control: consent is explicit, and the public endpoint is opt-in and verified on save.
+During the white march period, there is no separate signup or billing - the plugin registers your site automatically from the settings screen and you can use the service for free. A subscription may be required in the future; we will notify administrators well in advance.
 == Features ==
+* **Simple and Reliable Design**: Built with simplicity in mind, this plugin minimizes the risk of issues arising on your website and reduces the need for frequent updates, contributing to a stable and secure environment.
+* **Lightweight and Efficient**: The plugin is designed to be very lightweight, executing its tasks within seconds, and running no more than once per day, ensuring no impact on your website's performance.
+* **Secure Data Transmission**: Utilizes advanced hybrid encryption (AES + RSA) to securely transmit data to the Webfiable service.
+* **Proactive Security Monitoring**: Enables continuous monitoring of your site’s security posture and configuration health.
+* **Part of the Webfiable Service**: Requires an active Webfiable subscription (currently free).
+* **One-click registration**: Enter a report recipient email, grant consent, and enable the endpoint; Webfiable Info verifies the endpoint and registers the site automatically.
+* **Opt-in endpoint**: The public `/webfiable` endpoint is disabled by default and verified when enabled. If verification or registration fails, the plugin safely disables it.
+* **Consent-aware behavior**: Turning off consent simply saves your choice and disables the endpoint; you can re-enable later.
+* **Lightweight by design**: No heavy background jobs; the endpoint serves inventory on demand and runs in milliseconds.
+* **Secure by default**: Uses hybrid encryption (AES-256 + RSA-2048) to transport data.
+* **Part of the Webfiable service**: Currently in white march (early access) and free to use; a subscription may be required in the future. Learn more at https://webfiable.com.
 == Security Features ==
 Webfiable Info is built with security at its core, ensuring that your website’s data is protected at every stage:
+Webfiable Info is built with security at its core, ensuring that your website's data is protected at every stage:
+* **Hybrid Encryption**: Combines AES and RSA encryption to safeguard your data. The plugin uses AES-256 to encrypt the collected data, and then securely transmits the AES key by encrypting it with RSA-2048.
+* **Initialization Vector (IV)**: Each data transmission uses a unique Initialization Vector (IV) to ensure that even identical data produces different ciphertexts, enhancing security.
+* **RSA Key Management**: The RSA encryption ensures that only the Webfiable service can decrypt the transmitted data, using a private key that remains secure on the Webfiable infrastructure.
+* **Hybrid Encryption**: Combines AES and RSA. The inventory is encrypted with AES-256-CBC; the AES key is encrypted with RSA-2048.
+* **Fresh IV per response**: Each response uses a new IV so ciphertext is always unique.
+* **Public endpoint, private content**: The `/webfiable` endpoint can be accessed by anyone, but the payload is encrypted for Webfiable only.
+* **Rate limiting**: Basic per-IP rate limiting reduces abuse.
 == Why It Is Secure ==
+. **Advanced Encryption Techniques**: Webfiable Info employs AES-256 for data encryption, a standard widely recognized for its strength and security. The AES key is then encrypted with RSA-2048, ensuring that even if the data is intercepted, it cannot be decrypted without the corresponding private RSA key, which is securely stored by Webfiable.
+. **Data Integrity**: The use of a unique IV for each transmission guarantees that your data remains confidential and secure, preventing any potential attackers from predicting or replicating encrypted data streams.
+. **Confidentiality by Design**: The plugin is designed to collect only the necessary information for security analysis, ensuring that your website's sensitive data is handled with the utmost care and never exposed.
+. **Strong transport**: AES-256 for data, RSA-2048 for the key - only Webfiable can decrypt.
+. **Unique IVs**: Each response is unique even for identical content.
+. **Minimal inventory**: Only software inventory and basic metadata needed for analysis; no credentials or content are collected.
 == Installation ==
 …
 . Once the installation is complete, click `Activate Plugin`.
+After activation:
+. Go to `Settings -> Webfiable Info`.
+. Enter the report recipient email and check the consent box.
+. Enable the `/webfiable` endpoint and click `Save settings`.
+. The plugin verifies the endpoint and completes registration. If verification fails, the endpoint will be disabled and a notice explains what to fix.
 == Frequently Asked Questions ==
 = Do I need a Webfiable subscription to use this plugin? =
+= Do I need a Webfiable subscription? =
 Yes, an active Webfiable subscription is required for the plugin to function. The plugin sends encrypted data to the Webfiable service, where it is analyzed as part of your subscription.
+Not during the white march (early access). The plugin registers your site automatically from the settings screen and you can use the service for free. A subscription may be required in the future. We will provide clear notice and a smooth upgrade path. See https://webfiable.com for updates.
 = How does the plugin ensure my data is secure? =
+= How is my data secured? =
 The plugin uses a hybrid encryption method, combining AES-256 and RSA-2048, to securely encrypt and transmit your website's data. This ensures that only the Webfiable service can decrypt and analyze the information.
+Data is encrypted on your site before transport using AES-256-CBC. The AES key is encrypted with RSA-2048 so only Webfiable can decrypt the payload.
 = What information does this plugin collect? =
+= What information is collected? =
+The plugin collects information about your installed plugins, themes, and the WordPress version. This data is used by the Webfiable service to assess your website's security posture and provide recommendations.
+Minimal inventory only: site URL, WordPress version, installed plugins and themes (name, slug, version, short description), a site identifier, consent timestamp, and the email you provide for reports. No user content or credentials.
+= What happens if I disable consent? =
+Your preference is saved immediately, and the `/webfiable` endpoint is turned off. You can re-enable consent and the endpoint at any time from Settings.
+= Why did registration fail? =
+The plugin enables and verifies the endpoint before registering. If your server blocks loopback requests, permalinks are misconfigured, or the OpenSSL PHP extension is missing, verification may fail. Fix the issue and click `Save settings` again - the plugin will retry.
 == Changelog ==
+= 2.0.0 =
+* New settings page under Settings -> Webfiable Info.
+* Opt-in `/webfiable` endpoint with on-save verification.
+* Automatic customer registration after successful verification.
+* Consent gating that saves your choice and disables the endpoint when consent is off.
+* Improved notices and lightweight, reliable design.
 = 1.4 =
 * Initial release with enhanced security features, including AES-256 encryption and RSA-2048 for key transmission.
+* Initial release with AES-256/RSA-2048 hybrid encryption.
 == Upgrade Notice ==
 = 1.4 =
 Initial release.
+= 2.0.0 =
+Visit Settings -> Webfiable Info to enter a report email, grant consent, and enable the endpoint. The plugin will verify and complete registration automatically.
 == License ==
 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version.

webfiable-info/tags/2.0.0/webfiable-info.php

-                      r3365319
+                      r3380779
 /**
  * Plugin Name: Webfiable Info
  * Plugin URI: https://webfiable.com/webfiable-info
+ * Plugin URI: https://wordpress.org/plugins/webfiable-info/
  * Description: Ensure your website's security posture and configuration health with monitoring and recommendations.
  * Version: 1.4.1
+ * Version: 2.0.0
  * Author: Webfiable Team
  * Author URI: https://webfiable.com
 …
  */
-// Prevent direct access.
 if ( ! defined( 'ABSPATH' ) ) {
     exit;
+}
+// RSA public key (provided by the user).
+define(
+    'WEBFIABLE_RSA_PUBLIC_KEY',
+    '-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw8y6jWyyz5yJzdj1kdDJ
+KDU54+MryJYTBHogyq8m+557Q8gciul2cAZexdhC6EkIzI/hxwNi/t6fcLiK0hdC
+nVaP6B/xkZPuURW/cjtKbCBXo0CLTMNnJSxhECI4Xq5l5koiThdhSvDlqsuMWy
+xCUUlbvU9Vg+MmiaEiRtZT7Nd5/NSqftqqdiVH0Q6sUd2OEFYPwnDI5615ALLH+h
+XeaQhTu053Tpqcw6cMNbqOCc9Gk6esoM69oNHtXR2tKxxzWldwb0+mRRypUiPLUn
+/n/9w5jnPrNsYGu1PVLXb+wlspPyZCSItq4zkzkFPYKvQ7u+U2UY28dHqSeHJhGd
+FQIDAQAB
+-----END PUBLIC KEY-----'
+);
+/** Paths */
+define( 'WEBFIABLE_PLUGIN_FILE', __FILE__ );
+define( 'WEBFIABLE_PLUGIN_BASENAME', plugin_basename( __FILE__ ) );
+define( 'WEBFIABLE_PLUGIN_DIR', plugin_dir_path( __FILE__ ) );
+define( 'WEBFIABLE_PLUGIN_URL', plugin_dir_url( __FILE__ ) );
+/**
+ * Registers the custom rewrite rule for the `webfiable` endpoint.
+ *
+ * Hooked to `init`.
+ *
+ * @since 1.4
+ * @return void
+ */
+function webfiable_register_route() {
+    add_rewrite_rule( '^webfiable$', 'index.php?webfiable_route=1', 'top' );
+}
+add_action( 'init', 'webfiable_register_route' );
+/** Load modules (order matters: constants → i18n → options → admin/routing/endpoint) */
+require_once WEBFIABLE_PLUGIN_DIR . 'includes/constants.php';
+require_once WEBFIABLE_PLUGIN_DIR . 'includes/i18n.php';
+require_once WEBFIABLE_PLUGIN_DIR . 'includes/options.php';
+require_once WEBFIABLE_PLUGIN_DIR . 'includes/admin.php';
+require_once WEBFIABLE_PLUGIN_DIR . 'includes/routing.php';
+require_once WEBFIABLE_PLUGIN_DIR . 'includes/endpoint.php';
+require_once WEBFIABLE_PLUGIN_DIR . 'includes/registration.php';
+/**
+ * Adds the `webfiable_route` query var so WordPress recognizes the endpoint.
+ *
+ * Hooked to `query_vars`.
+ *
+ * @since 1.4
+ * @param string[] $vars List of public query vars.
+ * @return string[] Modified list of query vars.
+ */
+function webfiable_add_query_vars( $vars ) {
+    $vars[] = 'webfiable_route';
+    return $vars;
+}
+add_filter( 'query_vars', 'webfiable_add_query_vars' );
+/**
+ * Handles the request to the `webfiable` endpoint and outputs an encrypted JSON payload.
+ *
+ * Hooked to `template_redirect`.
+ *
+ * Collects WP version, installed plugins and themes, builds a payload, encrypts it
+ * with a random AES-256-CBC key/IV, encrypts that key with the RSA public key,
+ * and returns base64-encoded values.
+ *
+ * @since 1.4
+ * @return void
+ */
+function webfiable_template_redirect() {
+    if ( get_query_var( 'webfiable_route' ) ) {
+        // Get all installed plugins.
+        $installed_plugins = get_plugins();
+        $plugins_info      = array();
+        foreach ( $installed_plugins as $plugin_slug => $plugin_data ) {
+            $plugins_info[] = array(
+                'name'        => $plugin_data['Name'],
+                'slug'        => dirname( $plugin_slug ),
+                'version'     => $plugin_data['Version'],
+                'description' => wp_strip_all_tags( $plugin_data['Description'] ),  // Remove HTML tags from description.
+            );
+        }
+        // Get all installed themes.
+        $installed_themes = wp_get_themes();
+        $themes_info      = array();
+        foreach ( $installed_themes as $theme_slug => $theme_data ) {
+            $themes_info[] = array(
+                'name'        => $theme_data->get( 'Name' ),
+                'slug'        => $theme_data->get_stylesheet(),
+                'version'     => $theme_data->get( 'Version' ),
+                'description' => wp_strip_all_tags( $theme_data->get( 'Description' ) ),  // Remove HTML tags from description.
+            );
+        }
+        // Get the WordPress version.
+        $wordpress_version = get_bloginfo( 'version' );
+        // Merge all info into one array.
+        $all_info = array(
+            'wordpress_version' => $wordpress_version,
+            'plugins'           => $plugins_info,
+            'themes'            => $themes_info,
+        );
+        // Convert to JSON.
+        $json_data = wp_json_encode( $all_info );
+        // Generate a 256-bit AES key.
+        $aes_key = openssl_random_pseudo_bytes( 32 );
+        // Encrypt the JSON data with the AES key.
+        $encrypted_data = openssl_encrypt( $json_data, 'AES-256-CBC', $aes_key, OPENSSL_RAW_DATA, $iv = openssl_random_pseudo_bytes( 16 ) );
+        // Encrypt the AES key with the RSA public key.
+        openssl_public_encrypt( $aes_key, $encrypted_key, WEBFIABLE_RSA_PUBLIC_KEY );
+        // Return both the encrypted AES key and the encrypted JSON data.
+        // We base64-encode binary values to transport them safely in JSON.
+        // phpcs:disable WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode -- Transport encoding, not obfuscation.
+        $encoded_key  = base64_encode( $encrypted_key );
+        $encoded_iv   = base64_encode( $iv );
+        $encoded_data = base64_encode( $encrypted_data );
+        // phpcs:enable WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode
+        $response = array(
+            'encrypted_key' => $encoded_key,
+            'iv'            => $encoded_iv,
+            'data'          => $encoded_data,
+        );
+        // Send JSON response.
+        wp_send_json( $response );
+        exit;
+    }
+}
+add_action( 'template_redirect', 'webfiable_template_redirect' );
+/**
+ * Flushes rewrite rules on plugin activation so the custom endpoint works immediately.
+ *
+ * Calls our route registrar and then flushes the rules. This should only run on activation,
+ * never on every request (for performance reasons).
+ *
+ * Hooked via `register_activation_hook()`.
+ *
+ * @since 1.4
+ * @return void
+ */
+function webfiable_flush_rewrite_rules() {
+    webfiable_register_route();
+    flush_rewrite_rules();
+}
+register_activation_hook( __FILE__, 'webfiable_flush_rewrite_rules' );
+/**
+ * Flushes rewrite rules on plugin deactivation to remove the custom endpoint.
+ *
+ * Hooked via `register_deactivation_hook()`.
+ *
+ * @since 1.4
+ * @return void
+ */
+function webfiable_deactivate() {
+    flush_rewrite_rules();
+}
+/** Register activation/deactivation hooks provided by routing.php */
+register_activation_hook( __FILE__, 'webfiable_activate' );
 register_deactivation_hook( __FILE__, 'webfiable_deactivate' );

webfiable-info/trunk/README.md

-                      r3365319
+                      r3380779
+=== Webfiable Info ===
+Contributors: webfiable
+Tags: security, monitoring, WordPress security
+Requires at least: 5.0
+Tested up to: 6.7
+Stable tag: 1.4
+License: GPLv3 or later
+License URI: https://www.gnu.org/licenses/gpl-3.0.html
+# Webfiable Info
 Webfiable is a monitoring plugin that provides insights into your site's health and security posture. Requires a free Webfiable subscription.
+> A lightweight, privacy-respecting companion plugin that connects your WordPress site to the [Webfiable](https://webfiable.com) security service for configuration monitoring and actionable recommendations.
+== Description ==
+- Status: Publicly available in white-march (early access)
+- License: GPLv3 or later
+- WordPress: 5.0+
+- PHP: 7.4+
+**Ensure your website's security posture and configuration health with monitoring and recommendations. Requires an active Webfiable subscription (currently free).**
+## Overview
 The Webfiable Info plugin is a component of the Webfiable security service, designed to help you maintain a robust security posture for your WordPress website. By securely gathering information about your site's plugins, themes, and WordPress version, the plugin enables the Webfiable service to perform in-depth analysis and provide weekly recommendations tailored to your specific configuration.
+Webfiable Info securely gathers a minimal software inventory (WordPress version, installed plugins and themes, and basic site metadata) and registers your site with [Webfiable](https://webfiable.com). You receive the first full report and ongoing summaries via email.
+== Features ==
+During the white-march period there is no separate sign-up or billingthe plugin registers your site from the settings screen and the service is free to use. A subscription may be required after general availability; administrators will be notified well in advance.
+* **Simple and Reliable Design**: Built with simplicity in mind, this plugin minimizes the risk of issues arising on your website and reduces the need for frequent updates, contributing to a stable and secure environment.
+* **Lightweight and Efficient**: The plugin is designed to be very lightweight, executing its tasks within seconds, and running no more than once per day, ensuring no impact on your website's performance.
+* **Secure Data Transmission**: Utilizes advanced hybrid encryption (AES + RSA) to securely transmit data to the Webfiable service.
+* **Proactive Security Monitoring**: Enables continuous monitoring of your site’s security posture and configuration health.
+* **Part of the Webfiable Service**: Requires an active Webfiable subscription (currently free).
+## Features
+== Security Features ==
+- One-click registration: enter a report email, grant consent, and enable the endpoint. The plugin verifies the endpoint and completes registration automatically.
+- Opt-in endpoint: the public `/webfiable` endpoint is disabled by default and verified when enabled. If verification or registration fails, the plugin safely disables it.
+- Consent-aware behavior: turning off consent simply saves your choice and disables the endpoint; you can re-enable later.
+- Lightweight by design: no heavy background jobs; the endpoint serves inventory on demand and runs in milliseconds.
+- Secure by default: hybrid encryption (AES-256-CBC + RSA-2048) protects the transport payload.
+- Part of the Webfiable service: learn more at [webfiable.com](https://webfiable.com).
+Webfiable Info is built with security at its core, ensuring that your website’s data is protected at every stage:
+## Security
+* **Hybrid Encryption**: Combines AES and RSA encryption to safeguard your data. The plugin uses AES-256 to encrypt the collected data, and then securely transmits the AES key by encrypting it with RSA-2048.
+* **Initialization Vector (IV)**: Each data transmission uses a unique Initialization Vector (IV) to ensure that even identical data produces different ciphertexts, enhancing security.
+* **RSA Key Management**: The RSA encryption ensures that only the Webfiable service can decrypt the transmitted data, using a private key that remains secure on the Webfiable infrastructure.
+- Hybrid Encryption: inventory is encrypted with AES-256-CBC; the AES key is encrypted with RSA-2048.
+- Fresh IV per response: each response uses a new IV so ciphertext is always unique.
+- Public endpoint, private content: the `/webfiable` endpoint may be accessed publicly, but the payload can only be decrypted by Webfiable.
+- Rate limiting: basic per-IP limiting reduces abuse.
+== Why It Is Secure ==
+## Installation & Setup
+. **Advanced Encryption Techniques**: Webfiable Info employs AES-256 for data encryption, a standard widely recognized for its strength and security. The AES key is then encrypted with RSA-2048, ensuring that even if the data is intercepted, it cannot be decrypted without the corresponding private RSA key, which is securely stored by Webfiable.
+. Install the plugin (zip upload or from source).
+. Activate it in WordPress.
+. Go to Settings -> Webfiable Info.
+. Enter the report recipient email and check the consent box.
+. Enable the `/webfiable` endpoint and click Save settings.
+. The plugin verifies the endpoint and completes registration. If verification fails, a notice explains what to fix and the endpoint is safely disabled.
+. **Data Integrity**: The use of a unique IV for each transmission guarantees that your data remains confidential and secure, preventing any potential attackers from predicting or replicating encrypted data streams.
+## FAQ
+. **Confidentiality by Design**: The plugin is designed to collect only the necessary information for security analysis, ensuring that your website's sensitive data is handled with the utmost care and never exposed.
+### Do I need a Webfiable subscription?
+Not during white-march (early access). The plugin registers your site automatically and the service is free to use. When the service launches publicly, a subscription may be required. We will provide clear notice and a smooth path to upgrade. See updates at [webfiable.com](https://webfiable.com).
+== Installation ==
+### How is my data secured?
+Data is encrypted on your site before transport using AES-256-CBC. The AES key is encrypted with RSA-2048 so only Webfiable can decrypt the payload.
+. Download the `webfiable-info.zip` file to your computer.
+. Log in to your WordPress admin dashboard.
+. Go to `Plugins > Add New`.
+. Click the `Upload Plugin` button at the top of the page.
+. Click `Choose File` and select the `webfiable-info.zip` file you downloaded.
+. Click `Install Now`.
+. Once the installation is complete, click `Activate Plugin`.
+### What information is collected?
+Minimal inventory only: site URL, WordPress version, installed plugins and themes (name, slug, version, short description), a site identifier, consent timestamp, and the email you provide for reports. No user content or credentials.
+== Frequently Asked Questions ==
+### What happens if I disable consent?
+Your preference is saved immediately, and the `/webfiable` endpoint is turned off. You can re-enable consent and the endpoint at any time from Settings.
+= Do I need a Webfiable subscription to use this plugin? =
+### Why might registration fail?
+The plugin verifies the endpoint before registering. If your server blocks loopback requests, permalinks are misconfigured, or the PHP OpenSSL extension is missing, verification may fail. Fix the issue and click "Save settings" again  the plugin will retry.
+Yes, an active Webfiable subscription is required for the plugin to function. The plugin sends encrypted data to the Webfiable service, where it is analyzed as part of your subscription.
+## Contributing
+Issues and PRs are welcome. Please keep changes focused and consistent with the existing code style.
+= How does the plugin ensure my data is secure? =
+## License
+GPLv3 or later. See the [LICENSE](https://www.gnu.org/licenses/gpl-3.0.html).
-The plugin uses a hybrid encryption method, combining AES-256 and RSA-2048, to securely encrypt and transmit your website's data. This ensures that only the Webfiable service can decrypt and analyze the information.
-= What information does this plugin collect? =
-The plugin collects information about your installed plugins, themes, and the WordPress version. This data is used by the Webfiable service to assess your website's security posture and provide recommendations.
-== Changelog ==
-= 1.4 =
-* Initial release with enhanced security features, including AES-256 encryption and RSA-2048 for key transmission.
-== Upgrade Notice ==
-= 1.4 =
-Initial release.
-== License ==
-This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version.

webfiable-info/trunk/readme.txt

-                      r3365319
+                      r3380779
 === Webfiable Info ===
 Contributors: webfiable
+Tags: security, monitoring, WordPress security
+Requires at least: 5.0
+Tested up to: 6.7
+Stable tag: 1.4.1
+Tags: security, monitoring, hardening, inventory, endpoint
+Requires at least: 4.7
+Tested up to: 6.8
+Requires PHP: 7.4
+Stable tag: 2.0.0
 License: GPLv3 or later
 License URI: https://www.gnu.org/licenses/gpl-3.0.html
 Webfiable is a monitoring plugin that provides insights into your site's health and security posture. Requires a free Webfiable subscription.
+Webfiable Info connects your WordPress site to the Webfiable security service (https://webfiable.com) to monitor configuration health and receive actionable recommendations. The service is publicly available in white march (early access) and is free to use - no separate sign-up required.
 == Description ==
 **Ensure your website's security posture and configuration health with monitoring and recommendations. Requires an active Webfiable subscription (currently free).**
+**Improve your site's security posture and configuration health with monitoring and recommendations.**
+The Webfiable Info plugin is a component of the Webfiable security service, designed to help you maintain a robust security posture for your WordPress website. By securely gathering information about your site's plugins, themes, and WordPress version, the plugin enables the Webfiable service to perform in-depth analysis and provide weekly recommendations tailored to your specific configuration.
+Webfiable Info is the on-site companion for the Webfiable security service (https://webfiable.com). It securely gathers information about your site's WordPress version, plugins, themes, and basic site metadata and registers your site with Webfiable so you can receive ongoing reports via email. You stay in control: consent is explicit, and the public endpoint is opt-in and verified on save.
+During the white march period, there is no separate signup or billing - the plugin registers your site automatically from the settings screen and you can use the service for free. A subscription may be required in the future; we will notify administrators well in advance.
 == Features ==
+* **Simple and Reliable Design**: Built with simplicity in mind, this plugin minimizes the risk of issues arising on your website and reduces the need for frequent updates, contributing to a stable and secure environment.
+* **Lightweight and Efficient**: The plugin is designed to be very lightweight, executing its tasks within seconds, and running no more than once per day, ensuring no impact on your website's performance.
+* **Secure Data Transmission**: Utilizes advanced hybrid encryption (AES + RSA) to securely transmit data to the Webfiable service.
+* **Proactive Security Monitoring**: Enables continuous monitoring of your site’s security posture and configuration health.
+* **Part of the Webfiable Service**: Requires an active Webfiable subscription (currently free).
+* **One-click registration**: Enter a report recipient email, grant consent, and enable the endpoint; Webfiable Info verifies the endpoint and registers the site automatically.
+* **Opt-in endpoint**: The public `/webfiable` endpoint is disabled by default and verified when enabled. If verification or registration fails, the plugin safely disables it.
+* **Consent-aware behavior**: Turning off consent simply saves your choice and disables the endpoint; you can re-enable later.
+* **Lightweight by design**: No heavy background jobs; the endpoint serves inventory on demand and runs in milliseconds.
+* **Secure by default**: Uses hybrid encryption (AES-256 + RSA-2048) to transport data.
+* **Part of the Webfiable service**: Currently in white march (early access) and free to use; a subscription may be required in the future. Learn more at https://webfiable.com.
 == Security Features ==
 Webfiable Info is built with security at its core, ensuring that your website’s data is protected at every stage:
+Webfiable Info is built with security at its core, ensuring that your website's data is protected at every stage:
+* **Hybrid Encryption**: Combines AES and RSA encryption to safeguard your data. The plugin uses AES-256 to encrypt the collected data, and then securely transmits the AES key by encrypting it with RSA-2048.
+* **Initialization Vector (IV)**: Each data transmission uses a unique Initialization Vector (IV) to ensure that even identical data produces different ciphertexts, enhancing security.
+* **RSA Key Management**: The RSA encryption ensures that only the Webfiable service can decrypt the transmitted data, using a private key that remains secure on the Webfiable infrastructure.
+* **Hybrid Encryption**: Combines AES and RSA. The inventory is encrypted with AES-256-CBC; the AES key is encrypted with RSA-2048.
+* **Fresh IV per response**: Each response uses a new IV so ciphertext is always unique.
+* **Public endpoint, private content**: The `/webfiable` endpoint can be accessed by anyone, but the payload is encrypted for Webfiable only.
+* **Rate limiting**: Basic per-IP rate limiting reduces abuse.
 == Why It Is Secure ==
+. **Advanced Encryption Techniques**: Webfiable Info employs AES-256 for data encryption, a standard widely recognized for its strength and security. The AES key is then encrypted with RSA-2048, ensuring that even if the data is intercepted, it cannot be decrypted without the corresponding private RSA key, which is securely stored by Webfiable.
+. **Data Integrity**: The use of a unique IV for each transmission guarantees that your data remains confidential and secure, preventing any potential attackers from predicting or replicating encrypted data streams.
+. **Confidentiality by Design**: The plugin is designed to collect only the necessary information for security analysis, ensuring that your website's sensitive data is handled with the utmost care and never exposed.
+. **Strong transport**: AES-256 for data, RSA-2048 for the key - only Webfiable can decrypt.
+. **Unique IVs**: Each response is unique even for identical content.
+. **Minimal inventory**: Only software inventory and basic metadata needed for analysis; no credentials or content are collected.
 == Installation ==
 …
 . Once the installation is complete, click `Activate Plugin`.
+After activation:
+. Go to `Settings -> Webfiable Info`.
+. Enter the report recipient email and check the consent box.
+. Enable the `/webfiable` endpoint and click `Save settings`.
+. The plugin verifies the endpoint and completes registration. If verification fails, the endpoint will be disabled and a notice explains what to fix.
 == Frequently Asked Questions ==
 = Do I need a Webfiable subscription to use this plugin? =
+= Do I need a Webfiable subscription? =
 Yes, an active Webfiable subscription is required for the plugin to function. The plugin sends encrypted data to the Webfiable service, where it is analyzed as part of your subscription.
+Not during the white march (early access). The plugin registers your site automatically from the settings screen and you can use the service for free. A subscription may be required in the future. We will provide clear notice and a smooth upgrade path. See https://webfiable.com for updates.
 = How does the plugin ensure my data is secure? =
+= How is my data secured? =
 The plugin uses a hybrid encryption method, combining AES-256 and RSA-2048, to securely encrypt and transmit your website's data. This ensures that only the Webfiable service can decrypt and analyze the information.
+Data is encrypted on your site before transport using AES-256-CBC. The AES key is encrypted with RSA-2048 so only Webfiable can decrypt the payload.
 = What information does this plugin collect? =
+= What information is collected? =
+The plugin collects information about your installed plugins, themes, and the WordPress version. This data is used by the Webfiable service to assess your website's security posture and provide recommendations.
+Minimal inventory only: site URL, WordPress version, installed plugins and themes (name, slug, version, short description), a site identifier, consent timestamp, and the email you provide for reports. No user content or credentials.
+= What happens if I disable consent? =
+Your preference is saved immediately, and the `/webfiable` endpoint is turned off. You can re-enable consent and the endpoint at any time from Settings.
+= Why did registration fail? =
+The plugin enables and verifies the endpoint before registering. If your server blocks loopback requests, permalinks are misconfigured, or the OpenSSL PHP extension is missing, verification may fail. Fix the issue and click `Save settings` again - the plugin will retry.
 == Changelog ==
+= 2.0.0 =
+* New settings page under Settings -> Webfiable Info.
+* Opt-in `/webfiable` endpoint with on-save verification.
+* Automatic customer registration after successful verification.
+* Consent gating that saves your choice and disables the endpoint when consent is off.
+* Improved notices and lightweight, reliable design.
 = 1.4 =
 * Initial release with enhanced security features, including AES-256 encryption and RSA-2048 for key transmission.
+* Initial release with AES-256/RSA-2048 hybrid encryption.
 == Upgrade Notice ==
 = 1.4 =
 Initial release.
+= 2.0.0 =
+Visit Settings -> Webfiable Info to enter a report email, grant consent, and enable the endpoint. The plugin will verify and complete registration automatically.
 == License ==
 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version.

webfiable-info/trunk/webfiable-info.php

-                      r3365319
+                      r3380779
 /**
  * Plugin Name: Webfiable Info
  * Plugin URI: https://webfiable.com/webfiable-info
+ * Plugin URI: https://wordpress.org/plugins/webfiable-info/
  * Description: Ensure your website's security posture and configuration health with monitoring and recommendations.
  * Version: 1.4.1
+ * Version: 2.0.0
  * Author: Webfiable Team
  * Author URI: https://webfiable.com
 …
  */
-// Prevent direct access.
 if ( ! defined( 'ABSPATH' ) ) {
     exit;
+}
+// RSA public key (provided by the user).
+define(
+    'WEBFIABLE_RSA_PUBLIC_KEY',
+    '-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw8y6jWyyz5yJzdj1kdDJ
+KDU54+MryJYTBHogyq8m+557Q8gciul2cAZexdhC6EkIzI/hxwNi/t6fcLiK0hdC
+nVaP6B/xkZPuURW/cjtKbCBXo0CLTMNnJSxhECI4Xq5l5koiThdhSvDlqsuMWy
+xCUUlbvU9Vg+MmiaEiRtZT7Nd5/NSqftqqdiVH0Q6sUd2OEFYPwnDI5615ALLH+h
+XeaQhTu053Tpqcw6cMNbqOCc9Gk6esoM69oNHtXR2tKxxzWldwb0+mRRypUiPLUn
+/n/9w5jnPrNsYGu1PVLXb+wlspPyZCSItq4zkzkFPYKvQ7u+U2UY28dHqSeHJhGd
+FQIDAQAB
+-----END PUBLIC KEY-----'
+);
+/** Paths */
+define( 'WEBFIABLE_PLUGIN_FILE', __FILE__ );
+define( 'WEBFIABLE_PLUGIN_BASENAME', plugin_basename( __FILE__ ) );
+define( 'WEBFIABLE_PLUGIN_DIR', plugin_dir_path( __FILE__ ) );
+define( 'WEBFIABLE_PLUGIN_URL', plugin_dir_url( __FILE__ ) );
+/**
+ * Registers the custom rewrite rule for the `webfiable` endpoint.
+ *
+ * Hooked to `init`.
+ *
+ * @since 1.4
+ * @return void
+ */
+function webfiable_register_route() {
+    add_rewrite_rule( '^webfiable$', 'index.php?webfiable_route=1', 'top' );
+}
+add_action( 'init', 'webfiable_register_route' );
+/** Load modules (order matters: constants → i18n → options → admin/routing/endpoint) */
+require_once WEBFIABLE_PLUGIN_DIR . 'includes/constants.php';
+require_once WEBFIABLE_PLUGIN_DIR . 'includes/i18n.php';
+require_once WEBFIABLE_PLUGIN_DIR . 'includes/options.php';
+require_once WEBFIABLE_PLUGIN_DIR . 'includes/admin.php';
+require_once WEBFIABLE_PLUGIN_DIR . 'includes/routing.php';
+require_once WEBFIABLE_PLUGIN_DIR . 'includes/endpoint.php';
+require_once WEBFIABLE_PLUGIN_DIR . 'includes/registration.php';
+/**
+ * Adds the `webfiable_route` query var so WordPress recognizes the endpoint.
+ *
+ * Hooked to `query_vars`.
+ *
+ * @since 1.4
+ * @param string[] $vars List of public query vars.
+ * @return string[] Modified list of query vars.
+ */
+function webfiable_add_query_vars( $vars ) {
+    $vars[] = 'webfiable_route';
+    return $vars;
+}
+add_filter( 'query_vars', 'webfiable_add_query_vars' );
+/**
+ * Handles the request to the `webfiable` endpoint and outputs an encrypted JSON payload.
+ *
+ * Hooked to `template_redirect`.
+ *
+ * Collects WP version, installed plugins and themes, builds a payload, encrypts it
+ * with a random AES-256-CBC key/IV, encrypts that key with the RSA public key,
+ * and returns base64-encoded values.
+ *
+ * @since 1.4
+ * @return void
+ */
+function webfiable_template_redirect() {
+    if ( get_query_var( 'webfiable_route' ) ) {
+        // Get all installed plugins.
+        $installed_plugins = get_plugins();
+        $plugins_info      = array();
+        foreach ( $installed_plugins as $plugin_slug => $plugin_data ) {
+            $plugins_info[] = array(
+                'name'        => $plugin_data['Name'],
+                'slug'        => dirname( $plugin_slug ),
+                'version'     => $plugin_data['Version'],
+                'description' => wp_strip_all_tags( $plugin_data['Description'] ),  // Remove HTML tags from description.
+            );
+        }
+        // Get all installed themes.
+        $installed_themes = wp_get_themes();
+        $themes_info      = array();
+        foreach ( $installed_themes as $theme_slug => $theme_data ) {
+            $themes_info[] = array(
+                'name'        => $theme_data->get( 'Name' ),
+                'slug'        => $theme_data->get_stylesheet(),
+                'version'     => $theme_data->get( 'Version' ),
+                'description' => wp_strip_all_tags( $theme_data->get( 'Description' ) ),  // Remove HTML tags from description.
+            );
+        }
+        // Get the WordPress version.
+        $wordpress_version = get_bloginfo( 'version' );
+        // Merge all info into one array.
+        $all_info = array(
+            'wordpress_version' => $wordpress_version,
+            'plugins'           => $plugins_info,
+            'themes'            => $themes_info,
+        );
+        // Convert to JSON.
+        $json_data = wp_json_encode( $all_info );
+        // Generate a 256-bit AES key.
+        $aes_key = openssl_random_pseudo_bytes( 32 );
+        // Encrypt the JSON data with the AES key.
+        $encrypted_data = openssl_encrypt( $json_data, 'AES-256-CBC', $aes_key, OPENSSL_RAW_DATA, $iv = openssl_random_pseudo_bytes( 16 ) );
+        // Encrypt the AES key with the RSA public key.
+        openssl_public_encrypt( $aes_key, $encrypted_key, WEBFIABLE_RSA_PUBLIC_KEY );
+        // Return both the encrypted AES key and the encrypted JSON data.
+        // We base64-encode binary values to transport them safely in JSON.
+        // phpcs:disable WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode -- Transport encoding, not obfuscation.
+        $encoded_key  = base64_encode( $encrypted_key );
+        $encoded_iv   = base64_encode( $iv );
+        $encoded_data = base64_encode( $encrypted_data );
+        // phpcs:enable WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode
+        $response = array(
+            'encrypted_key' => $encoded_key,
+            'iv'            => $encoded_iv,
+            'data'          => $encoded_data,
+        );
+        // Send JSON response.
+        wp_send_json( $response );
+        exit;
+    }
+}
+add_action( 'template_redirect', 'webfiable_template_redirect' );
+/**
+ * Flushes rewrite rules on plugin activation so the custom endpoint works immediately.
+ *
+ * Calls our route registrar and then flushes the rules. This should only run on activation,
+ * never on every request (for performance reasons).
+ *
+ * Hooked via `register_activation_hook()`.
+ *
+ * @since 1.4
+ * @return void
+ */
+function webfiable_flush_rewrite_rules() {
+    webfiable_register_route();
+    flush_rewrite_rules();
+}
+register_activation_hook( __FILE__, 'webfiable_flush_rewrite_rules' );
+/**
+ * Flushes rewrite rules on plugin deactivation to remove the custom endpoint.
+ *
+ * Hooked via `register_deactivation_hook()`.
+ *
+ * @since 1.4
+ * @return void
+ */
+function webfiable_deactivate() {
+    flush_rewrite_rules();
+}
+/** Register activation/deactivation hooks provided by routing.php */
+register_activation_hook( __FILE__, 'webfiable_activate' );
 register_deactivation_hook( __FILE__, 'webfiable_deactivate' );

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Download in other formats: