# Security Policy

## Supported versions

This repository currently supports plugin version **1.7.0**.

## Reporting a vulnerability

If you believe you have found a security vulnerability, please report it privately.

Include:
- WordPress version, PHP version, and whether the site is multisite
- Exact steps to reproduce
- Proof-of-concept details (screenshots/logs)
- Any relevant server/WAF logs if available

Avoid publishing the details publicly until a fix is available.

## Security design notes

BrenWP Client Safe Mode is designed around:
- Capability checks for all privileged actions
- Nonce protection for state-changing actions
- Conservative sanitization on input and escaping on output
- Disabling high-risk file modification paths when configured
- Optional global hardening switch to disable the built-in Plugin/Theme editors (recommended)
- Optional capability hard-blocking for update/install actions while in Safe Mode (opt-in)
- Optional capability hard-blocking for built-in Plugin/Theme editors and user-management actions while in Safe Mode (opt-in)
- Optional blocking of Site Editor / Widgets screens while in Safe Mode (opt-in)
- Optional, bounded activity logging without storing IP addresses (and redacting likely secrets)
- A short-lived lock on activity log writes to reduce lost updates under concurrent requests (defense-in-depth)
- Optional profile email/password lock for restricted roles (self-service hardening)

### Targeted restrictions (user selection)

In addition to role-based restrictions, the plugin can optionally apply the same client restrictions to a single selected user account (useful when the client’s account does not map cleanly to a role).

Safety guards:

- Administrators are never restricted by these client restrictions.
- On multisite, super-admins are also excluded.
## Operational hardening

- Plugin options are stored with autoload disabled where supported, to reduce the size of WordPress’s autoloaded `alloptions` cache.
- Storage self-healing is throttled to run at most twice per day per site (unless options are missing), to avoid adding overhead to every request.
- All state-changing admin actions require POST + a WordPress nonce, and are guarded by capability checks.
## Hardening hooks

- Site owners can prevent the plugin from creating the `bren_client` role by returning `false` from the `brenwp_csm_create_client_role` filter.
- The default `bren_client` capabilities can be adjusted via `brenwp_csm_client_role_caps`.
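Both hooks wired up from a site-specific mu-plugin, as an added example (not code from the plugin itself). It assumes `brenwp_csm_create_client_role` passes a bool and `brenwp_csm_client_role_caps` passes the role's capability map as a `capability => bool` array (the shape `WP_Role` uses); the `client_editor` role name is a hypothetical placeholder.

```php
<?php
/**
 * Plugin Name: Client Safe Mode site hardening
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 * Added example; not part of BrenWP Client Safe Mode.
 */

// Assumption: filter receives a bool and expects a bool back.
// Returning false stops the plugin from creating bren_client, which is
// useful when the site already manages its own client role.
add_filter( 'brenwp_csm_create_client_role', function ( $create ) {
    // 'client_editor' is a hypothetical, site-specific role name.
    return get_role( 'client_editor' ) ? false : (bool) $create;
} );

// Assumption: filter receives the capability map (capability => bool)
// and expects the adjusted map back.
add_filter( 'brenwp_csm_client_role_caps', function ( $caps ) {
    if ( ! is_array( $caps ) ) {
        return $caps; // Unexpected shape: leave it untouched.
    }

    // Least privilege: explicitly deny capabilities a client account should
    // never hold, whatever the plugin's defaults happen to contain.
    // These are standard WordPress capability names.
    $never_grant = array(
        'edit_files', 'edit_plugins', 'edit_themes',
        'install_plugins', 'install_themes',
        'update_plugins', 'update_themes', 'update_core',
        'unfiltered_html', 'promote_users', 'edit_users', 'delete_users',
    );
    foreach ( $never_grant as $cap ) {
        $caps[ $cap ] = false; // explicit false rather than a missing key
    }

    // A narrow, deliberate grant the site needs for its client workflow.
    $caps['upload_files'] = true;

    return $caps;
} );
```

The explicit `false` entries matter because a capability absent from the map can later be added by another plugin, whereas a recorded deny is visible in the role data and can be audited.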
## Threat model and assumptions

This plugin is intended to reduce risk from accidental or low-sophistication administrative actions (e.g., clients installing plugins, editing theme files, or accessing sensitive maintenance screens).

Out of scope:
- Server-side compromise, malicious PHP uploaded through other vectors, or vulnerabilities in third-party plugins/themes.
- Acting as a replacement for server/WAF hardening, least-privilege user management, or regular patching.

Assumptions:
- WordPress core is not modified in a way that bypasses standard nonce and capability protections.
- Site owners enforce least privilege and do not grant restricted roles broad administrative capabilities.

## Additional hardening notes

- **Application Passwords** can be disabled for restricted roles and/or Safe Mode users via settings (reduces REST API credential surface).
- **Admin notices hiding** (optional) is implemented via CSS and excludes the plugin settings screen to avoid masking operational feedback.
- **Settings import/export** uses strict whitelist normalization and server-side sanitization; unknown keys are ignored.
