=== CellarWeb Privacy and Security Options ===
Contributors: rhellewellgmailcom
Donate link: http://cellarweb.com/
Tags: site security safety hardening
Version: 2.08
Stable tag: 2.08
Requires at least: 4.9.6
Tested up to: 5.8
Requires PHP: 5.4
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Private functions for all CellarWeb sites.

== Description ==

Secure your WP site with these common security settings. Includes several security and anti-hacking features, plus an alternative login screen. Disables certain functions/processes that are potential security issues. Modifies the .htaccess file with security settings.

== Installation ==

1. Upload the plugin files to the `/wp-content/plugins/cellarweb-private-functions` directory.
2. Activate the plugin through the 'Plugins' screen in WordPress.
3. Use the Settings->CellarWeb Private Functions screen to configure the plugin.

== Frequently Asked Questions ==

= What is this? =

Some general purpose functions for WordPress sites, including some security-related features to block hacking attempts.

= Like what? =

There are lots of options that can be selected, grouped into five sections:

= General Settings =

- Changes the 'Howdy' to 'Welcome'. Because we think that 'Howdy' is for an Old West site.
- Adds the 'referer' to a CF7 form field. Great to figure out where your comments came from.
- Adds a copyright to the footer. (Right now it's ours, but future versions will allow you to enter your own footer text.)
- Removes the WP logo from the Admin bar.
- Sets up a [current_year] shortcode you can use anywhere.
- Allows use of shortcodes in widgets.
- Adds a favicon to the generated page 'head' section. You supply the favicon file.
- Adds social sharing buttons centered at the bottom of all posts/pages.

= PHP Settings =

- Changes 'max upload size' (upload_max_filesize) to 256M.
- Changes 'max post size' (post_max_size) to 128M. PHP caps an upload at post_max_size, so with these two values the effective upload limit is 128M.
- Changes 'max execution time' (max_execution_time) to 300. PHP measures this directive in seconds, not milliseconds.

These settings may be ignored by some hosting platforms: upload_max_filesize and post_max_size are PHP_INI_PERDIR directives that cannot be changed at runtime with ini_set(), only in php.ini, .user.ini or (with mod_php) .htaccess.
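The General Security, Login-Related and htaccess settings described in the next three FAQ entries could be implemented along the following lines. This is an added example written for this readme, not code from the CellarWeb plugin; it uses real WordPress hooks and the core insert_with_markers() helper, and assumes Apache 2.4 for the .htaccess syntax. The plugin name, the 'Example Hardening' marker, the 'Login failed.' text and the notice wording are made up for the example.

```php
<?php
/**
 * Plugin Name: Example Hardening
 * Description: Added illustration for this readme, not the CellarWeb plugin's code.
 *
 * Install as wp-content/plugins/example-hardening.php (activation hooks do
 * not fire for mu-plugins). Assumes Apache 2.4 syntax for .htaccess; the
 * marker name and the message texts are invented for this example.
 */
defined( 'ABSPATH' ) || exit;

// ---- General Security Settings ------------------------------------------

// XML-RPC: the endpoint used for system.multicall login brute-forcing and
// pingback abuse.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Drop <meta name="generator" content="WordPress x.y"> from <head>.
remove_action( 'wp_head', 'wp_generator' );

// No theme/plugin editor: a stolen admin session cannot be turned into
// arbitrary PHP on disk through the UI.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// Never show PHP errors (paths, queries) to visitors; log them instead.
ini_set( 'display_errors', '0' );
ini_set( 'log_errors', '1' );

// WP 301-redirects ?author=N to /author/<login>/, leaking the login name.
// 'init' runs before redirect_canonical(). The REST users routes leak the
// same name, so they are limited to logged-in users as well.
add_action( 'init', function () {
    if ( ! is_admin() && isset( $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
} );
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

// Warn administrators while the guessable 'admin' login exists.
add_action( 'admin_notices', function () {
    if ( current_user_can( 'manage_options' ) && username_exists( 'admin' ) ) {
        echo '<div class="notice notice-warning"><p>A user named "admin" exists; rename it.</p></div>';
    }
} );

// ---- Login-Related Security Settings ------------------------------------

// Same message whether the login name or the password was wrong.
add_filter( 'login_errors', function () {
    return 'Login failed.';
} );

// Home page after login and after logout.
add_filter( 'login_redirect', function () {
    return home_url( '/' );
} );
add_filter( 'logout_redirect', function () {
    return home_url( '/' );
} );

// ---- htaccess Security Settings ------------------------------------------

// Writes the rules between "# BEGIN Example Hardening" / "# END Example
// Hardening" with WordPress's insert_with_markers(), which replaces an
// existing block instead of appending a second copy.
function example_hardening_write_htaccess() {
    require_once ABSPATH . 'wp-admin/includes/misc.php'; // insert_with_markers()
    $host  = preg_quote( wp_parse_url( home_url(), PHP_URL_HOST ), '/' );
    $rules = array(
        'Options -Indexes',
        '<Files "wp-config.php">',
        '    Require all denied',
        '</Files>',
        // Comment POSTs must carry a Referer from this host and a User-Agent.
        // Bots can forge both, so this cuts noise; it is not a boundary.
        '<IfModule mod_rewrite.c>',
        '    RewriteEngine On',
        '    RewriteCond %{REQUEST_METHOD} POST',
        '    RewriteCond %{REQUEST_URI} /wp-comments-post\.php$',
        '    RewriteCond %{HTTP_REFERER} !^https?://' . $host . '/ [NC,OR]',
        '    RewriteCond %{HTTP_USER_AGENT} ^$',
        '    RewriteRule .* - [F,L]',
        '</IfModule>',
    );
    return insert_with_markers( ABSPATH . '.htaccess', 'Example Hardening', $rules );
}
register_activation_hook( __FILE__, 'example_hardening_write_htaccess' );
// Deactivation empties the block; insert_with_markers() keeps the BEGIN/END lines.
register_deactivation_hook( __FILE__, function () {
    require_once ABSPATH . 'wp-admin/includes/misc.php';
    insert_with_markers( ABSPATH . '.htaccess', 'Example Hardening', array() );
} );
```

The .htaccess directives need AllowOverride Options, AuthConfig and FileInfo in the virtual host; on Apache 2.2 replace `Require all denied` with `Order deny,allow` plus `Deny from all`, and nginx ignores the file entirely. The generic login message hides which half of the credential was wrong, but it does not by itself stop login-name discovery, which is why the author query and the REST users routes are handled together with it.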
= General Security Settings =

- Disables XML-RPC, a common attack vector (used for login brute-forcing via system.multicall and for pingback abuse).
- Removes the WP version from the generated page.
- Disables the code editor in all theme/plugin admin screens.
- Forces disabling of all error reporting by plugins or themes.
- Checks for a user called 'admin' (a common hack attack vector).
- Disables the ability to query by author ID (?author=N, a common way to enumerate login names).

= Login-Related Security Settings =

- Changes the failed login message to a more generic error (instead of 'bad user' or 'bad password').
- Use a custom login page that you provide.
- Disable the 'Remember Me' checkbox on the login page.
- Redirect to the home page after login/logout.
- Put login/logout links on menu bars.

= htaccess Security Settings =

- Disables directory listings.
- Protects the wp-config.php file from direct access.
- Adds directives to block direct access to the wp-comments-post.php file (a common attack vector for comment spam bots).
- Shows the current contents of your .htaccess file.

These directives only take effect on web servers that read .htaccess files (Apache, LiteSpeed); nginx ignores them.

= Wow! That's a lot of settings! =

Yep. But they are ones that we commonly use in all of our managed WP sites, so putting them into one plugin was easier than doing it manually on every site.

= What if I want an additional setting? =

Just add a message in the plugin's support area. We'll consider it.

= Do you have other security-related plugins? =

Yep! One of our favorites will block all comment spam. It's very effective. We put it on one site that was getting a lot of comment spam, and now there is none. Not one. It's called "Block Comment Spam Bots", and can be found in the WP plugin repository. There's a link to it (and other plugins we've done) on this plugin's Settings/Information page.

== Screenshots ==

1. There is no screenshot. But there could be.

== Changelog ==

= 2.08 (2 Mar 2020) =
* Changed when the .htaccess file is updated; it now happens after theme setup so that the switch_to_locale function is not called before it is available.
  This also fixes the problem of the 'updated htaccess' admin message appearing at the wrong time (as in on other screens).

= 2.07 (13 Feb 2020) =
* Another instance of the switch_to_locale function check was removed.

= 2.06 (12 Feb 2020) =
* Corrected incorrect version of main file (didn't have the 2.05 fix).

= 2.05 (28 Jan 2020) =
* Removed call to switch_to_locale; it was causing errors on later PHP versions.

= 2.04 =
* Internal version, not released.

= 2.03 (10 Jan 2020) =
* Further tweaks to the .htaccess changing module.
* Updated readme and program versions to match.

= 2.02 (8 Jan 2020) =
* Fixed invalid .htaccess 'option' parameter.
* Attempted fix of 'htaccess changed' admin message appearing too late.

= 2.01 (3 Jan 2020) =
* Fixed minor typo in Information page about the CF7 shortcodes.
* Added to the FAQ a list of the features of this plugin.

= 2.00 (2 Jan 2020) =
* Initial release of public version.
* Removed code for privately hosted auto-updates.
* Added option to protect against directly accessing wp-comments-post.php via .htaccess directives.
* Shows the current contents of the .htaccess file for your review.
* Ensured all array element names are quoted strings, rather than unquoted. Removes PHP warnings about undefined constants; ensures compatibility with future PHP versions.
* Removed debugging code and unneeded comments.
* Changed variables, CSS styles, and function prefix to "CWPS" to match plugin name.
* Removed FontAwesome CSS loading; replacement icons are included in the plugin.
* Properly enqueued the CSS file per WP standards.
* Some minor CSS fixes.
* Added uninstall process to remove the plugin's options from the wp_options table.
* Added additional information to the settings/information screen.
* Minor code documentation corrections (spelling, mostly).

= All versions below were privately released. Public version / initial release is Version 2.00 =

= 1.55 =
* Changed all array element names (the part in the brackets) to be strings, rather than 'assumed' strings. The use of 'assumed' strings was causing a PHP Warning about undefined constants. PHP 7 ignores that, although it may cause a fatal error in PHP 8.x (whenever that gets released). And the PHP Warnings were cluttering up the error.log file.

= 1.54 =
* Fixed the settings screen relating to the CF7 referer field; the correct field to put in the contact form is '[hidden referer-page default:get]'.

= 1.53 =
* Versions 1.4 - 1.52 were testing versions, not released.
* Some minor typos fixed.
* Added versioning to the settings.css file to ensure proper loading.

= 1.4 =
* Minor code changes; tweaking how CSS is loaded.

= 1.3 =
* Minor change to the HTML inserted as footer (now a paragraph tag instead of a div); allows it to be centered more often.

= 1.2 =
* Initial private release. Not available via the WP plugin area yet.
* Prior versions were for internal testing only.
* Additional features are planned.

== Upgrade Notice ==

= 2.08 (2 Mar 2020) =
* Changed when the .htaccess file is updated; it now happens after theme setup so that the switch_to_locale function is not called before it is available. This also fixes the problem of the 'updated htaccess' admin message appearing at the wrong time (as in on other screens).

= 2.07 (13 Feb 2020) =
* Another instance of the switch_to_locale function check was removed.

= 2.06 (12 Feb 2020) =
* Corrected incorrect version of main file (didn't have the 2.05 fix).

= 2.05 (28 Jan 2020) =
* Removed call to switch_to_locale; it was causing errors on later PHP versions.

= 2.04 =
* Internal version, not released.

= 2.03 (10 Jan 2020) =
* Further tweaks to the .htaccess changing module.
* Updated readme versions to match.

= 2.02 (8 Jan 2020) =
* Fixed invalid .htaccess 'option' parameter.
* Attempted fix of 'htaccess changed' admin message appearing too late.
= 2.01 (3 Jan 2020) =
* Fixed minor typo in Information page about the CF7 shortcodes.
* Added to the FAQ a list of the features of this plugin.

= 2.00 (2 Jan 2020) =
* Initial release of public version.
* Removed code for privately hosted auto-updates.
* Added option to protect against directly accessing wp-comments-post.php via .htaccess directives.
* Shows the current contents of the .htaccess file for your review.
* Ensured all array element names are quoted strings, rather than unquoted. Removes PHP warnings about undefined constants; ensures compatibility with future PHP versions.
* Removed debugging code and unneeded comments.
* Changed variables, CSS styles, and function prefix to "CWPS" to match plugin name.
* Removed FontAwesome CSS loading; replacement icons are included in the plugin.
* Properly enqueued the CSS file per WP standards.
* Some minor CSS fixes.
* Added uninstall process to remove the plugin's options from the wp_options table.
* Added additional information to the settings/information screen.
* Minor code documentation corrections (spelling, mostly).

= All versions below were privately released. Public version / initial release is Version 2.00 =

= 1.54 =
* Fixed the settings screen relating to the CF7 referer field; the correct field to put in the contact form is '[hidden referer-page default:get]'.

= 1.53 =
* Versions 1.4 - 1.52 were testing versions, not released.
* Some minor typos fixed.
* Added versioning to the settings.css file to ensure proper loading.

= 1.4 =
* Minor code changes; tweaking how CSS is loaded.

= 1.3 =
* Minor change to the HTML inserted as footer (now a paragraph tag instead of a div); allows it to be centered more often.

= 1.2 =
* Initial private release. Not available via the WP plugin area yet.
* Prior versions were for internal testing only.
* Additional features are planned.