Codeko · phinojosa-codeko · Jun 4, 2025 · Jun 4, 2025 · Jun 4, 2025 · Jun 4, 2025
diff --git a/index.php b/index.php
@@ -2,7 +2,7 @@
 /**
  * Plugin Name: POLA-CDK - WP Security
  * Description: Improves security of WordPress
- * Version: 1.0.2
+ * Version: 1.1.0
  * Author: Pola Network
  * Author URI: https://github.com/Codeko/wp-security
  */
@@ -11,11 +11,56 @@
     exit;
 }
 
-add_action( 'init', 'wp_security_github_plugin_updater' );
+const WPSP_HTACCESS_MARKER = "WpSecurityPlugin";
+const WPSP_HTACCESS_BLOCKS = array(
+    "<ifModule mod_headers.c>\nHeader set X-Frame-Options SAMEORIGIN\n</ifModule>",
+    "RewriteEngine On\nRewriteCond %{REQUEST_URI} ^/wp-cron.php\nRewriteRule ^(.*)$ - [L,R=404]",
+    "RewriteEngine On\nRewriteCond %{REQUEST_URI} ^/.git\nRewriteRule ^(.*)$ - [L,R=404]",
+    "RewriteEngine On\nRewriteCond %{REQUEST_URI} ^/readme.html\nRewriteRule ^(.*)$ - [L,R=404]",
+    "RewriteEngine On\nRewriteCond %{REQUEST_URI} ^/xmlrpc.php\nRewriteRule ^(.*)$ - [L,R=404]",
+);
 
-function wp_security_github_plugin_updater() {
+
+function wp_security_plugin_activation()
+{
+    if (!is_admin()) {
+        return;
+    }
+    wp_security_execute_on_plugin_update();
+}
+register_activation_hook(__FILE__, 'wp_security_plugin_activation');
+
+function wp_security_plugin_loaded()
+{
+    if (is_admin()) {
+        $previous_version = get_option('wp-security-plugin-version', 0);
+        if ($previous_version != wp_security_get_plugin_version()) {
+            wp_security_execute_on_plugin_update();
+        }
+    }
+    wp_security_secure_cookie();
+    wp_security_remove_feed_after_load();
+}
+add_action('plugins_loaded', 'wp_security_plugin_loaded');
+
+function wp_security_plugin_deactivate()
+{
+    wp_security_add_htaccess_rules(["# WP Security plugin is deactivated", "# this block can be safely removed"]);
+}
+
+add_action("deactivate_plugin", "wp_security_plugin_deactivate", 10, 1);
+
+
+function wp_security_execute_on_plugin_update()
+{
+    update_option('wp-security-plugin-version', wp_security_get_plugin_version());
+    wp_security_add_htaccess_rules();
+}
+
+function wp_security_github_plugin_updater()
+{
     include_once('updater.php');
-    define( 'WP_GITHUB_FORCE_UPDATE', true );
+    define('WP_GITHUB_FORCE_UPDATE', true);
 
     if (is_admin()) { // note the use of is_admin() to double check that this is happening in the admin
         $config = array(
@@ -33,21 +78,55 @@ function wp_security_github_plugin_updater() {
         new WP_GitHub_Updater($config);
     }
 }
+add_action('init', 'wp_security_github_plugin_updater');
+
 
-function wp_security_custom_author_url(){
+function wp_security_custom_author_url()
+{
     return home_url('/');
 }
 add_filter('author_link', 'wp_security_custom_author_url');
 
-function wp_security_disable_feed(){
+function wp_security_secure_cookie()
+{
+    @ini_set('session.cookie_httponly', true);
+    @ini_set('session.cookie_secure', true);
+    @ini_set('session.use_only_cookies', true);
+    @ini_set('session.use_strict_mode', 1);
+}
+
+function wp_security_login_error_message( $message ) {
+    if ( strpos( $message, "ERROR:" ) !== false ) {
+        $message = "Incorrect username or password.";
+    }
+    return $message;
+}
+add_filter( 'login_errors', 'wp_security_login_error_message' );
+
+function wp_security_hide_users_list( $errors ) {
+
+    $path = ltrim( $GLOBALS['wp']->query_vars['rest_route'], '/' );
+
+    if ( strpos( $path, 'wp/v2/users' ) !== false ) {
+    return new WP_Error( 'rest_no_route', "No route was found matching the URL and request method.", array( 'status' => 404 ) );
+    }
+
+    return $errors;
+}
+add_filter( 'rest_authentication_errors','wp_security_hide_users_list');
+
+
+function wp_security_disable_feed()
+{
     global $wp_query;
     $wp_query->set_404();
     status_header(404);
     nocache_headers();
     exit;
 }
 
-function wp_security_remove_feed_after_load(){
+function wp_security_remove_feed_after_load()
+{
     add_action('do_feed', 'wp_security_disable_feed', 1);
     add_action('do_feed_rdf', 'wp_security_disable_feed', 1);
     add_action('do_feed_rss', 'wp_security_disable_feed', 1);
@@ -59,45 +138,86 @@ function wp_security_remove_feed_after_load(){
     remove_action('wp_head', 'feed_links', 2);
 }
 
-add_action('plugins_loaded', 'wp_security_remove_feed_after_load');
-
-add_filter( 'xmlrpc_methods', 'wp_security_sar_block_xmlrpc_attacks' );
-
 /**
  * Unset XML-RPC Methods.
  *
  * @param array $methods Array of current XML-RPC methods.
  */
-function wp_security_sar_block_xmlrpc_attacks( $methods ) {
-	unset( $methods['pingback.ping'] );
-	unset( $methods['pingback.extensions.getPingbacks'] );
-	return $methods;
+function wp_security_sar_block_xmlrpc_attacks($methods)
+{
+    unset($methods['pingback.ping']);
+    unset($methods['pingback.extensions.getPingbacks']);
+    return $methods;
 }
+add_filter('xmlrpc_methods', 'wp_security_sar_block_xmlrpc_attacks');
+
+/**
+ * Add rules to HTACCESS file
+ */
+function wp_security_add_htaccess_rules($rules = null)
+{
+    if (!$rules) {
+        $rules = WPSP_HTACCESS_BLOCKS;
+    }
+    $htaccess_path = ABSPATH . '.htaccess';
+    if (file_exists($htaccess_path)) {
+        insert_with_markers($htaccess_path, WPSP_HTACCESS_MARKER, $rules);
+    }
+}
+
+function wp_security_get_plugin_version()
+{
+    $plugin_data = get_plugin_data(__FILE__);
+    return $plugin_data['Version'];
+}
+
+function  wp_security_admin_notice() {
+    file_get_contents(site_url());
+    $server_header = "";
+    foreach ($http_response_header as $key => $value) {
+        if (substr(strtolower($value), 0, 7) == "server:") {
+            $server_header = $value;
+        }
+    }
+    if (strlen($server_header) > 14) {
+        ?>
+        <div class="notice notice-info is-dismissible">
+            <p><b>POLA-CDK - WP Security information:</b></p>
+            <p><?php _e('The "Server" HTTP header is'); ?>
+            <strong><?php echo $server_header; ?></strong>.
+            <?php _e('It may be providing version information. This can be useful for brute-force attacks. You may want to review it.'); ?></p>
+        </div>
+        <?php
+    }
+}
+add_action('admin_notices', 'wp_security_admin_notice');
 
 /**
  * Check WP version.
  */
-if ( version_compare( get_bloginfo( 'version' ), '4.4', '>=' ) ) {
-
-	add_action( 'wp', 'wp_security_sar_remove_x_pingback_header_44', 9999 );
-
-	/**
-	 * Remove X-Pingback from Header for WP 4.4+.
-	 */
-	function wp_security_sar_remove_x_pingback_header_44() {
-		header_remove( 'X-Pingback' );
-	}
-} elseif ( version_compare( get_bloginfo( 'version' ), '4.4', '<' ) ) {
-
-	add_filter( 'wp_headers', 'wp_security_sar_remove_x_pingback_header' );
-
-	/**
-	 * Remove X-Pingback from Header for older WP versions.
-	 *
-	 * @param array $headers Array with current headers.
-	 */
-	function wp_security_sar_remove_x_pingback_header( $headers ) {
-		unset( $headers['X-Pingback'] );
-		return $headers;
-	}
+if (version_compare(get_bloginfo('version'), '4.4', '>=')) {
+
+    add_action('wp', 'wp_security_sar_remove_x_pingback_header_44', 9999);
+
+    /**
+     * Remove X-Pingback from Header for WP 4.4+.
+     */
+    function wp_security_sar_remove_x_pingback_header_44()
+    {
+        header_remove('X-Pingback');
+    }
+} elseif (version_compare(get_bloginfo('version'), '4.4', '<')) {
+
+    add_filter('wp_headers', 'wp_security_sar_remove_x_pingback_header');
+
+    /**
+     * Remove X-Pingback from Header for older WP versions.
+     *
+     * @param array $headers Array with current headers.
+     */
+    function wp_security_sar_remove_x_pingback_header($headers)
+    {
+        unset($headers['X-Pingback']);
+        return $headers;
+    }
 }