v2.3.3

Author: JulioPotier

assets/admin/css/secupress-common.css

@@ -1102,9 +1102,6 @@ label.secupress-setting-row-title {
 .fieldtype-radios p {
 	line-height: 2.3em;
 }
-.secupress-setting-row em {
-	padding-left: 5px;
-}
 
 /**
  * === Existing

assets/admin/css/secupress-common.min.css

@@ -358,8 +358,8 @@ li.secupress-current:nth-last-child(1) .secupress-step-name {
 }
 
 .secupress-button#secupress-button-scan-speed{
-    height: 38px;
-    left: -3px;
+    height: 39px;
+    left: -4px;
     padding: 0;
     top: 0px;
 	width: 23px;

assets/admin/css/secupress-scanner.css

@@ -175,12 +175,28 @@ jQuery( document ).ready( function( $ ) {
 		};
 
 		// Check all checkboxes.
+		$( '.secupress-sgh-actions .secupress-toggle-check' ).on( 'click', function( e ) {
+			var $group     = $( '#secupress-tests' ),
+				allChecked = 0 === $group.find( '.secupress-toggle-check' ).filter( ':visible:enabled' ).not( ':checked' ).not( '#secupress-toggle-check-all' ).length;
+			// Toggle global "check all" checkbox.
+			var el = $( '#secupress-toggle-check-all' );
+			if ( el.length )
+				$( '#secupress-toggle-check-all' ).prop( 'checked', allChecked );
+		} );
+
+
 		$( '.secupress-sg-content .secupress-row-check' ).on( 'click', function( e ) {
 			var $group     = $( this ).closest( '.secupress-scans-group' ),
 				allChecked = 0 === $group.find( '.secupress-row-check' ).filter( ':visible:enabled' ).not( ':checked' ).length;
 
 			// Toggle "check all" checkboxes.
 			$group.find( '.secupress-toggle-check' ).prop( 'checked', allChecked );
+			var $group2     = $( '#secupress-tests' ),
+				allChecked2 = 0 === $group2.find( '.secupress-toggle-check' ).filter( ':visible:enabled' ).not( ':checked' ).not( '#secupress-toggle-check-all' ).length;
+			// Toggle global "check all" checkbox.
+			var el = $( '#secupress-toggle-check-all' );
+			if ( el.length )
+				$( '#secupress-toggle-check-all' ).prop( 'checked', allChecked2 );
 		} )
 		// If nothing is checked, change the "Fix all checked issues" button into "Ignore this step".
 		.on( 'change.secupress', function( e ) {
@@ -210,6 +226,14 @@ jQuery( document ).ready( function( $ ) {
 				$buttons.addClass( 'hidden' );
 				$buttons.next().removeClass( 'hidden' );
 			}
+			var $group     = $( '#secupress-tests' ),
+				allChecked = 0 === $group.find( '.secupress-toggle-check' ).filter( ':visible:enabled' ).not( ':checked' ).not( '#secupress-toggle-check-all' ).length;
+			// Toggle global "check all" checkbox.
+			var el = $( '#secupress-toggle-check-all' );
+			if ( el.length )
+				$( '#secupress-toggle-check-all' ).prop( 'checked', allChecked );
+
+
 		} )
 		.first().trigger( 'change.secupress' );
 
@@ -218,30 +242,35 @@ jQuery( document ).ready( function( $ ) {
 				$wrap          = $this.closest( '.secupress-scans-group' ),
 				controlChecked = $this.prop( 'checked' ),
 				toggle         = e.shiftKey || $this.data( 'wp-toggle' );
+				
+			if ( 'secupress-toggle-check-all' === $this.attr('id') ) {
+				$('[id^="secupress-toggle-check-"]:not(#secupress-toggle-check-all)')
+				.trigger('click');
+			} else {
+				$wrap.children( '.secupress-sg-header' ).find( '.secupress-toggle-check' )
+					.prop( 'checked', function() {
+						var $this = $( this );
 
-			$wrap.children( '.secupress-sg-header' ).find( '.secupress-toggle-check' )
-				.prop( 'checked', function() {
-					var $this = $( this );
-
-					if ( $this.is( ':hidden,:disabled' ) ) {
-						return false;
-					}
+						if ( $this.is( ':hidden,:disabled' ) ) {
+							return false;
+						}
 
-					if ( toggle ) {
-						return ! $this.prop( 'checked' );
-					}
+						if ( toggle ) {
+							return ! $this.prop( 'checked' );
+						}
 
-					return controlChecked;
-				} );
+						return controlChecked;
+					} );
 
-			$wrap.children( '.secupress-sg-content' ).find( '.secupress-row-check' )
-				.prop( 'checked', function() {
-					if ( toggle ) {
-						return false;
-					}
+				$wrap.children( '.secupress-sg-content' ).find( '.secupress-row-check' )
+					.prop( 'checked', function() {
+						if ( toggle ) {
+							return false;
+						}
 
-					return controlChecked;
-				} );
+						return controlChecked;
+					} );
+			}
 		} );
 
 	} )(window, document, $);

assets/admin/css/secupress-scanner.min.css

@@ -1,7 +1,7 @@
 <?php
 defined( 'ABSPATH' ) or die( 'Something went wrong.' );
 
-define( 'SECUPRESS_VERSION'                   , '2.3.1' );
+define( 'SECUPRESS_VERSION'                   , '2.3.3' );
 define( 'SECUPRESS_MAJOR_VERSION'             , '2.3' );
 define( 'SECUPRESS_UPDATE_API_KEY'            , 'aHR0cHM6Ly9zZWN1cHJlc3MubWUv' );
 define( 'SECUPRESS_PATH'                      , realpath( dirname( SECUPRESS_FILE ) ) . DIRECTORY_SEPARATOR );

assets/admin/js/secupress-scanner.js

@@ -117,7 +117,26 @@
 </div>
 
 <div id="secupress-tests" class="secupress-tests">
+	<?php if ( secupress_is_pro() ) { ?>
+	<div class="secupress-scans-group secupress-group-all">
+		<div class="secupress-sg-header secupress-flex secupress-flex-spaced">
+
+			<div class="secupress-sgh-name">
+				<i class="secupress-icon-gear" aria-hidden="true"></i>
+				<p class="secupress-sgh-title">&nbsp;</p>
+			</div>
+
+			<div class="secupress-sgh-actions secupress-flex">
+				<label class="text hide-if-no-js" for="secupress-toggle-check-all">
+					<span class="label-before-text"><?php _e( 'Toggle check all', 'secupress' ); ?></span>
+					<input type="checkbox" id="secupress-toggle-check-all" class="secupress-checkbox secupress-toggle-check" checked="checked"/>
+					<span class="label-text"></span>
+				</label>
+			</div>
+		</div>
+	</div>
 	<?php
+	}
 	$modules = secupress_get_modules();
 
 	foreach ( $secupress_tests as $module_name => $class_name_parts ) {

assets/admin/js/secupress-scanner.min.js

@@ -285,7 +285,7 @@
 									</span>
 									<span class="text"><?php _e( 'I did the job, continue', 'secupress' ); ?></span>
 								</a>
-							<?php } elseif ( ! $needs_pro ) { ?>
+							<?php } elseif ( $needs_pro ) { ?>
 								<a href="<?php echo esc_url( secupress_admin_url( 'get-pro' ) ); ?>" class="secupress-button secupress-button-tertiary secupress-button-getpro shadow" target="_blank" title="<?php esc_attr_e( 'Open in a new window.', 'secupress' ); ?>">
 									<span class="icon">
 										<i class="secupress-icon-secupress-simple bold" aria-hidden="true"></i>

defines.php

@@ -4,9 +4,8 @@
  *
  * @package WP-Background-Processing
  */
-if ( class_exists( 'WP_Async_Request' ) ) {
-	return;
-}
+if ( ! class_exists( 'WP_Async_Request' ) ) :
+
 /**
  * Abstract WP_Async_Request class.
  *
@@ -202,3 +201,5 @@ protected function maybe_wp_die( $return = null ) {
 	 */
 	abstract protected function handle();
 }
+
+endif;

free/admin/scanner-step-2.php

@@ -4,9 +4,8 @@
  *
  * @package WP-Background-Processing
  */
-if ( class_exists( 'WP_Background_Process' ) ) {
-	return;
-}
+if ( ! class_exists( 'WP_Background_Process' ) ) :
+
 /**
  * Abstract WP_Background_Process class.
  *
@@ -998,3 +997,5 @@ private function get_chain_id_arg_name() {
 		return $chain_id_arg_name;
 	}
 }
+
+endif;

free/admin/scanner-step-3.php

@@ -75,7 +75,7 @@ public static function get_messages( $message_id = null ) {
 			103 => _n_noop( 'Sorry, the following theme could not be deleted: %s.', 'Sorry, the following themes could not be deleted: %s.', 'secupress' ),
 			/** Translators: %s is the theme name. */
 			104 => sprintf( __( 'You have a big network, %s must work on some data before being able to perform this scan.', 'secupress' ), '<strong>' . SECUPRESS_PLUGIN_NAME . '</strong>' ),
-			110 => __( 'Your installation may contain old or closed plugins. The PRO version will be more accurate.', 'secupress' ),
+			110 => sprintf( __( 'Your installation may contain old or closed plugins. The %sPRO version%s will be more accurate.', 'secupress' ), '<a href="' . secupress_admin_url( 'get-pro' ) . '">', '</a>' ),
 			// "bad"
 			/** Translators: 1 is a number, 2 is a theme name (or a list of theme names). */
 			200 => _n_noop( '<strong>%1$d theme</strong> is no longer in the WordPress repository: %2$s.', '<strong>%1$d themes</strong> are no longer in the WordPress repository: %2$s.', 'secupress' ),

free/classes/admin/class-secupress-admin-wp-async-request.php

@@ -86,7 +86,7 @@ public static function get_messages( $message_id = null ) {
 			104 => __( 'No plugins selected for deactivation.', 'secupress' ),
 			105 => _n_noop( 'Selected plugin has been deactivated (but some are still there).', 'All selected plugins have been deactivated (but some are still there).', 'secupress' ),
 			106 => _n_noop( 'Sorry, the following plugin could not be deactivated: %s.', 'Sorry, the following plugins could not be deactivated: %s.', 'secupress' ),
-			107 => __( 'Your installation may contain vulnerable plugins. The PRO version will be more accurate.', 'secupress' ),
+			107 => sprintf( __( 'Your installation may contain vulnerable plugins. The %sPRO version%s will be more accurate.', 'secupress' ), '<a href="' . secupress_admin_url( 'get-pro' ) . '">', '</a>' ),
 			// "bad"
 			/** Translators: 1 is a number, 2 is a plugin name (or a list of plugin names). */
 			200 => _n_noop( '<strong>%1$d plugin</strong> is known to be vulnerable: %2$s.', '<strong>%1$d plugins</strong> are known to be vulnerable: %2$s.', 'secupress' ),

free/classes/admin/class-secupress-admin-wp-background-process.php

@@ -103,8 +103,13 @@ public function scan() {
 
 		$messages = secupress_login_errors_disclose_get_messages( false );
 		$messages = '	' . implode( "<br />\n	", $messages ) . "<br />\n";
+		$wp_error = new WP_Error();
+		$wp_error->add( 'invalid_username', $messages );
 		/** This filter is documented in wp-login.php */
-		$messages = apply_filters( 'login_errors', $messages );
+		$messages = reset( apply_filters( 'login_errors', $wp_error ) );
+		while ( ! is_string( $messages ) ) {
+			$messages = reset( $messages );
+		}
 
 		$pattern = secupress_login_errors_disclose_get_messages();
 		$pattern = '@\s(' . implode( '|', $pattern ) . ')<br />\n@';

free/classes/scanners/class-secupress-scan-bad-old-themes.php

@@ -1 +1 @@
-AND\%201\=,information\_schema,UNION\%20SELECT,UNION\%20ALL\%20SELECT,ev\'\.\/\*\*\/\'al(,wp\-config\.php,\%\%30\%30,GLOBALS\[,\.ini,REQUEST\[,etc\/passwd,base64\_,javascript\:,\.\.\/,127\.0\.0\.1,input_file,temp00,70bex,configbak,dompdf,filenetworks,jahat,kcrew,keywordspy,mobiquo,nessus,racrew,locus7,bitrix,msoffice,child_terminate,concat,allow_url_fopen,allow_url_include,auto_prepend_file,blexbot,browsersploit,c99,disable_function,document_root,elastix,encodeuricom,fclose,fgets,fputs,fread,fsbuff,fsockopen,gethostbyname,grablogin,hmei7,open_basedir,passthru,popen,proc_open,quickbrute,safe_mode,shell_exec,sux0r,xertive,<script,fopen,.php.inc,mosconfig,mkdir,rmdir,chdir,ckfinder,fullclick,fckeditor,timthumb,absolute_dir,absolute_path,root_dir,root_path,basedir,basepath,loopback,\%00,0x00,\%0d\%0a
+AND\%201\=,information\_schema,UNION\%20SELECT,UNION\%20ALL\%20SELECT,ev\'\.\/\*\*\/\'al(,wp\-config\.php,\%\%30\%30,GLOBALS\[,\.ini,REQUEST\[,etc\/passwd,base64\_,javascript\:,\.\.\/,127\.0\.0\.1,input_file,temp00,70bex,configbak,dompdf,filenetworks,jahat,kcrew,keywordspy,mobiquo,nessus,racrew,locus7,bitrix,msoffice,child_terminate,concat,allow_url_fopen,allow_url_include,auto_prepend_file,blexbot,browsersploit,disable_function,document_root,elastix,encodeuricom,fclose,fgets,fputs,fread,fsbuff,fsockopen,gethostbyname,grablogin,hmei7,open_basedir,passthru,popen,proc_open,quickbrute,safe_mode,shell_exec,sux0r,xertive,<script,fopen,.php.inc,mosconfig,mkdir,rmdir,chdir,ckfinder,fullclick,fckeditor,timthumb,absolute_dir,absolute_path,root_dir,root_path,basedir,basepath,loopback,\%00,0x00,\%0d\%0a

free/classes/scanners/class-secupress-scan-bad-vuln-plugins.php

@@ -1279,6 +1279,7 @@ function secupress_feature_is_pro( $feature ) {
 		'bbq-headers_bad-referer-list'              => 1,
 		'bbq-headers_block-ai'                      => 1,
 		'blacklist-logins_user-creation-protection' => 1,
+		'blacklist-logins_bad-email-domains'        => 1,
 		'bbq-url-content_block-functions'           => 1,
 	];
 

free/classes/scanners/class-secupress-scan-login-errors-disclose.php

@@ -7,7 +7,7 @@
 
 $this->add_field( array(
 	'title'             => __( 'Anti-Phishing User Protection', 'secupress' ),
-	'description'       => __( 'Adds a unique digit code to the user‘s profile, which is included in every email from this website, ensuring authenticity and safeguarding against phishing.', 'secupress' ),
+	'description'       => __( 'Adds a digit code to the user‘s profile, which is included in every email from this website, ensuring authenticity and safeguarding against phishing.', 'secupress' ),
 	'label'             => __( 'Yes, users can set a anti-phishing code in their profile', 'secupress' ),
 	'name'              => $this->get_field_name( 'activated' ),
 	'type'              => 'checkbox',

free/data/bad_url_contents.data

@@ -12,6 +12,7 @@
 add_filter( 'authenticate', 'secupress_replace_login_errors_disclose', 21 );
 add_filter( 'registration_errors', 'secupress_replace_login_errors_disclose', 1 );
 add_filter( 'user_profile_update_errors', 'secupress_replace_login_errors_disclose', 1 );
+add_filter( 'login_errors', 'secupress_replace_login_errors_disclose', 1 );
 /**
  * Replace all login errors with a more generic message.
  *

free/functions/common.php

@@ -21,7 +21,7 @@ function secupress_blackhole_activate_write_robotstxt() {
 	$filesystem = secupress_get_filesystem();
 	$filename   = ABSPATH . 'robots.txt';
 
-	if ( ! file_exists( $filename ) ) { // We do not create it, the hook it enough
+	if ( ! file_exists( $filename ) ) { // We do not create it, the hook is enough
 		return;
 	}
 	$contents   = $filesystem->get_contents( $filename );
@@ -45,11 +45,10 @@ function secupress_blackhole_deactivate_write_robotstxt() {
 		return;
 	}
 	$contents   = $filesystem->get_contents( $filename );
-	$contents   = secupress_blackhole_robotstxt_content( $contents, true );
 	$dirname    = secupress_get_hashed_folder_name( basename( __FILE__, '.php' ) );
 
 	if ( false !== strpos( $contents, "User-agent: *\nDisallow: $dirname\n" ) ) {
-		$contents  = str_replace( "User-agent: *\nDisallow: $dirname\n", "User-agent: *\n", $output );
+		$contents  = str_replace( "User-agent: *\nDisallow: $dirname\n", "User-agent: *\n", $contents );
 		$filesystem->put_contents( $filename, $contents );
 	}
 }

free/modules/antispam/settings/antiphishing.php

@@ -175,6 +175,7 @@ function secupress_logins_blacklist_settings_callback( $modulenow, $settings, $a
 	// (De)Activation.
 	if ( false !== $activate ) {
 		$settings['blacklist-logins_admin']  = (int) ! empty( $settings['blacklist-logins_admin'] );
+		$settings['blacklist-logins_lexicomatisation']  = (int) ! empty( $settings['blacklist-logins_lexicomatisation'] );
 		secupress_manage_submodule( $modulenow, 'blacklist-logins', ! empty( $activate['blacklist-logins_activated'] ) );
 	}
 	return $settings;

free/modules/discloses/plugins/login-errors-disclose.php

@@ -524,13 +524,16 @@ function secupress_usernames_security_name_filter( $name ) {
 	global $secupress_new_login;
 	static $_name;
 
+	if ( ! secupress_get_module_option( 'blacklist-logins_lexicomatisation', 0, 'users-login' ) ) {
+		return $name;
+	}
 	$user_test = get_user_by( 'login', $name );
 	if ( $secupress_new_login || is_a( $user_test, 'WP_User' ) ) {
 		if ( ! $_name ) {
 			$_name = secupress_usernames_lexicomatisation();
 		}
 		$name = $_name;
-		if ( 'pre_user_nicename' == current_filter() && $secupress_new_login ) {
+		if ( 'pre_user_nicename' === current_filter() && $secupress_new_login ) {
 			$name = sanitize_key( $name );
 		}
 	}

free/modules/sensitive-data/plugins/blackhole.php

@@ -80,6 +80,7 @@
 	'label_for'         => $this->get_field_name( 'bad-email-domains' ),
 	'description'       => __( 'Domain that does not exist, does not really send emails (MX Record), known to be a temporary/trash service or email addresses used by hackers will be blocked.', 'secupress' ),
 	'plugin_activation' => true,
+	'disabled'          => ! secupress_is_pro(),
 	'type'              => 'checkbox',
 	'value'             => (int) secupress_is_submodule_active( 'users-login', 'bad-email-domains' ),
 	'label'             => __( 'Yes, prevent users to be created with a bad email domain', 'secupress' ),
@@ -123,6 +124,19 @@
 						]
 ) );
 
+$this->add_field( array(
+	'title'             => sprintf( __( 'Rename the users nickname', 'secupress' ), 'admin' ),
+	'description'       => __( 'Any new user or updated user who has their nickname as the same as their login will be renamed', 'secupress' ),
+	'label_for'         => $this->get_field_name( 'lexicomatisation' ),
+	'type'              => 'checkbox',
+	'depends'           => $this->get_field_name( 'activated' ),
+	'default'           => false,
+	'label'             => sprintf( __( 'Yes, prevent user‘s login to be the same as their display name', 'secupress' ), secupress_tag_me( 'admin', 'strong' ) ),
+	'helpers'           => [
+							[ 'type' => 'description',  'description' => sprintf( __( 'New nickname will look like this: "%s"', 'secupress' ), secupress_tag_me( secupress_usernames_lexicomatisation(), 'em' ) ), ],
+						]
+) );
+
 $woomobileurl = __( 'https://woocommerce.com/mobile/', 'secupress' );
 $this->add_field( array(
 	'title'             => __( 'Forbid User Enumeration', 'secupress' ),