Merge pull request #28 from erikyo/dev

0.4.3

.wp-env.json

@@ -2,9 +2,9 @@
   "phpVersion": "7.4",
   "core": "WordPress/WordPress",
   "plugins": [
+	".",
 	"https://downloads.wordpress.org/plugin/contact-form-7.zip",
-	"https://downloads.wordpress.org/plugin/flamingo.zip",
-	"."
+	"https://downloads.wordpress.org/plugin/flamingo.zip"
   ],
   "config": {
 	"WP_DEBUG": true,

admin/admin-customizations.php

@@ -398,7 +398,7 @@ public function cf7a_options_init() {
 			'cf7a_honeypot'
 		);
 
-		/* DNS Blacklist server list */
+		/* honeypot input name */
 		add_settings_field(
 			'honeypot_input_names',
 			__( 'Name for the honeypots inputs[*]', 'cf7-antispam' ),
@@ -433,6 +433,32 @@ public function cf7a_options_init() {
 			'cf7a_honeyform'
 		);
 
+		/* Identity Protection */
+		add_settings_section(
+			'cf7a_identity_protection',
+			__( 'Identity Protection', 'cf7-antispam' ),
+			array( $this, 'cf7a_print_identity_protection' ),
+			'cf7a-settings'
+		);
+
+		/* Enable identity_protection */
+		add_settings_field(
+			'identity_protection_user',
+			__( 'Enforce user protection', 'cf7-antispam' ),
+			array( $this, 'cf7a_identity_protection_user_callback' ),
+			'cf7a-settings',
+			'cf7a_identity_protection'
+		);
+
+		/* identity_protection position */
+		add_settings_field(
+			'identity_protection_wp',
+			__( 'Enforce Wordpress protection', 'cf7-antispam' ),
+			array( $this, 'cf7a_identity_protection_wp_callback' ),
+			'cf7a-settings',
+			'cf7a_identity_protection'
+		);
+
 		/* Section b8 */
 		add_settings_section(
 			'cf7a_b8',
@@ -763,6 +789,11 @@ public function cf7a_print_honeyform() {
 		printf( '<p>%s</p>', esc_html__( "I'm actually going to propose the honey-form for the first time! Instead of serving the bot a form with trap fields we directly serve it a form that is entirely a trap", 'cf7-antispam' ) );
 	}
 
+	/** It prints the user protection info text */
+	public function cf7a_print_identity_protection() {
+		printf( '<p>%s</p>', esc_html__( "After monitoring and analysing some bots, I noticed that it is necessary to block the way bots collect (user) data from the website, otherwise protecting the form may have no effect. This also blocks some registrations, spam comments and other attacks", 'cf7-antispam' ) );
+	}
+
 	/** It prints the b8 info text */
 	public function cf7a_print_b8() {
 		printf( '<p>%s</p>', esc_html__( 'Tells you whether a text is spam or not, using statistical text analysis of the text message', 'cf7-antispam' ) );
@@ -934,7 +965,7 @@ public function cf7a_sanitize_options( $input ) {
 
 		/* auto-unban delay */
 		$schedule = wp_get_schedules();
-		if ( ! empty( $input['unban_after'] ) && in_array( $input['unban_after'], array_keys( $schedule ) ) ) {
+		if ( ! empty( $input['unban_after'] ) && in_array( $input['unban_after'], array_keys( $schedule ), true ) ) {
 			if ( $this->options['unban_after'] !== $input['unban_after'] ) {
 				$new_input['unban_after'] = $input['unban_after'];
 				/* delete previous scheduled events */
@@ -1006,6 +1037,10 @@ public function cf7a_sanitize_options( $input ) {
 		$new_input['check_honeyform']    = isset( $input['check_honeyform'] ) ? 1 : 0;
 		$new_input['honeyform_position'] = ! empty( $input['honeyform_position'] ) ? sanitize_title( $input['honeyform_position'] ) : 'wp_body_open';
 
+		/* honeyform */
+		$new_input['identity_protection_user'] = isset( $input['identity_protection_user'] ) ? 1 : 0;
+		$new_input['identity_protection_wp'] = isset( $input['identity_protection_wp'] ) ? 1 : 0;
+
 		/* b8 */
 		$new_input['enable_b8']    = isset( $input['enable_b8'] ) ? 1 : 0;
 		$threshold                 = floatval( $input['b8_threshold'] );
@@ -1190,7 +1225,7 @@ public function cf7a_geoip_key_callback() {
 			'<input type="text" id="geoip_dbkey" name="cf7a_options[geoip_dbkey]" %s %s/>',
 			empty( $this->options['geoip_dbkey'] ) ? '' : 'value="' . esc_attr( $this->options['geoip_dbkey'] ) . '"',
 			// phpcs:ignore WordPress.Security.EscapeOutput
-			empty( CF7ANTISPAM_GEOIP_KEY ) ? '' : 'disabled placeholder="KEY provided"'
+			empty( CF7ANTISPAM_GEOIP_KEY ) ? '' : 'disabled placeholder="' . esc_html__( 'KEY provided' ) . '"'
 		);
 	}
 
@@ -1362,6 +1397,22 @@ public function cf7a_honeyform_position_callback() {
 		);
 	}
 
+	/** It creates a checkbox with the id of "cf7a_identity_protection_user_callback" */
+	public function cf7a_identity_protection_user_callback() {
+		printf(
+			'<input type="checkbox" id="identity_protection_user" name="cf7a_options[identity_protection_user]" %s />',
+			! empty( $this->options['identity_protection_user'] ) ? 'checked="true"' : ''
+		);
+	}
+
+	/** It creates a checkbox with the id of "cf7a_identity_protection_user_callback" */
+	public function cf7a_identity_protection_wp_callback() {
+		printf(
+			'<input type="checkbox" id="identity_protection_wp" name="cf7a_options[identity_protection_wp]" %s />',
+			! empty( $this->options['identity_protection_wp'] ) ? 'checked="true"' : ''
+		);
+	}
+
 	/** It creates a checkbox with the id of "cf7a_enable_b8_callback" */
 	public function cf7a_enable_b8_callback() {
 		printf(

cf7-antispam.php

@@ -5,7 +5,7 @@
  * Author: Codekraft
  * Text Domain: cf7-antispam
  * Domain Path: /languages/
- * Version: 0.4.2
+ * Version: 0.4.3
  *
  * @package cf7-antispam
  */
@@ -18,7 +18,7 @@
 /* CONSTANTS */
 define( 'CF7ANTISPAM_NAME', 'cf7-antispam' );
 
-define( 'CF7ANTISPAM_VERSION', '0.4.2' );
+define( 'CF7ANTISPAM_VERSION', '0.4.3' );
 
 define( 'CF7ANTISPAM_PLUGIN', __FILE__ );
 

includes/cf7a-activator.php

@@ -55,6 +55,8 @@ public static function init_vars() {
 			'check_refer'                  => true,
 			'check_honeypot'               => true,
 			'check_honeyform'              => false,
+			'identity_protection_user'     => false,
+			'identity_protection_wp'       => false,
 			'enable_geoip_download'        => false,
 			'geoip_dbkey'                  => false,
 			'check_language'               => false,

includes/cf7a-core.php

@@ -305,6 +305,18 @@ private function load_frontend() {
 				$this->loader->add_filter( 'the_content', $plugin_frontend, 'cf7a_honeyform', 99 );
 			}
 
+			/* Checking if the user has selected the option to protect the user's identity. If they have, it will call the function
+			to protect the user's identity. */
+			if ( isset( $this->options['identity_protection_user'] ) && intval( $this->options['identity_protection_user'] ) === 1 ) {
+				$plugin_frontend->cf7a_protect_user();
+			}
+
+			/* It removes the WordPress version from the header, removes the REST API link from the header,
+			removes headers that disposes information */
+			if ( isset( $this->options['identity_protection_wp'] ) && intval( $this->options['identity_protection_wp'] ) === 1 ) {
+				$this->loader->add_filter( 'wp_headers', $plugin_frontend, 'cf7a_protect_wp', 999 );
+			}
+
 			/* It adds a CSS style to the page that hides the honeypot field */
 			if (
 				( isset( $this->options['check_honeypot'] ) && 1 === intval( $this->options['check_honeypot'] ) ) || ( isset( $this->options['check_honeyform'] ) && 1 === intval( $this->options['check_honeyform'] ) )

includes/cf7a-frontend.php

@@ -57,7 +57,8 @@ public function cf7a_honeypot_add( $form_elements ) {
 		try {
 			$html = new DOMDocument( '1.0', 'UTF-8' );
 			libxml_use_internal_errors( true );
-			$html->loadHTML( $form_elements, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD );
+			// mb_convert_encoding is needed for non-latin font sets / LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD avoids auto-fixes for corrupted html code
+			$html->loadHTML( mb_convert_encoding( $form_elements, 'HTML-ENTITIES', 'UTF-8' ), LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD );
 			$xpath  = new DOMXpath( $html );
 			$inputs = $xpath->query( '//input' );
 
@@ -73,6 +74,16 @@ public function cf7a_honeypot_add( $form_elements ) {
 		$options     = get_option( 'cf7a_options', array() );
 		$input_names = get_honeypot_input_names( $options['honeypot_input_names'] );
 		$input_class = sanitize_html_class( $this->options['cf7a_customizations_class'] );
+		/**
+		 * Controls the maximum number of honeypots.
+		 *
+		 * @example add_filter( 'cf7a_additional_max_honeypots', function() {return 42});
+		 *
+		 * @returns int $max_replacements - replacement count number
+		 *
+		 * @since 0.4.3
+		 */
+		$max_replacements = intval( apply_filters( 'cf7a_additional_max_honeypots', 5 ) );
 
 		/* get the inputs data */
 		if ( $inputs && $inputs->length > 0 ) {
@@ -101,7 +112,7 @@ public function cf7a_honeypot_add( $form_elements ) {
 					/* duplicate the inputs into honeypots */
 					$parent->insertBefore( $clone, $sibling );
 
-					if ( $i > 0 ) {
+					if ( $i > $max_replacements ) {
 						return $html->saveHTML();
 					}
 				}
@@ -324,6 +335,65 @@ public function cf7a_append_on_submit( $fields ) {
 		);
 	}
 
+	/**
+	 * It disables the XML-RPC protocol and the REST API endpoints for users
+	 *
+	 */
+	public function cf7a_protect_user() {
+		/* disables the XML-RPC */
+		add_filter( 'xmlrpc_enabled', '__return_false' );
+
+		/**
+		 * Remove Rest user endpoints
+		 * @return array $endpoints the value of the variable $endpoints.
+		 */
+		if (!is_user_logged_in()) add_filter('rest_endpoints', function($endpoints) {
+			if ( isset( $endpoints['/wp/v2/users'] ) ) {
+				unset( $endpoints['/wp/v2/users'] );
+			}
+			if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
+				unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
+			}
+			return $endpoints;
+		});
+	}
+
+	/**
+	 * It removes the WordPress version from the header, removes the REST API link from the header, removes the X-Pingback
+	 * header, removes the X-Powered-By header, and adds a random server header
+	 *
+	 * @param array $headers The headers array that is passed to the function.
+	 *
+	 * @return array The headers are being returned.
+	 */
+	public function cf7a_protect_wp($headers) {
+
+		/* removes version number (WordPress/WooCommerce) */
+		remove_action( 'wp_head', 'wp_generator' );
+		remove_action('wp_head', 'woo_version');
+
+		remove_action( 'wp_head', 'rest_output_link_wp_head');
+		remove_action( 'template_redirect', 'rest_output_link_header', 20);
+
+		unset( $headers['X-Pingback'] );
+		unset( $headers['X-Powered-By'] );
+
+		if ( empty( $headers['X-Frame-Options'] )) {
+			$headers['X-Frame-Options'] = 'SAMEORIGIN';
+		}
+		if ( empty( $headers['X-Content-Type-Options'] )) {
+			$headers['X-Content-Type-Options'] = 'nosniff';
+		}
+		if ( empty( $headers['X-XSS-Protection'] )) {
+			$headers['X-XSS-Protection'] = '1; mode=block';
+		}
+		if ( empty( $headers['Strict-Transport-Security'] )) {
+			$headers['Strict-Transport-Security'] = 'max-age=31536000';
+		}
+
+		return $headers;
+	}
+
 	/**
 	 * Register the JavaScript for the admin area.
 	 *

package.json

@@ -2,7 +2,7 @@
   "name": "cf7-antispam",
   "author": "Erik Golinelli",
   "license": "GPL-2.0-only",
-  "version": "0.4.2",
+  "version": "0.4.3",
   "description": "AntiSpam for Contact Form 7",
   "files": [
     "admin/*",