=== One Patch Security ===
Contributors: Mike Kelley, One Patch Security
Tags: security, wordpress security, lightweight, configurable, lightweight security
Requires at least: 5.6
Tested up to: 6.8
Stable tag: 1.0.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html
Lightweight, configurable plugin that patches WordPress core vulnerabilities and lets you toggle essential security features.
== Description ==
**One Patch Security** is a WordPress plugin designed to enhance the security of your WordPress site by patching some of the application-layer vulnerabilities that come out-of-the-box with WordPress. Each feature can be toggled on or off via the settings page, allowing you to customize the plugin to your needs. If you're not sure what settings you need, we offer a free CLI testing tool, available on [GitHub](https://github.com/mygithub), that will help you.
This plugin is **lightweight** and **easy to configure**, making it perfect for WordPress users who want to secure their site without adding unnecessary bloat. It focuses on patching security holes in the WordPress core itself, ensuring your site is protected against common vulnerabilities.
== Features ==
= Version 1.0.0 =
- **Remove WordPress Version Meta**: Hides the WordPress version from metadata to prevent information disclosure.
- **Prevent User Enumeration**:
- Blocks user enumeration via the `author` query parameter.
- Redirects author archive pages to the homepage.
- **Restrict REST API Access**:
- Blocks non-logged-in users from accessing the REST API.
- Disables specific REST endpoints (e.g., `/wp/v2/users`, `/wp/v2/plugins`).
- **Custom Login Error Message**: Replaces default login error messages with a generic message to prevent username enumeration.
- **Disable XML-RPC**:
- Disables XML-RPC functionality to prevent remote access.
- Removes the `pingback.ping` method from the XML-RPC API.
- **Force Secure Cookies**: Ensures cookies are only sent over HTTPS when the site is accessed via SSL.
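The following is an added illustration of how the six 1.0.0 features above map onto WordPress core hooks; it is not the plugin's own source code. It assumes a settings array stored under the hypothetical option name `ops_settings`, with one boolean key per feature (the option name and key names are assumptions, as is the `ops_` prefix).

```php
<?php
/**
 * Plugin Name: One Patch Security (illustrative hardening example)
 * Added example, not the plugin's own code. Settings are assumed to live in the
 * hypothetical option 'ops_settings' with boolean keys named after each feature.
 */

defined( 'ABSPATH' ) || exit;

/** Read one feature toggle; every feature defaults to off (assumption). */
function ops_enabled( $feature ) {
	$settings = get_option( 'ops_settings', array() );
	return ! empty( $settings[ $feature ] );
}

add_action( 'init', 'ops_apply_hardening' );

function ops_apply_hardening() {
	// 1. Remove WordPress version meta: drop the generator tag from wp_head and
	//    blank the value for feeds and anything else that calls the_generator().
	if ( ops_enabled( 'remove_version_meta' ) ) {
		remove_action( 'wp_head', 'wp_generator' );
		add_filter( 'the_generator', '__return_empty_string' );
	}

	// 2. Prevent user enumeration: ?author=N on the front end and author archives
	//    are both redirected to the homepage instead of resolving to a username.
	if ( ops_enabled( 'prevent_user_enumeration' ) ) {
		if ( ! is_admin() && isset( $_REQUEST['author'] ) && preg_match( '/^\d+$/', (string) $_REQUEST['author'] ) ) {
			wp_safe_redirect( home_url( '/' ), 301 );
			exit;
		}
		add_action( 'template_redirect', function () {
			if ( is_author() ) {
				wp_safe_redirect( home_url( '/' ), 301 );
				exit;
			}
		} );
	}

	// 3. Restrict REST API access: unauthenticated requests get a 401, and the
	//    users and plugins routes are removed entirely (prefix match, so the
	//    single-item routes with their regex suffixes are covered too).
	if ( ops_enabled( 'restrict_rest_api' ) ) {
		add_filter( 'rest_authentication_errors', function ( $result ) {
			if ( ! empty( $result ) ) {
				return $result; // an earlier authentication check already decided
			}
			if ( ! is_user_logged_in() ) {
				return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
			}
			return $result;
		} );
		add_filter( 'rest_endpoints', function ( $endpoints ) {
			foreach ( array_keys( $endpoints ) as $route ) {
				if ( 0 === strpos( $route, '/wp/v2/users' ) || 0 === strpos( $route, '/wp/v2/plugins' ) ) {
					unset( $endpoints[ $route ] );
				}
			}
			return $endpoints;
		} );
	}

	// 4. Custom login error message: one generic string regardless of whether
	//    the username or the password was wrong.
	if ( ops_enabled( 'custom_login_error' ) ) {
		add_filter( 'login_errors', function () {
			return 'Invalid username or password.';
		} );
	}

	// 5. Disable XML-RPC. Note that 'xmlrpc_enabled' only covers methods that
	//    require authentication, so pingback.ping (unauthenticated) is removed
	//    separately, along with the X-Pingback response header that advertises it.
	if ( ops_enabled( 'disable_xmlrpc' ) ) {
		add_filter( 'xmlrpc_enabled', '__return_false' );
		add_filter( 'xmlrpc_methods', function ( $methods ) {
			unset( $methods['pingback.ping'] );
			return $methods;
		} );
		add_filter( 'wp_headers', function ( $headers ) {
			unset( $headers['X-Pingback'] );
			return $headers;
		} );
	}

	// 6. Force secure cookies: mark the auth and logged-in cookies Secure whenever
	//    the current request arrived over HTTPS.
	if ( ops_enabled( 'force_secure_cookies' ) && is_ssl() ) {
		add_filter( 'secure_auth_cookie', '__return_true' );
		add_filter( 'secure_logged_in_cookie', '__return_true' );
	}
}
```

Two practical caveats when enabling such toggles: blocking the REST API for anonymous visitors also breaks any front-end plugin that calls it without a logged-in session (contact forms, some block-based themes), so test the public site after turning it on; and removing the generator tag does not remove the version that core appends as a `?ver=` query string to its own scripts and styles, so the disclosure is reduced rather than eliminated.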
= Roadmap for Version 2.0.0 =
- **Disallow File Editing in Dashboard**: Prevent theme and plugin file editing from the WordPress dashboard.
- **Disallow File Modifications**: Disable the ability to install or update plugins and themes via the dashboard.
- **Prevent PHP Execution in `/uploads`**: Block PHP file execution in the `/uploads` directory.
- **Disable RSS and Atom Feeds**: Optionally disable RSS and Atom feeds to reduce the attack surface.
- **Disable Application Passwords**: Optionally disable the use of application passwords for REST API authentication.
- **Various Housekeeping Updates**
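As an added example, not part of the plugin or its roadmap code, this is how the file-editing, file-modification, feed and application-password items above map onto WordPress constants and hooks. The `ops_` function prefix is an assumption; the constants belong in `wp-config.php` rather than in a plugin file, and the `/uploads` PHP-execution rule is a web server configuration (e.g. an Apache or nginx location rule), which is why it does not appear here.

```php
<?php
// Added example (not the plugin's code): WordPress constants and hooks behind
// the 2.0.0 roadmap items. The define() calls belong in wp-config.php.

// Disallow file editing in the dashboard: removes the theme and plugin editors.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
	define( 'DISALLOW_FILE_EDIT', true );
}

// Disallow file modifications: also blocks installing and updating plugins,
// themes and core from the dashboard, and disables automatic updates, so pair
// it with an out-of-band update process (WP-CLI, deployment pipeline).
if ( ! defined( 'DISALLOW_FILE_MODS' ) ) {
	define( 'DISALLOW_FILE_MODS', true );
}

// Disable application passwords: REST requests can no longer authenticate with
// them, and the UI for creating them disappears from user profiles.
add_filter( 'wp_is_application_passwords_available', '__return_false' );

// Disable RSS and Atom feeds: every feed action ends with a 404 instead of output.
function ops_disable_feed() {
	wp_die( esc_html__( 'Feeds are disabled on this site.' ), '', array( 'response' => 404 ) );
}
add_action( 'init', function () {
	$feeds = array(
		'do_feed', 'do_feed_rdf', 'do_feed_rss', 'do_feed_rss2', 'do_feed_atom',
		'do_feed_rss2_comments', 'do_feed_atom_comments',
	);
	foreach ( $feeds as $feed ) {
		add_action( $feed, 'ops_disable_feed', 1 );
	}
	// Stop advertising the feeds in <head> so crawlers do not keep requesting them.
	remove_action( 'wp_head', 'feed_links', 2 );
	remove_action( 'wp_head', 'feed_links_extra', 3 );
} );
```

The `DISALLOW_FILE_MODS` trade-off is the one most worth a second look: it closes the dashboard as a code-installation path, which is the intent, but it also stops security releases from being applied automatically, so a site that enables it needs another way to receive core and plugin updates promptly.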
== Installation ==
1. **Download the Plugin**:
- Download the plugin ZIP file from the repository or WordPress plugin directory.
2. **Upload the Plugin**:
- Go to **Plugins > Add New > Upload Plugin** in your WordPress admin dashboard.
- Upload the ZIP file and click **Install Now**.
3. **Activate the Plugin**:
- After installation, click **Activate Plugin**.
4. **Configure Settings**:
- Go to **Settings > OnePatch Security** to enable or disable specific security features.
== Usage ==
Once activated, navigate to the Security page under Settings in the WordPress admin dashboard. Here you can enable whatever features your site needs. If you're not sure what settings you need, we offer a free CLI testing tool, available on [GitHub](https://github.com/mygithub), that will help you.
== Frequently Asked Questions ==
= Is this plugin lightweight? =
Yes, One Patch Security is designed to be lightweight and efficient, ensuring it doesn't slow down your site.
= Can I customize the security features? =
Absolutely! Each feature can be toggled on or off via the settings page, allowing you to tailor the plugin to your site's specific needs.
= Does this plugin patch WordPress core vulnerabilities? =
Yes, One Patch Security focuses on patching security holes in the WordPress core application itself, providing an additional layer of protection.
== Changelog ==
= 1.0.0 =
- Initial release with core security features.
== Upgrade Notice ==
= 1.0.0 =
Initial release of One Patch Security. Install now to start securing your WordPress site!
== Contributing ==
Contributions are welcome! If you'd like to contribute to the development of One Patch Security, please follow these steps:
1. Fork the repository.
2. Create a new branch for your feature or bug fix.
3. Submit a pull request with a detailed description of your changes.
== License ==
This plugin is licensed under the **GNU General Public License v2 or later**.
== Support ==
For support, feature requests, or bug reports, please open an issue on the [GitHub repository](https://github.com/your-repo/one-patch-security).
== About ==
One Patch Security is developed and maintained by **[One Patch Security](https://onepatchsecurity.com)**, a company specializing in WordPress security. In addition to this plugin, One Patch Security offers **security audits** and **code review as a service** to help you secure your WordPress site. Visit [https://onepatchsecurity.com](https://onepatchsecurity.com) for more information.