Merge branch 'develop' into trunk
dkotter committed Dec 14, 2023
2 parents 751e669 + 9bbc9e7 commit 79dab7d
Showing 8 changed files with 6,967 additions and 3,664 deletions.
11 changes: 11 additions & 0 deletions CHANGELOG.md
Expand Up @@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file, per [the Ke

## [Unreleased] - TBD

## [7.5.0] - 2023-12-14
**Note:** this release changes the default behavior for new installs in regards to IP detection. This shouldn't impact existing installs but there are two filters that can be used to change this behavior. See the [readme](https://github.com/10up/restricted-site-access#how-secure-is-this-plug-in) for full details.

### Fixed
- Update code snippet in the readme (props [@dkotter](https://github.com/dkotter), [@jeffpaul](https://github.com/jeffpaul) via [#291](https://github.com/10up/restricted-site-access/pull/291)).

### Security
- For new installs, ensure we only trust the `REMOTE_ADDR` HTTP header by default. Existing installs will still utilize the old list of approved headers but can modify this (and are recommended to) by using the `rsa_trusted_headers` filter (props [@dkotter](https://github.com/dkotter), [@peterwilsoncc](https://github.com/peterwilsoncc), [@dustinrue](https://github.com/dustinrue), [@mikhail-net](https://github.com/mikhail-net), [Darius Sveikauskas](https://patchstack.com/) via [#290](https://github.com/10up/restricted-site-access/pull/290)).
- Bump `axios` from 0.25.0 to 1.6.2 and `@wordpress/scripts` from 23.7.2 to 26.19.0 (props [@dependabot](https://github.com/apps/dependabot), [@dkotter](https://github.com/dkotter) via [#293](https://github.com/10up/restricted-site-access/pull/293)).

## [7.4.1] - 2023-11-14
### Added
- GitHub Action summary report for Cypress end-to-end tests (props [@jayedul](https://github.com/jayedul), [@Sidsector9](https://github.com/Sidsector9) via [#258](https://github.com/10up/restricted-site-access/pull/258)).
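Review bot: the Security entry for 7.5.0 calls `REMOTE_ADDR` an "HTTP header", but it is a server variable (`$_SERVER['REMOTE_ADDR']` in PHP) that the web server fills from the peer address of the TCP connection, not a header the client sends; the README hunk in this same commit repeats the wording. Suggest "only trust `REMOTE_ADDR` by default" so readers do not go looking for it among the request headers. Since the entry recommends that existing installs change their trusted-header list, it would also help to state the recommended value here rather than only linking to the readme, e.g. `add_filter( 'rsa_trusted_headers', '__return_empty_array' );`, which is the snippet the README shows.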
Expand Down Expand Up @@ -326,6 +336,7 @@ All notable changes to this project will be documented in this file, per [the Ke
- Initial public release

[Unreleased]: https://github.com/10up/restricted-site-access/compare/trunk...develop
[7.5.0]: https://github.com/10up/restricted-site-access/compare/7.4.1...7.5.0
[7.4.1]: https://github.com/10up/restricted-site-access/compare/7.4.0...7.4.1
[7.4.0]: https://github.com/10up/restricted-site-access/compare/7.3.5...7.4.0
[7.3.5]: https://github.com/10up/restricted-site-access/compare/7.3.4...7.3.5
2 changes: 1 addition & 1 deletion CREDITS.md
Expand Up @@ -10,7 +10,7 @@ The following individuals are responsible for curating the list of issues, respo

Thank you to all the people who have already contributed to this repository via bug reports, code, design, ideas, project management, translation, testing, etc.

[Jake Goldman (@jakemgold)](https://github.com/jakemgold), [Joey Blake (@joeyblake)](https://github.com/joeyblake), [Steve Grunwell (@stevegrunwell)](https://github.com/stevegrunwell), [Grant Mangham (@vancoder)](https://github.com/vancoder), [@jmata-loop](https://github.com/jmata-loop), [Taylor Lovett (@tlovett1)](https://github.com/tlovett1), [Ivan Kristianto (@ivankristianto)](https://github.com/ivankristianto), [Mika Epstein (@Ipstenu)](https://github.com/Ipstenu), [Adam Silverstein (@adamsilverstein)](https://github.com/adamsilverstein), [Prasath Nadarajah (@nprasath002)](https://github.com/nprasath002), [Mathieu Viet (@imath)](https://github.com/imath), [Ryan Welcher (@ryanwelcher)](https://github.com/ryanwelcher), [Peter Tasker (@ptasker)](https://github.com/ptasker), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Helen Hou-Sandí (@helen)](https://github.com/helen), [Echo (@ChaosExAnima)](https://github.com/ChaosExAnima), [William Patton (@pattonwebz)](https://github.com/pattonwebz), [Oscar Sanchez S. 
(@oscarssanchez)](https://github.com/oscarssanchez), [Pete Nelson (@petenelson)](https://github.com/petenelson), [Nate Allen (@nate-allen)](https://github.com/nate-allen), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Evan Mattson (@aaemnnosttv)](https://github.com/aaemnnosttv), [@JayWood](https://github.com/JayWood), [Ivan Kruchkoff (@ivankruchkoff)](https://github.com/ivankruchkoff), [Paul Schreiber (@paulschreiber)](https://github.com/paulschreiber), [Nick Lobeck (@eightam)](https://github.com/eightam), [Tung Du (@dinhtungdu)](https://github.com/dinhtungdu), [Siddharth Thevaril (@Sidsector9)](https://github.com/Sidsector9), [Mikel King (@mikelking)](https://github.com/mikelking), [Max Lyuchin (@cadic)](https://github.com/cadic), [Crisoforo Gaspar Hernández (@mitogh)](https://github.com/mitogh), [Ankit K Gupta (@ankitguptaindia)](https://github.com/ankitguptaindia), [Brandon Berg (@BBerg10up)](https://github.com/BBerg10up), [Justin Kopepasah (@kopepasah)](https://github.com/kopepasah), [Faisal Alvi (@faisal-alvi)](https://github.com/faisal-alvi), [Wayne K. Walrath (@wkw)](https://github.com/wkw), [Ivan Lopez (@ivanlopez)](https://github.com/ivanlopez), [Chuck Scott (@n8dnx)](https://github.com/n8dnx), [Leho Kraav (@lkraav)](https://github.com/lkraav), [Pablo Amato (@pabamato)](https://github.com/pabamato), [Pedro Mendonça (@pedro-mendonca)](https://github.com/pedro-mendonca), [Sudip Dadhaniya (@sudip-10up)](https://github.com/sudip-10up), [Stephanie Walters (@PypWalters)](https://github.com/PypWalters), [Peter Wilson (@peterwilsoncc)](https://github.com/peterwilsoncc), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [Vikram Moparthy (@vikrampm1)](https://github.com/vikrampm1), [Marc-Alexandre Montpas (@marcS0H)](https://github.com/marcS0H), [Daniel Ruf (@DanielRuf)](https://github.com/DanielRuf), [David E. 
Smith (@dsXLII)](https://github.com/dsXLII), [Eduard Florea (@eflorea)](https://github.com/eflorea), [Dhanendran Rajagopal (@dhanendran)](https://github.com/dhanendran), [Pablo Javier Marti (@pablojmarti)](https://github.com/pablojmarti), [Shahzaib Mushtaq (@shahzaib10up)](https://github.com/shahzaib10up), [Barry Ceelen (@barryceelen)](https://github.com/barryceelen), [Kirtan Gajjar (@kirtangajjar)](https://github.com/kirtangajjar), [Mikel King (@mikelking)](https://github.com/mikelking), [Ravinder Kumar (@ravinderk)](https://github.com/ravinderk), [Jayedul K. (@jayedul)](https://github.com/jayedul), [@mikegibbons4](https://profiles.wordpress.org/mikegibbons4/), [Miguel A. Estrada (@mae829)](https://github.com/mae829), [David Chandra Purnama (@turtlepod)](https://github.com/turtlepod), [GitHub Dependabot (@dependabot)](https://github.com/apps/dependabot), [Sumit Bagthariya (@qasumitbagthariya)](https://github.com/qasumitbagthariya).
[Jake Goldman (@jakemgold)](https://github.com/jakemgold), [Joey Blake (@joeyblake)](https://github.com/joeyblake), [Steve Grunwell (@stevegrunwell)](https://github.com/stevegrunwell), [Grant Mangham (@vancoder)](https://github.com/vancoder), [@jmata-loop](https://github.com/jmata-loop), [Taylor Lovett (@tlovett1)](https://github.com/tlovett1), [Ivan Kristianto (@ivankristianto)](https://github.com/ivankristianto), [Mika Epstein (@Ipstenu)](https://github.com/Ipstenu), [Adam Silverstein (@adamsilverstein)](https://github.com/adamsilverstein), [Prasath Nadarajah (@nprasath002)](https://github.com/nprasath002), [Mathieu Viet (@imath)](https://github.com/imath), [Ryan Welcher (@ryanwelcher)](https://github.com/ryanwelcher), [Peter Tasker (@ptasker)](https://github.com/ptasker), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Helen Hou-Sandí (@helen)](https://github.com/helen), [Echo (@ChaosExAnima)](https://github.com/ChaosExAnima), [William Patton (@pattonwebz)](https://github.com/pattonwebz), [Oscar Sanchez S. 
(@oscarssanchez)](https://github.com/oscarssanchez), [Pete Nelson (@petenelson)](https://github.com/petenelson), [Nate Allen (@nate-allen)](https://github.com/nate-allen), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Evan Mattson (@aaemnnosttv)](https://github.com/aaemnnosttv), [@JayWood](https://github.com/JayWood), [Ivan Kruchkoff (@ivankruchkoff)](https://github.com/ivankruchkoff), [Paul Schreiber (@paulschreiber)](https://github.com/paulschreiber), [Nick Lobeck (@eightam)](https://github.com/eightam), [Tung Du (@dinhtungdu)](https://github.com/dinhtungdu), [Siddharth Thevaril (@Sidsector9)](https://github.com/Sidsector9), [Mikel King (@mikelking)](https://github.com/mikelking), [Max Lyuchin (@cadic)](https://github.com/cadic), [Crisoforo Gaspar Hernández (@mitogh)](https://github.com/mitogh), [Ankit K Gupta (@ankitguptaindia)](https://github.com/ankitguptaindia), [Brandon Berg (@BBerg10up)](https://github.com/BBerg10up), [Justin Kopepasah (@kopepasah)](https://github.com/kopepasah), [Faisal Alvi (@faisal-alvi)](https://github.com/faisal-alvi), [Wayne K. Walrath (@wkw)](https://github.com/wkw), [Ivan Lopez (@ivanlopez)](https://github.com/ivanlopez), [Chuck Scott (@n8dnx)](https://github.com/n8dnx), [Leho Kraav (@lkraav)](https://github.com/lkraav), [Pablo Amato (@pabamato)](https://github.com/pabamato), [Pedro Mendonça (@pedro-mendonca)](https://github.com/pedro-mendonca), [Sudip Dadhaniya (@sudip-10up)](https://github.com/sudip-10up), [Stephanie Walters (@PypWalters)](https://github.com/PypWalters), [Peter Wilson (@peterwilsoncc)](https://github.com/peterwilsoncc), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [Vikram Moparthy (@vikrampm1)](https://github.com/vikrampm1), [Marc-Alexandre Montpas (@marcS0H)](https://github.com/marcS0H), [Daniel Ruf (@DanielRuf)](https://github.com/DanielRuf), [David E. 
Smith (@dsXLII)](https://github.com/dsXLII), [Eduard Florea (@eflorea)](https://github.com/eflorea), [Dhanendran Rajagopal (@dhanendran)](https://github.com/dhanendran), [Pablo Javier Marti (@pablojmarti)](https://github.com/pablojmarti), [Shahzaib Mushtaq (@shahzaib10up)](https://github.com/shahzaib10up), [Barry Ceelen (@barryceelen)](https://github.com/barryceelen), [Kirtan Gajjar (@kirtangajjar)](https://github.com/kirtangajjar), [Mikel King (@mikelking)](https://github.com/mikelking), [Ravinder Kumar (@ravinderk)](https://github.com/ravinderk), [Jayedul K. (@jayedul)](https://github.com/jayedul), [@mikegibbons4](https://profiles.wordpress.org/mikegibbons4/), [Miguel A. Estrada (@mae829)](https://github.com/mae829), [David Chandra Purnama (@turtlepod)](https://github.com/turtlepod), [GitHub Dependabot (@dependabot)](https://github.com/apps/dependabot), [Sumit Bagthariya (@qasumitbagthariya)](https://github.com/qasumitbagthariya), [Dustin Rue (@dustinrue)](https://github.com/dustinrue), [Mika (@mikhail-net)](https://github.com/mikhail-net), [Darius Sveikauskas](https://patchstack.com/).

## Libraries

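Review bot: the regenerated contributor line carries over a duplicate entry: `[Mikel King (@mikelking)]` appears twice, once after @Sidsector9 and again after @kirtangajjar, in both the removed and the added version of the line. Since this hunk rewrites the whole line anyway, drop the second occurrence. The three names appended at the end (@dustinrue, @mikhail-net, Darius Sveikauskas) match the props on the 7.5.0 security entry in CHANGELOG.md, so the credits and changelog stay consistent.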
10 changes: 4 additions & 6 deletions README.md
Expand Up @@ -74,21 +74,19 @@ function my_rsa_feed_override( $is_restricted, $wp ) {

### How secure is this plug-in?

Visitors that are not logged in or allowed by IP address will not be able to browse your site (though be cautious of page caching plugin incompatibilities, mentioned above). Restricted Site Access does not block access to your, so direct links to files in your media and uploads folder (for instance) are not blocked. It is also important to remember that IP addresses can be spoofed. Because Restricted Site Access runs as a plug-in, it is subject to any other vulnerabilities present on your site.
Visitors that are not logged in or allowed by IP address will not be able to browse your site (though be cautious of page caching plugin incompatibilities, mentioned above). Restricted Site Access does not block access to your "real" files, so direct links to files in your media and uploads folder (for instance) are not blocked. It is also important to remember that IP addresses can be spoofed. Because Restricted Site Access runs as a plug-in, it is subject to any other vulnerabilities present on your site.

Restricted Site Access is not meant to be a top secret data safe, but simply a reliable and convenient way to handle unwanted visitors.

In 7.3.2, two new filters have been added that can be utilized to help prevent IP spoofing attacks. The first filter allows you to set up a list of approved proxy IP addresses and the second allows you to set up a list of approved HTTP headers. By default, these filters will not change existing behavior. It is recommended to review these filters and utilize them appropriately for your site to secure things further.

If your site is not running behind a proxy, we recommend doing the following:
In 7.3.2, two new filters were added that can be utilized to help prevent IP spoofing attacks. The first filter allows you to set up a list of approved proxy IP addresses and the second allows you to set up a list of approved HTTP headers. For any sites that were using Restricted Site Access prior to version 7.5.0, a handful of HTTP headers are trusted by default. To change this, utilize the `rsa_trusted_headers` filter to modify the HTTP headers you want to trust. If your site is not running behind a proxy, we recommend doing the following:

```php
add_filter( 'rsa_trusted_headers', '__return_empty_array' );
```

This will then only use the `REMOTE_ADDR` HTTP header to determine the IP address of the visitor. This header can't be spoofed, so this will increase security.
This will then only use the `REMOTE_ADDR` HTTP header to determine the IP address of the visitor. This header can't be spoofed, so this will increase security. Note that this is now the default for all new installs since version 7.5.0.

If your site is running behind a proxy (like a CDN), you can't rely on the `REMOTE_ADDR` HTTP header, as this will contain the IP address of the proxy, not the user. If your proxy uses static IP addresses, we recommend using the `rsa_trusted_proxies` filter to set those trusted IP addresses:
If your site is running behind a proxy (like a CDN), you usually can't rely on the `REMOTE_ADDR` HTTP header, as this will contain the IP address of the proxy, not the user. If your proxy uses static IP addresses, we recommend using the `rsa_trusted_proxies` filter to set those trusted IP addresses:

```php
add_filter( 'rsa_trusted_proxies', 'my_rsa_trusted_proxies' );
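Review bot: the updated sentence "This will then only use the `REMOTE_ADDR` HTTP header ... This header can't be spoofed" misnames the source and overstates the guarantee. `REMOTE_ADDR` is a server variable set by the web server from the connecting socket's peer address, not a request header, so the property that matters is that the visitor cannot set it the way they can set the proxy-supplied headers that `rsa_trusted_headers` controls; and, as the following paragraph itself says, behind a proxy or CDN its value is the proxy's address rather than the visitor's. Suggest: "This will then only use `REMOTE_ADDR` (the address of the client connecting to the web server) to determine the visitor's IP. Unlike request headers, it cannot be set by the visitor, so this is the safest option when no proxy sits in front of the site." Minor: the paragraph mixes "plug-in" and "plugin"; note that the heading anchor `#how-secure-is-this-plug-in` is linked from the new CHANGELOG entry, so if the heading spelling is normalised later that link must be updated with it.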

0 comments on commit 79dab7d