Merge branch 'develop' into trunk

.github/workflows/cypress.yml

@@ -21,7 +21,7 @@ jobs:
         core:
           - {name: 'WP latest', version: 'latest'}
           - {name: 'WP trunk', version: 'WordPress/WordPress#master'}
-          - {name: 'WP minimum', version: 'WordPress/WordPress#4.6'}
+          - {name: 'WP minimum', version: 'WordPress/WordPress#5.7'}
 
     steps:
     - name: Checkout

.github/workflows/php-compatibility.yml

@@ -11,7 +11,7 @@ on:
 
 jobs:
   php-compatibility:
-    name: PHP minimum 5.6
+    name: PHP minimum 7.4
 
     runs-on: ubuntu-latest
 
@@ -22,12 +22,12 @@ jobs:
       - name: Set PHP version
         uses: shivammathur/setup-php@v2
         with:
-          php-version: '7.3'
+          php-version: '7.4'
           tools: composer:v2
           coverage: none
 
       - name: Install dependencies
         run: composer install
 
       - name: Run PHP Compatibility
-        run: vendor/bin/phpcs . --standard=PHPCompatibilityWP --ignore=vendor --extensions=php --runtime-set testVersion 5.6-
+        run: vendor/bin/phpcs . --standard=PHPCompatibilityWP --ignore=vendor --extensions=php --runtime-set testVersion 7.4-

.github/workflows/phpunit.yml

@@ -24,7 +24,7 @@ jobs:
     - name: Set PHP version
       uses: shivammathur/setup-php@v2
       with:
-        php-version: '7.3'
+        php-version: '7.4'
         coverage: none
         tools: composer:v1
 

CHANGELOG.md

@@ -2,7 +2,20 @@
 
 All notable changes to this project will be documented in this file, per [the Keep a Changelog standard](http://keepachangelog.com/).  Moving forward, this project will (more strictly) adhere to [Semantic Versioning](http://semver.org/).
 
-## [Unreleased]
+## [Unreleased] - TBD
+
+## [7.3.2] - 2022-08-29
+
+### Added
+- New filter - `rsa_get_client_ip_address_filter_flags` to modify the range of accepted IP addresses (props [@dsXLII](https://github.com/dsXLII), [@dinhtungdu](https://github.com/dinhtungdu), [@Sidsector9](https://github.com/Sidsector9) via [#113](https://github.com/10up/restricted-site-access/pull/113)).
+
+### Changed
+- Avoid disjointed plugin settings (props [@helen](https://github.com/helen), [@peterwilsoncc](https://github.com/peterwilsoncc), [@Sidsector9](https://github.com/Sidsector9) via [#200](https://github.com/10up/restricted-site-access/pull/200)).
+- Bump minimum WordPress version from 5.0 to 5.7 (props [@vikrampm1](https://github.com/vikrampm1), [@Sidsector9](https://github.com/Sidsector9), [@faisal-alvi](https://github.com/faisal-alvi) via [#207](https://github.com/10up/restricted-site-access/pull/207)).
+- Bump minimum PHP version from 5.6 to 7.4 (props [@vikrampm1](https://github.com/vikrampm1), [@Sidsector9](https://github.com/Sidsector9), [@faisal-alvi](https://github.com/faisal-alvi) via [#207](https://github.com/10up/restricted-site-access/pull/207)).
+
+### Security
+- New filters - `rsa_trusted_proxies` and `rsa_trusted_headers` have been added to help prevent IP spoofing attacks (props [@dkotter](https://github.com/dkotter), [@peterwilsoncc](https://github.com/peterwilsoncc), [@marcS0H](https://github.com/marcS0H), [@DanielRuf](https://github.com/DanielRuf), [@Sidsector9](https://github.com/Sidsector9) via [#198](https://github.com/10up/restricted-site-access/pull/198)).
 
 ## [7.3.1] - 2022-06-30
 ### Added
@@ -230,6 +243,7 @@ All notable changes to this project will be documented in this file, per [the Ke
 - Initial public release
 
 [Unreleased]: https://github.com/10up/restricted-site-access/compare/trunk...develop
+[7.3.2]: https://github.com/10up/restricted-site-access/compare/7.3.1...7.3.2
 [7.3.1]: https://github.com/10up/restricted-site-access/compare/7.3.0...7.3.1
 [7.3.0]: https://github.com/10up/restricted-site-access/compare/7.2.0...7.3.0
 [7.2.0]: https://github.com/10up/restricted-site-access/compare/7.1.0...7.2.0

CREDITS.md

@@ -10,7 +10,7 @@ The following individuals are responsible for curating the list of issues, respo
 
 Thank you to all the people who have already contributed to this repository via bug reports, code, design, ideas, project management, translation, testing, etc.
 
-[Jake Goldman (@jakemgold)](https://github.com/jakemgold), [Joey Blake (@joeyblake)](https://github.com/joeyblake), [Steve Grunwell (@stevegrunwell)](https://github.com/stevegrunwell), [Grant Mangham (@vancoder)](https://github.com/vancoder), [@jmata-loop](https://github.com/jmata-loop), [Taylor Lovett (@tlovett1)](https://github.com/tlovett1), [Ivan Kristianto (@ivankristianto)](https://github.com/ivankristianto), [Mika Epstein (@Ipstenu)](https://github.com/Ipstenu), [Adam Silverstein (@adamsilverstein)](https://github.com/adamsilverstein), [Prasath Nadarajah (@nprasath002)](https://github.com/nprasath002), [Mathieu Viet (@imath)](https://github.com/imath), [Ryan Welcher (@ryanwelcher)](https://github.com/ryanwelcher), [Peter Tasker (@ptasker)](https://github.com/ptasker), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Helen Hou-Sandí (@helen)](https://github.com/helen), [Echo (@ChaosExAnima)](https://github.com/ChaosExAnima), [William Patton (@pattonwebz)](https://github.com/pattonwebz), [Oscar Sanchez S. (@oscarssanchez)](https://github.com/oscarssanchez), [Pete Nelson (@petenelson)](https://github.com/petenelson), [Nate Allen (@nate-allen)](https://github.com/nate-allen), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Evan Mattson (@aaemnnosttv)](https://github.com/aaemnnosttv), [@JayWood](https://github.com/JayWood), [Ivan Kruchkoff (@ivankruchkoff)](https://github.com/ivankruchkoff), [Paul Schreiber (@paulschreiber)](https://github.com/paulschreiber), [Nick Lobeck (@eightam)](https://github.com/eightam), [Tung Du (@dinhtungdu)](https://github.com/dinhtungdu), [Siddharth Thevaril (@Sidsector9)](https://github.com/Sidsector9), [Mikel King (@mikelking)](https://github.com/mikelking), [Max Lyuchin (@cadic)](https://github.com/cadic), [Crisoforo Gaspar Hernández (@mitogh)](https://github.com/mitogh), [Ankit K Gupta (@ankitguptaindia)](https://github.com/ankitguptaindia), [Brandon Berg (@BBerg10up)](https://github.com/BBerg10up), [Justin Kopepasah (@kopepasah)](https://github.com/kopepasah), [Faisal Alvi (@faisal-alvi)](https://github.com/faisal-alvi), [Wayne K. Walrath (@wkw)](https://github.com/wkw), [Ivan Lopez (@ivanlopez)](https://github.com/ivanlopez), [Chuck Scott (@n8dnx)](https://github.com/n8dnx), [Leho Kraav (@lkraav)](https://github.com/lkraav), [Pablo Amato (@pabamato)](https://github.com/pabamato), [Pedro Mendonça (@pedro-mendonca)](https://github.com/pedro-mendonca), [Sudip Dadhaniya (@sudip-10up)](https://github.com/sudip-10up), [Stephanie Walters (@PypWalters)](https://github.com/PypWalters), [Peter Wilson (@peterwilsoncc)](https://github.com/peterwilsoncc), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh).
+[Jake Goldman (@jakemgold)](https://github.com/jakemgold), [Joey Blake (@joeyblake)](https://github.com/joeyblake), [Steve Grunwell (@stevegrunwell)](https://github.com/stevegrunwell), [Grant Mangham (@vancoder)](https://github.com/vancoder), [@jmata-loop](https://github.com/jmata-loop), [Taylor Lovett (@tlovett1)](https://github.com/tlovett1), [Ivan Kristianto (@ivankristianto)](https://github.com/ivankristianto), [Mika Epstein (@Ipstenu)](https://github.com/Ipstenu), [Adam Silverstein (@adamsilverstein)](https://github.com/adamsilverstein), [Prasath Nadarajah (@nprasath002)](https://github.com/nprasath002), [Mathieu Viet (@imath)](https://github.com/imath), [Ryan Welcher (@ryanwelcher)](https://github.com/ryanwelcher), [Peter Tasker (@ptasker)](https://github.com/ptasker), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Helen Hou-Sandí (@helen)](https://github.com/helen), [Echo (@ChaosExAnima)](https://github.com/ChaosExAnima), [William Patton (@pattonwebz)](https://github.com/pattonwebz), [Oscar Sanchez S. (@oscarssanchez)](https://github.com/oscarssanchez), [Pete Nelson (@petenelson)](https://github.com/petenelson), [Nate Allen (@nate-allen)](https://github.com/nate-allen), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Evan Mattson (@aaemnnosttv)](https://github.com/aaemnnosttv), [@JayWood](https://github.com/JayWood), [Ivan Kruchkoff (@ivankruchkoff)](https://github.com/ivankruchkoff), [Paul Schreiber (@paulschreiber)](https://github.com/paulschreiber), [Nick Lobeck (@eightam)](https://github.com/eightam), [Tung Du (@dinhtungdu)](https://github.com/dinhtungdu), [Siddharth Thevaril (@Sidsector9)](https://github.com/Sidsector9), [Mikel King (@mikelking)](https://github.com/mikelking), [Max Lyuchin (@cadic)](https://github.com/cadic), [Crisoforo Gaspar Hernández (@mitogh)](https://github.com/mitogh), [Ankit K Gupta (@ankitguptaindia)](https://github.com/ankitguptaindia), [Brandon Berg (@BBerg10up)](https://github.com/BBerg10up), [Justin Kopepasah (@kopepasah)](https://github.com/kopepasah), [Faisal Alvi (@faisal-alvi)](https://github.com/faisal-alvi), [Wayne K. Walrath (@wkw)](https://github.com/wkw), [Ivan Lopez (@ivanlopez)](https://github.com/ivanlopez), [Chuck Scott (@n8dnx)](https://github.com/n8dnx), [Leho Kraav (@lkraav)](https://github.com/lkraav), [Pablo Amato (@pabamato)](https://github.com/pabamato), [Pedro Mendonça (@pedro-mendonca)](https://github.com/pedro-mendonca), [Sudip Dadhaniya (@sudip-10up)](https://github.com/sudip-10up), [Stephanie Walters (@PypWalters)](https://github.com/PypWalters), [Peter Wilson (@peterwilsoncc)](https://github.com/peterwilsoncc), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [Vikram Moparthy (@vikrampm1)](https://github.com/vikrampm1), [Marc-Alexandre Montpas (@marcS0H)](https://github.com/marcS0H), [Daniel Ruf (@DanielRuf)](https://github.com/DanielRuf), [David E. Smith (@dsXLII)](https://github.com/dsXLII).
 
 ## Libraries
 

README.md

@@ -75,6 +75,51 @@ Visitors that are not logged in or allowed by IP address will not be able to bro
 
 Restricted Site Access is not meant to be a top secret data safe, but simply a reliable and convenient way to handle unwanted visitors.
 
+In 7.3.2, two new filters have been added that can be utilized to help prevent IP spoofing attacks. The first filter allows you to set up a list of approved proxy IP addresses and the second allows you to set up a list of approved HTTP headers. By default, these filters will not change existing behavior. It is recommended to review these filters and utilize them appropriately for your site to secure things further.
+
+If your site is not running behind a proxy, we recommend doing the following:
+
+```php
+add_filter( 'rsa_trusted_headers', '__return_empty_array' );
+```
+
+This will then only use the `REMOTE_ADDR` HTTP header to determine the IP address of the visitor. This header can't be spoofed, so this will increase security.
+
+If your site is running behind a proxy (like a CDN), you can't rely on the `REMOTE_ADDR` HTTP header, as this will contain the IP address of the proxy, not the user. If your proxy uses static IP addresses, we recommend using the `rsa_trusted_proxies` filter to set those trusted IP addresses:
+
+```php
+add_filter( 'rsa_trusted_proxies', 'my_rsa_trusted_proxies' );
+
+function my_rsa_trusted_proxies( $trusted_proxies = array() ) {
+  // Set one or more trusted proxy IP addresses.
+  $proxy_ips       = array(
+    '10.0.0.0/24',
+    '10.0.0.0/32',
+  );
+  $trusted_proxies = array_merge( $trusted_proxies, $proxy_ips );
+
+  return array_unique( $trusted_proxies );
+}
+```
+
+And then use the `rsa_trusted_headers` filter to set which HTTP headers you want to trust. Consult with your proxy provider to determine which header(s) they use to hold the original client IP:
+
+```php
+add_filter( 'rsa_trusted_headers', 'my_rsa_trusted_headers' );
+
+function my_rsa_trusted_headers( $trusted_headers = array() ) {
+  // Set one or more trusted HTTP headers.
+  $headers = array(
+    'HTTP_X_FORWARDED',
+    'HTTP_FORWARDED',
+  );
+
+  return $headers;
+}
+```
+
+If your proxy does not use static IP addresses, you can still utilize the `rsa_trusted_headers` filter to change which HTTP headers you want to trust.
+
 ### I received a warning about page caching. What does it mean?
 
 Page caching plugins often hook into WordPress to quickly serve the last cached output of a page before we can check to see if a visitor’s access should be restricted. Not all page caching plugins behave the same way, but several solutions - including external solutions we might not detect - can cause restricted pages to be publicly served regardless of your settings.

package.json

@@ -1,6 +1,6 @@
 {
   "name": "restricted-site-access",
-  "version": "7.3.1",
+  "version": "7.3.2",
   "description": "Limit access to visitors who are logged in or allowed by IP addresses. Includes many options for handling blocked visitors.",
   "homepage": "https://github.com/10up/restricted-site-access#readme",
   "license": "GPL-2.0-or-later",

readme.txt

@@ -2,10 +2,10 @@
 Contributors:      10up, jakemgold, rcbth, thinkoomph, tlovett1, jeffpaul, nomnom99
 Donate link:       https://10up.com/plugins/restricted-site-access-wordpress/
 Tags:              privacy, restricted, restrict, privacy, limited, permissions, security, block
-Requires at least: 5.0
+Requires at least: 5.7
 Tested up to:      6.0
-Stable tag:        7.3.1
-Requires PHP:      5.6
+Stable tag:        7.3.2
+Requires PHP:      7.4
 License:           GPLv2 or later
 License URI:       http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -64,6 +64,51 @@ Visitors that are not logged in or allowed by IP address will not be able to bro
 
 Restricted Site Access is not meant to be a top secret data safe, but simply a reliable and convenient way to handle unwanted visitors.
 
+In 7.3.2, two new filters have been added that can be utilized to help prevent IP spoofing attacks. The first filter allows you to set up a list of approved proxy IP addresses and the second allows you to set up a list of approved HTTP headers. By default, these filters will not change existing behavior. It is recommended to review these filters and utilize them appropriately for your site to secure things further.
+
+If your site is not running behind a proxy, we recommend doing the following:
+
+`
+add_filter( 'rsa_trusted_headers', '__return_empty_array' );
+`
+
+This will then only use the `REMOTE_ADDR` HTTP header to determine the IP address of the visitor. This header can't be spoofed, so this will increase security.
+
+If your site is running behind a proxy (like a CDN), you can't rely on the `REMOTE_ADDR` HTTP header, as this will contain the IP address of the proxy, not the user. If your proxy uses static IP addresses, we recommend using the `rsa_trusted_proxies` filter to set those trusted IP addresses:
+
+`
+add_filter( 'rsa_trusted_proxies', 'my_rsa_trusted_proxies' );
+
+function my_rsa_trusted_proxies( $trusted_proxies = array() ) {
+  // Set one or more trusted proxy IP addresses.
+  $proxy_ips       = array(
+    '10.0.0.0/24',
+    '10.0.0.0/32',
+  );
+  $trusted_proxies = array_merge( $trusted_proxies, $proxy_ips );
+
+  return array_unique( $trusted_proxies );
+}
+`
+
+And then use the `rsa_trusted_headers` filter to set which HTTP headers you want to trust. Consult with your proxy provider to determine which header(s) they use to hold the original client IP:
+
+`
+add_filter( 'rsa_trusted_headers', 'my_rsa_trusted_headers' );
+
+function my_rsa_trusted_headers( $trusted_headers = array() ) {
+  // Set one or more trusted HTTP headers.
+  $headers = array(
+    'HTTP_X_FORWARDED',
+    'HTTP_FORWARDED',
+  );
+
+  return $headers;
+}
+`
+
+If your proxy does not use static IP addresses, you can still utilize the `rsa_trusted_headers` filter to change which HTTP headers you want to trust.
+
 = I received a warning about page caching. What does it mean? =
 
 Page caching plugins often hook into WordPress to quickly serve the last cached output of a page before we can check to see if a visitor’s access should be restricted. Not all page caching plugins behave the same way, but several solutions - including external solutions we might not detect - can cause restricted pages to be publicly served regardless of your settings.
@@ -153,6 +198,13 @@ Please note that setting `RSA_FORCE_RESTRICTION` will override `RSA_FORBID_RESTR
 
 == Changelog ==
 
+= 7.3.2 - 2022-08-29 =
+* **Added:** New filter - `rsa_get_client_ip_address_filter_flags` to modify the range of accepted IP addresses.
+* **Changed:** Avoid disjointed plugin settings (props [@helen](https://github.com/helen), [@peterwilsoncc](https://github.com/peterwilsoncc), [@Sidsector9](https://github.com/Sidsector9)).
+* **Changed:** Bump minimum WordPress version from 5.0 to 5.7 (props [@vikrampm1](https://github.com/vikrampm1), [@Sidsector9](https://github.com/Sidsector9), [@faisal-alvi](https://github.com/faisal-alvi)).
+* **Changed:** Bump minimum PHP version from 5.6 to 7.4 (props [@vikrampm1](https://github.com/vikrampm1), [@Sidsector9](https://github.com/Sidsector9), [@faisal-alvi](https://github.com/faisal-alvi)).
+* **Security:** New filters - `rsa_trusted_proxies` and `rsa_trusted_headers` have been added to help prevent IP spoofing attacks.
+
 = 7.3.1 - 2022-06-30 =
 * **Added:** PHP8 compatibility check GitHub Action (props [@Sidsector9](https://github.com/Sidsector9), [dkotter](https://github.com/dkotter)).
 * **Added:** Dependency security scanning GitHub Action (props [@jeffpaul](https://github.com/jeffpaul)).
@@ -315,13 +367,9 @@ __Note: There is currently an edge case bug affecting IP whitelisting. This bug
 
 == Upgrade Notice ==
 
-= 5.1 =
-Drops support for versions of WordPress prior to 3.5.
-
-= 4.0 =
-This update improves performance, refines the user interface, and adds support for showing restricted visitors a specific page. Please be advised that this udpate is specifically designed for WordPress 3.2+, and like WordPress 3.2, <strong>no longer supports PHP < 5.2.4</strong>.
-
-== Upgrade Notice ==
+= 7.3.2 =
+Drops support for versions of WordPress prior to 5.7.
+Drops support for versions of PHP prior to 7.4.
 
 = 6.2.1 =
 IMPORTANT MULTISITE FUNCTIONALITY CHANGE: User access is now checked against their role on a given site in multisite. To restore previous behavior, use the new restricted_site_access_user_can_access filter.
@@ -331,3 +379,9 @@ IMPORTANT MULTISITE FUNCTIONALITY CHANGE: User access is now checked against the
 
 = 6.1.0 =
 * Important: version 6.1 improves testing visitors for allowed IP addresses ("Unrestricted IP addresses"). We recommend testing IP based restrictions after updating.
+
+= 5.1 =
+Drops support for versions of WordPress prior to 3.5.
+
+= 4.0 =
+This update improves performance, refines the user interface, and adds support for showing restricted visitors a specific page. Please be advised that this udpate is specifically designed for WordPress 3.2+, and like WordPress 3.2, <strong>no longer supports PHP < 5.2.4</strong>.