-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathitineris-prevent-user-enumeration.php
76 lines (67 loc) · 2.24 KB
/
itineris-prevent-user-enumeration.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
<?php
/**
* Plugin Name: Itineris Prevent WP User Enumeration
* Plugin URI: https://github.com/ItinerisLtd/itineris-prevent-wp-user-enumeration
* Description: Disable WordPress XML-RPC via actions and filters.
* Version: 0.2.2
* Author: Itineris Limited
* Author URI: https://itineris.co.uk
* License: GPL-2.0-or-later
* License URI: http://www.gnu.org/licenses/gpl-2.0.txt
*/
declare(strict_types=1);
// If this file is called directly, abort.
if (! defined('WPINC')) {
die;
}
// Make login errors generic.
add_filter('login_errors', function (string $errors): string {
if (isset($GLOBALS['errors']) && $GLOBALS['errors'] instanceof WP_Error) {
$error_codes = $GLOBALS['errors']->get_error_codes();
if (! in_array('invalid_username', $error_codes, true) && ! in_array('incorrect_password', $error_codes, true)) {
return $errors;
}
} else {
$errors_to_check = [
'The username or password you entered is incorrect',
'lostpassword',
];
$has_valid_error = (bool) array_filter(
$errors_to_check,
fn (string $error): bool => ! str_contains($errors, $error),
);
if ($has_valid_error) {
return $errors;
}
}
return __('Something was wrong.', 'itineris-prevent-wp-user-enumeration');
});
// Disable /?author=ID.
add_action('wp', function (): void {
/** @var WP_Query */
$wp_query = $GLOBALS['wp_query'];
$query_vars = $wp_query->query_vars;
if (empty($query_vars) || empty($query_vars['author'])) {
return;
}
$wp_query->set_404();
status_header(404);
nocache_headers();
});
// Remove user-related REST endpoints.
add_filter('rest_endpoints', function (array $endpoints): array {
if (is_admin() || current_user_can('list_users')) {
return $endpoints;
}
return array_filter(
$endpoints,
fn(string $endpoint): bool => (0 === preg_match('/^\/wp\/v2\/users/', $endpoint)),
ARRAY_FILTER_USE_KEY,
);
});
// Remove user info from oEmbed data.
add_filter('oembed_response_data', function (array $data): array {
unset($data['author_name']);
unset($data['author_url']);
return $data;
});