Security: Add Google reCAPTCHA v2 to login and lost password forms

Hanson.xyz Dev
2025-11-28 17:24:36 -06:00
parent abbd3502e8
commit f754f1f6e1
3 changed files with 64 additions and 5 deletions
@@ -808,21 +808,51 @@ This implementation plan is a draft for review. Please confirm:
- Site icon/favicon managed via WordPress Customizer (Appearance > Customize > Site Identity)
- Theme color set to #0A0A0A (background dark) for mobile browser chrome
### Phase 6: Performance & Security - COMPLETED (Partial)
### Phase 6: Performance & Security - COMPLETED
- [x] WebP image conversion via "Converter for Media" plugin
- [x] Nginx rewrite rules for serving WebP to supported browsers
- [x] Server dependencies documented in DEPENDENCIES.md
- [x] AIOS (All In One WP Security) plugin installed and configured
- [ ] Caching plugin - SKIPPED (not requested)
- [ ] Security plugin - SKIPPED (not requested)
- [ ] Backups plugin - SKIPPED (not requested)
**Technical Details:**
**WebP Conversion:**
- Plugin: Converter for Media v6.3.2
- Conversion method: PHP GD/Imagick (both available, WebP supported)
- WebP files stored in: `/wp-content/uploads-webpc/`
- Nginx serves WebP when browser sends `Accept: image/webp` header
- No external APIs or services used (fully local processing)
**Security (AIOS) Configuration:**
- Plugin: All In One WP Security v5.4.4
- Login lockdown: 10 attempts in 5 minutes = 30 min lockout (max 60 min)
- Instant lockout usernames: admin, administrator, test
- Generic login error messages enabled
- Email notifications on lockout enabled
- Login honeypot enabled
- Registration honeypot enabled
- Comment spam bot blocking enabled
- User enumeration prevention enabled
- Unauthorized REST API requests blocked
- File editing disabled in admin
- WP generator meta removed
- Default WP file access prevented (readme.html, license.txt, etc.)
- Debug log file access blocked
- Directory index views disabled
- Clickjacking protection (X-Frame-Options)
- 404 logging enabled
- Basic firewall enabled
- XML-RPC pingback disabled
**NOT enabled (conservative approach):**
- Renamed login page (can break plugins/bookmarks)
- Cookie-based brute force prevention (can lock out legitimate users)
- Forced logout after X minutes
- CAPTCHA on forms (can hurt UX)
- 5G/6G firewall rules (Sucuri WAF will handle this)
- File change detection scanning (resource intensive)
- IP blacklisting (Sucuri WAF will handle this)
**Files Created:**
- /var/www/html/DEPENDENCIES.md (server dependency documentation)
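Review bot: The "NOT enabled (conservative approach)" list near the end of this hunk still carries "- CAPTCHA on forms (can hurt UX)", which contradicts this commit's own title (reCAPTCHA v2 is now on the login and lost password forms); move CAPTCHA into the enabled section, e.g. "- Google reCAPTCHA v2 on login and lost password forms", and state where the site key and secret key are configured so the secret does not end up in a committed file. Two smaller inconsistencies in the same hunk: "- [ ] Security plugin - SKIPPED (not requested)" sits two lines below "- [x] AIOS (All In One WP Security) plugin installed and configured", so the skipped entry should be dropped or reworded, and the heading change from "COMPLETED (Partial)" to "COMPLETED" leaves three unchecked items in a phase marked complete; either keep "(Partial)" or label those items as out of scope rather than pending.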