Good morning! More security upgrades have made it onto Planet 4, including the option to enable Cloudflare Turnstile to keep comment sections clean, along with bug fixes and further improvements. Let’s explore:
Survey 📋
It’s survey time! We’d like to hear from you 🫵
When opening this very Handbook, you’ll receive a small pop-up where we ask if you were able to find what you were looking for. Please do answer it. We’re looking for your honest opinions.
Thank you for taking part in shaping the P4 Handbook!
Features 🛠️
PLANET-7937 Integrate Cloudflare Turnstile to Comments form section 🔑
As the comment section on some websites generates a lot of traffic to Akismet, an additional anti-spam mitigation can be enabled in those cases. Cloudflare Turnstile is a good privacy-friendly option, and we already use the service.
This option has to be enabled manually: go to Dashboard > Settings > Discussion and scroll down until you find the Cloudflare Turnstile checkbox.

PLANET-7908 Weak Authentication Lockout Threshold
During testing, it was observed that multiple consecutive failed login attempts could be made without triggering an account lockout, a CAPTCHA challenge, rate limiting, or any other authentication control. So, a change has been made for better security on P4:
- Lock authentication for the originating IP address after 5 failed attempts
- Clear the failed-attempt count after a successful login
PLANET-7899 Add Sub-Resource Integrity check on 3rd-party scripts
During a review of the client-side source code, it was highlighted that several cross-domain resource includes are missing integrity attributes. Without them, any modification of an included resource, whether by a compromised CDN or an unnoticed upstream change, is propagated to every page that includes it across the web applications, and the modified script runs with the same privileges as the page’s own code.
Potential repercussions range from functionality errors and missing content to complete service disruption.
So, mitigation: all cross-domain included resources are subject to a Subresource Integrity check. The integrity hash can be generated automatically with webpack-subresource-integrity (installable with npm) or taken manually from what the CDN publishes for that exact file version. Note that the hash is tied to the exact bytes of one version, so the referenced URL must be pinned to that version; if the CDN later serves different bytes, the browser refuses to run the script rather than silently executing it.
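The manual route, as an added example (not Planet 4’s own code): a small WordPress snippet that computes the integrity value from a downloaded copy of the exact file version and then adds the `integrity` and `crossorigin` attributes to the rendered `<script>` tag, since `wp_enqueue_script()` has no integrity option of its own. The handle name, the CDN URL, the placeholder digest and the `p4_example_` prefix are assumptions for illustration.

```php
<?php
/**
 * Added example, not Planet 4 code: pin a Subresource Integrity hash on a
 * third-party script enqueued through WordPress.
 *
 * Assumptions: the handle, the CDN URL and the digest below are placeholders.
 * The digest must be computed from (or published by the CDN for) the exact
 * file version referenced in the URL.
 */

// Computes the value of an integrity attribute from a local copy of the file.
// Download the exact version you will reference from the CDN (e.g. with curl),
// run this once, then paste the result into the registry below.
function p4_example_sri_digest( string $path, string $algo = 'sha384' ): string {
    $bytes = file_get_contents( $path );
    if ( false === $bytes ) {
        throw new RuntimeException( "Cannot read $path" );
    }
    return $algo . '-' . base64_encode( hash( $algo, $bytes, true ) );
}

// Registry of third-party scripts with pinned versions and their digests.
// Pin a versioned URL, never a "latest" alias: as soon as the CDN serves
// different bytes the browser refuses to execute the file.
const P4_EXAMPLE_SRI_SCRIPTS = [
    'example-vendor-lib' => [
        'src'       => 'https://cdn.example.com/vendor-lib/1.2.3/vendor-lib.min.js', // placeholder
        'integrity' => 'sha384-REPLACE_WITH_OUTPUT_OF_p4_example_sri_digest',        // placeholder
    ],
];

add_action( 'wp_enqueue_scripts', function () {
    foreach ( P4_EXAMPLE_SRI_SCRIPTS as $handle => $script ) {
        // null version: the pinned URL already identifies the exact release.
        wp_enqueue_script( $handle, $script['src'], [], null, true );
    }
} );

// wp_enqueue_script() cannot emit integrity, so the attributes are injected into
// the rendered tag. crossorigin="anonymous" is required: without CORS the browser
// cannot read the response body to verify it and blocks the script entirely.
add_filter( 'script_loader_tag', function ( string $tag, string $handle ): string {
    if ( ! isset( P4_EXAMPLE_SRI_SCRIPTS[ $handle ] ) ) {
        return $tag;
    }
    $integrity = esc_attr( P4_EXAMPLE_SRI_SCRIPTS[ $handle ]['integrity'] );
    return str_replace(
        ' src=',
        ' integrity="' . $integrity . '" crossorigin="anonymous" src=',
        $tag
    );
}, 10, 2 );
```

The CDN must answer with an `Access-Control-Allow-Origin` header that covers the site, otherwise the integrity check cannot run and the script is blocked; check this in the browser console when the attribute is first deployed.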
PLANET-7896 Prevent login screen user enumeration
The default WordPress login form distinguishes an unknown username from a wrong password for a known one, so an attacker can confirm which accounts exist. That gives them half of a credential for password guessing, which is why user enumeration serves as a stepping stone for more severe attacks. It also underscores the importance of robust password policies, multi-factor authentication, and regular security audits to safeguard against such vulnerabilities.
So, mitigation: we override the default error messages using the login_errors filter, so a failed login returns the same generic message whether or not the username exists.
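The two login hardening items above (PLANET-7908 lockout and PLANET-7896 generic error message), as one added example in the form of a WordPress mu-plugin. This is illustrative code, not the Planet 4 implementation: the `p4_example_` prefix, the 15-minute window, transient-based storage and the lockout message are assumptions. It also shows why the two changes interact: the lockout error is displayed through the same `login_errors` filter, so the generic-message override must let it through.

```php
<?php
/**
 * Added example, not the Planet 4 implementation: per-IP login lockout after
 * 5 failures plus a generic login error, as a WordPress mu-plugin.
 * Assumed: threshold, lockout window, transient storage, option prefix.
 */

const P4_EXAMPLE_MAX_ATTEMPTS    = 5;
const P4_EXAMPLE_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS;

// Behind Cloudflare or any reverse proxy, REMOTE_ADDR is the proxy's address
// unless the web server rewrites it from the trusted proxy header (mod_remoteip,
// nginx real_ip). Without that rewrite every visitor shares one counter and the
// whole site locks after five failures from anyone.
function p4_example_client_ip(): string {
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function p4_example_lock_key( string $ip ): string {
    return 'p4_example_login_fail_' . md5( $ip );
}

// Refuse to authenticate a locked address. Priority 40 runs after core's
// username/password (20) and cookie (30) handlers: those replace the result of
// earlier filters, so a lockout returned at a lower priority would be overridden
// by a successful password check.
add_filter( 'authenticate', function ( $user, string $username, string $password ) {
    $count = (int) get_transient( p4_example_lock_key( p4_example_client_ip() ) );
    if ( $count >= P4_EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error(
            'p4_example_locked',
            'Too many failed login attempts from your address. Please try again later.'
        );
    }
    return $user;
}, 40, 3 );

// Count failures per address. set_transient() restarts the window on each
// failure, so an address that keeps hammering the form stays locked.
add_action( 'wp_login_failed', function ( string $username ) {
    $key   = p4_example_lock_key( p4_example_client_ip() );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, P4_EXAMPLE_LOCKOUT_SECONDS );
} );

// A successful login clears the counter for that address.
add_action( 'wp_login', function ( string $user_login, WP_User $user ) {
    delete_transient( p4_example_lock_key( p4_example_client_ip() ) );
}, 10, 2 );

// Collapse the account-revealing messages (unknown username, wrong password for
// a known username, unknown e-mail) into one generic message. Empty-field errors
// reveal nothing about accounts and the lockout message must stay visible, so
// those pass through unchanged. Relies on wp-login.php exposing the WP_Error it
// is about to render as the global $errors (assumption about core's behaviour).
add_filter( 'login_errors', function ( string $message ): string {
    global $errors;
    if ( ! is_wp_error( $errors ) ) {
        return $message;
    }
    $keep = [ 'empty_username', 'empty_password', 'p4_example_locked' ];
    foreach ( $errors->get_error_codes() as $code ) {
        if ( ! in_array( $code, $keep, true ) ) {
            return 'Invalid username or password.';
        }
    }
    return $message;
} );
```

Two checks worth doing after deploying something like this: confirm the sixth attempt from one address is rejected even with the correct password (otherwise the filter priority is wrong), and confirm the login form shows the same message for a nonexistent and an existing username. The lost-password form and the REST users endpoint are separate enumeration surfaces that this snippet does not touch.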
Bug Fixes 🐞
PLANET-7649 Fix lightbox not using largest image
- And now it does again!
🤕 Don’t let bugs run free! Make sure to report them here.
Heads-up 📡
PLANET-7390 Upgrade to Timber 2.0.x
PLANET-6530 New block: Secondary navigation menu
