Good morning! More security upgrades have made it onto Planet 4, along with the option to enable Cloudflare Turnstile to keep comment sections clean, bug fixes and more improvements. Let’s explore:

Survey 📋

It’s survey time! We’d like to hear from you 🫵
When opening this very Handbook, you’ll receive a small pop-up where we ask if you were able to find what you were looking for. Please do answer it. We’re looking for your honest opinions.

Thank you for taking part in shaping the P4 Handbook!


Features 🛠️

PLANET-7937 Integrate Cloudflare Turnstile to Comments form section 🔑

As the comment section on some websites is generating a lot of traffic to Akismet, an additional anti-spam mitigation can be enabled in those cases. Cloudflare Turnstile is a good privacy-friendly option, as we already use the service.

This option has to be enabled manually. Go to Dashboard > Settings > Discussion and scroll down until you find the Cloudflare Turnstile checkbox.

The additional anti-spam mechanism option is off by default. Enable it in the Discussion Settings.

PLANET-7908 Weak Authentication Lockout Threshold

During testing, it was observed that multiple consecutive failed login attempts could be made without triggering an account lockout, CAPTCHA challenge, rate limiting or additional authentication controls. So, a change has been made to improve security on P4:

  • Lock authentication for a given IP after 5 failed attempts
  • Clear the failed-attempt count after a successful login

PLANET-7899 Add Sub-Resource Integrity check on 3rd-party scripts

During a review of the client-side source code, it was highlighted that several cross-domain resource includes are missing integrity attributes. The absence of these attributes poses a significant security risk, as any modification to an included resource could propagate to every place it is included across the web applications.

Potential repercussions may include functionality errors, missing content, or even complete service disruption.

So, mitigation: all cross-domain included resources should be subject to a Subresource Integrity (SRI) check. This can be done in a number of ways: either automatically with webpack-subresource-integrity (which can be installed with npm) or manually, using the integrity hash the CDN provides.

PLANET-7896 Prevent login screen user enumeration

In essence, the ability to enumerate valid WordPress user accounts serves as a stepping stone for more severe attacks, which ultimately underscores the importance of robust password policies, multi-factor authentication and regular security audits to safeguard against such vulnerabilities.

So, mitigation: we override the default login error messages using the login_errors filter.
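An illustrative implementation of the two changes above (per-IP lockout after 5 failures with the counter cleared on success, and a generic error message via login_errors), added here as an example and not Planet 4's own code: the hooks are WordPress core APIs, while the p4_example_ names, the transient prefix and the 15-minute window are assumptions.

```php
<?php
/**
 * Example mu-plugin (not the Planet 4 implementation): lock login for an IP
 * after 5 failed attempts and stop wp-login.php from revealing which part
 * of the credentials was wrong.
 */
define( 'P4_EXAMPLE_MAX_ATTEMPTS', 5 );
define( 'P4_EXAMPLE_LOCK_SECONDS', 900 ); // assumed 15-minute window

function p4_example_client_ip(): string {
    // Behind a reverse proxy (e.g. Cloudflare) read the proxy-supplied client
    // IP header instead, and only when the request really came from the proxy.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function p4_example_transient_key(): string {
    return 'p4_example_login_fail_' . md5( p4_example_client_ip() );
}

// Count a failure; the transient expiry bounds how long the count lives.
// Attempts made while locked keep refreshing the expiry, extending the lock.
add_action( 'wp_login_failed', function () {
    $key   = p4_example_transient_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, P4_EXAMPLE_LOCK_SECONDS );
} );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function () {
    delete_transient( p4_example_transient_key() );
} );

// Refuse to authenticate while the IP is at or over the threshold. Priority 30
// runs after core's username/password and cookie checks (priority 20), so a
// correct password is still rejected until the lock expires.
add_filter( 'authenticate', function ( $user ) {
    $count = (int) get_transient( p4_example_transient_key() );
    if ( $count >= P4_EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error( 'p4_example_locked', 'Too many failed login attempts.' );
    }
    return $user;
}, 30, 3 );

// Replace every error shown on wp-login.php ("Unknown username", "The password
// you entered for the username X is incorrect", the lockout notice above) with
// one message that does not confirm whether the account exists.
add_filter( 'login_errors', function ( $error ) {
    return 'Login failed. Please check your credentials.';
} );
```

Drop the file into wp-content/mu-plugins/ on a test site; transients are per-site, so on multisite the counter is scoped to the site where the login was attempted.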


Bug Fixes 🐞

PLANET-7649 Fix lightbox not using largest image
  • And now it does again!

🤕 Don’t let bugs run free! Make sure to report them here.


Heads-up 📡

PLANET-7390 Upgrade to Timber 2.0.x

PLANET-6530 New block: Secondary navigation menu


Questions? Remarks?

Make sure to reach out to the Planet 4 Community on Slack!

#p4-general on Slack