Security

v1.8.0 Annual subscription Updated 16 Jun 2026


Application-level security hardening for Magento 2: **Search Guard** (flood protection for search routes), **REST API Guard** (CMS endpoint probing)…
Hyvä Compatible Magento 2.4.4 Magento 2.4.5 Magento 2.4.6 Magento 2.4.7 Mage-OS 2.0 Mage-OS 2.1
€ 99,00
  • Updates and support included for 12 months
  • License key delivered immediately by email
  • 30-day money-back guarantee
  • Full documentation included
  • Compatible with Hyvä themes
  • Composer-ready installation

Wimakeit Security

Your Magento admin and webshop are attacked every day: bots flood search routes, scan REST and GraphQL endpoints, scrape content, test stolen credit card numbers and try out credential lists. A single sustained attack saturates your php-fpm pool and takes the whole store down. This module stops that entirely within the application: no access to the web server configuration required, no infrastructure changes.

The module was designed after a real incident: a distributed botnet of ~2,000 IP addresses, each sending one search request per minute, saturated a pool of 52 php-fpm workers and caused a full site outage. The module now handles this scenario in milliseconds per blocked request, before the search engine is even instantiated.

Who it is for

  • Merchants on shared or managed hosting where the nginx/Apache configuration is locked down: all protection runs at the PHP level.
  • Webshops that have dealt with search floods, REST API scans (CMS endpoint scrapers), carding bots on guest checkout, or brute-force attempts on the admin login page.
  • Agencies that want one configurable module covering all common bot threats and admin security, with fail2ban integration and edge-config export.
  • Operations teams that need actionable logs and a security checklist, not just a firewall rule.

Key benefits

  • Search flood protection: per-IP rate limiting (default 30 req./60 s) plus a sitewide circuit breaker: when the global search rate exceeds a threshold, only real browsers (session-bound form_key cookie) are served. The only protection that works against distributed botnets at ~1 request/IP.
  • REST & GraphQL guards: throttle or fully block CMS endpoint scans, carding bots on /V1/guest-carts and all GraphQL traffic; decisions are made before routing, authentication and query parsing.
  • Bad Bot Guard: bans by User-Agent across all frontend routes: malicious scanners (sqlmap, nikto…), email harvesters, aggressive SEO scrapers and AI crawlers. Four independent categories with a dry-run mode to validate lists before activation.
  • Admin Email OTP: after a successful password login, a 6-digit code is emailed to the admin's registered email address. Stolen credentials alone are not enough to access the admin panel. No authenticator app needed, no QR code to scan.
  • Admin Login Guard: logs every login attempt, automatically bans IP addresses that exceed the failed-attempt threshold (progressive TTL: 5 min → 1 h → 24 h), sends brute-force alerts.
  • IP ban management: persistent ban list with admin grid (filterable, mass unban), exported every 5 minutes to nginx / Apache / plain format for edge-level blocking. Full fail2ban integration included.
  • Security Checker: 16-point audit (admin credentials, 2FA, HTTPS, cache, exposed files, SMTP configuration, OTP status…) available in the admin UI, via CLI (wimakeit:security:check) and as a daily cron.
  • Honeypot: invisible footer link that bans every crawler that follows it, with virtually no impact on legitimate traffic.

Compatibility

  • Magento 2.4.x / Mage-OS
  • PHP 8.1, 8.2, 8.3, 8.4
  • Requires wimakeit/module-core ^3.0
  • Recommended: wimakeit/module-smtp for reliable Admin Email OTP delivery (also works with the native Magento SMTP settings)
  • Compatible with Redis, OpenSearch, Varnish Full Page Cache
  • Works with Luma and Hyvä frontends

Install this module via Composer. Make sure your auth.json is configured with your Wimakeit credentials.

Terminal
$ composer require wimakeit/module-security:^1.8.0
$ bin/magento setup:upgrade
$ bin/magento setup:di:compile

Installation notes

The standard composer require + setup:upgrade + setup:di:compile flow applies. The points below cover what's specific to this module.

Required dependency

This module requires wimakeit/module-core ^3.0. Composer will pull it automatically from the Wimakeit registry as long as the registry is declared in your project's composer.json.

Recommended dependency

For reliable Admin Email OTP delivery, install wimakeit/module-smtp. Without a working SMTP transport, OTP codes may not be delivered and the admin could be effectively locked out after enabling the feature. The module works with native Magento SMTP settings too (Stores → Configuration → Advanced → System → Mail Sending Settings).

ACL permissions

Six ACL resources are created under System → Permissions → User Roles:

Resource | Default
Wimakeit_Security::overview (Security Overview page) | Administrator only
Wimakeit_Security::stress (Under Attack mode — arm/release) | Administrator only
Wimakeit_Security::bans (IP Bans grid + mass unban) | Administrator only
Wimakeit_Security::login_log (Admin Login Log grid) | Administrator only
Wimakeit_Security::checker (Security Checker page) | Administrator only
Wimakeit_Security::config (module configuration) | Administrator only

Configuration

All config is under Stores → Configuration → Wimakeit → Security. Defaults are safe for production — change only what you need.

General

Setting | Default
Enable Search Guard | Yes
IP Whitelist | (empty) — one entry per line, supports exact IP, wildcard (203.0.113.*), IPv4/IPv6 CIDR
Trust Verified Search Engine Bots | Yes — Googlebot, Bingbot, etc. are exempt after forward-confirmed reverse DNS
Enable Debug Logging | No — leave off in production; blocked requests always log to wimakeit_security.log
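How the three whitelist entry forms above can be matched against a client IP, as an added PHP example (not the module's own code, which is not shown on this page). CIDR entries are compared in binary via inet_pton, the approach the 1.3.0 changelog names for IPv6 support; the wildcard form is treated as a textual prefix match.

```php
<?php
declare(strict_types=1);

// Added example, not the module's code: matches a client IP against the
// whitelist forms the General config accepts (exact IP, trailing wildcard
// such as 203.0.113.*, IPv4/IPv6 CIDR). CIDR entries are compared in binary
// via inet_pton, so IPv4 and IPv6 are handled by the same code path.
function ipMatchesEntry(string $ip, string $entry): bool
{
    $entry = trim($entry);
    $bin = $entry !== '' ? @inet_pton($ip) : false;
    if ($bin === false) {
        return false;                               // empty entry or unparsable client IP
    }
    if (str_contains($entry, '/')) {                // CIDR: compare the first N bits
        [$net, $bits] = explode('/', $entry, 2);
        $netBin = @inet_pton($net);
        $len = strlen($bin);
        // Address family must match: a v4 entry never matches a v6 client and vice versa.
        if ($netBin === false || strlen($netBin) !== $len || !ctype_digit($bits) || (int)$bits > $len * 8) {
            return false;
        }
        $bits = (int)$bits;
        $full = intdiv($bits, 8);
        if (substr($bin, 0, $full) !== substr($netBin, 0, $full)) {
            return false;
        }
        $rem = $bits % 8;
        if ($rem === 0) {
            return true;
        }
        $mask = (0xFF << (8 - $rem)) & 0xFF;        // partial last byte of the prefix
        return (ord($bin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
    }
    if (str_ends_with($entry, '*')) {               // wildcard: textual prefix match
        return str_starts_with($ip, substr($entry, 0, -1));
    }
    return $bin === @inet_pton($entry);             // exact, normalised (::1 equals 0:0:0:0:0:0:0:1)
}

function ipIsWhitelisted(string $ip, string $whitelistConfig): bool
{
    foreach (preg_split('/\R/', $whitelistConfig) as $entry) {
        if (ipMatchesEntry($ip, $entry)) {
            return true;
        }
    }
    return false;
}

// Constructed whitelist, one entry per line as entered in the admin field.
$whitelist = "203.0.113.7\n198.51.100.*\n10.0.0.0/8\n2001:db8::/32";
foreach (['203.0.113.7', '198.51.100.42', '10.200.1.1', '2001:db8:1::5', '192.0.2.1'] as $ip) {
    printf("%-15s %s\n", $ip, ipIsWhitelisted($ip, $whitelist) ? 'whitelisted' : 'not whitelisted');
}
```

Because the family check rejects a v4 entry for a v6 client, an IPv6-only admin network needs its own CIDR line in the whitelist.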

Per-IP Rate Limit

Setting | Default
Enable | Yes
Max Requests per Window | 30
Window (seconds) | 60

Sitewide Circuit Breaker (Stress Mode)

Setting | Default
Enable | Yes
Global Threshold (requests/minute) | 120 — total search requests across all IPs
Stress Mode Duration (seconds) | 600 — auto-extended while the flood lasts
Alert Email | (empty) — leave empty to disable alert emails

REST API Guard

Setting | Default
Enable | Yes
Guarded Path Fragments | /V1/cmsPage, /V1/cmsBlock, /V1/guest-carts
Block Guarded Paths Entirely | No — throttle mode (note: full-block on /V1/guest-carts breaks guest checkout)
Max Requests per Window (per IP) | 20
Window (seconds) | 60

GraphQL Guard

Setting | Default
Enable | Yes
Max Requests per Window (per IP) | 60 — generous for headless/PWA storefronts
Window (seconds) | 60

Auto-Ban

Setting | Default
Enable | Yes
Violations Before Ban | 3
Violation Window (seconds) | 600
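How the per-IP rate limit and the auto-ban settings combine, as an added PHP example (not the module's code). It assumes every throttled request counts as one violation and uses a plain array in place of Magento's cache backend; the numbers are the shipped defaults from the tables above.

```php
<?php
declare(strict_types=1);

// Added example, not the module's code: fixed-window per-IP limiter wired to
// progressive auto-ban (30 req / 60 s; ban after 3 violations within 600 s;
// ban TTL 5 min -> 1 h -> 24 h on each repeat). Assumed: each throttled
// request is one violation; an array stands in for the cache backend.
final class SearchGuard
{
    private const WINDOW = 60;
    private const MAX_PER_WINDOW = 30;
    private const VIOLATION_WINDOW = 600;
    private const VIOLATIONS_BEFORE_BAN = 3;
    private const BAN_TTLS = [300, 3600, 86400];    // progressive, capped at 24 h

    /** @var array<string, array{exp: int, val: mixed}> */
    private array $cache = [];

    private function get(string $key, int $now): mixed
    {
        $e = $this->cache[$key] ?? null;
        return ($e !== null && $e['exp'] > $now) ? $e['val'] : null;
    }

    private function set(string $key, mixed $val, int $ttl, int $now): void
    {
        $this->cache[$key] = ['exp' => $now + $ttl, 'val' => $val];
    }

    /** Returns [status, banTtl]: 200 serve, 429 throttled, 403 banned; banTtl is set when a new ban is issued. */
    public function check(string $ip, int $now): array
    {
        if ($this->get("ban:$ip", $now) !== null) {
            return [403, null];                     // cache hit: no router, no search engine
        }
        // Fixed window keyed by window start, so the counter resets on the boundary.
        $winKey = "win:$ip:" . intdiv($now, self::WINDOW);
        $count = (int)$this->get($winKey, $now) + 1;
        $this->set($winKey, $count, self::WINDOW, $now);
        if ($count <= self::MAX_PER_WINDOW) {
            return [200, null];
        }
        $violations = (int)$this->get("viol:$ip", $now) + 1;
        $this->set("viol:$ip", $violations, self::VIOLATION_WINDOW, $now);
        if ($violations < self::VIOLATIONS_BEFORE_BAN) {
            return [429, null];                     // caller adds Retry-After
        }
        $level = (int)$this->get("lvl:$ip", $now);  // prior bans raise the next TTL
        $ttl = self::BAN_TTLS[min($level, count(self::BAN_TTLS) - 1)];
        $this->set("ban:$ip", $now + $ttl, $ttl, $now);
        $this->set("lvl:$ip", $level + 1, 86400, $now);   // remember the level for 24 h
        unset($this->cache["viol:$ip"]);            // start counting afresh after the ban
        return [403, $ttl];
    }
}

$guard = new SearchGuard();                 // constructed run: 33 requests from one IP in one window
for ($i = 0; $i < 33; $i++) { echo $guard->check('203.0.113.9', 1700000000)[0], ' '; }
```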

Honeypot

Setting | Default
Enable | No — add Disallow: /wsecurity/ to robots.txt before enabling

Admin Login Guard

Setting | Default
Enable | Yes
Max Failed Attempts | 5
Window (seconds) | 600

Admin Login OTP

Setting | Default
Enable Admin Email OTP | Yes
Code Validity (seconds) | 300 (5 minutes)
Max Invalid Attempts (dropdown: 3 / 5 / 10) | 5
Bypass OTP for Whitelisted IPs | Yes

To use Admin Email OTP, each admin user must have a valid email address set in System → Permissions → All Users. Users without an email address will be logged in normally (with a warning in the security log) rather than being locked out.

Bad Bot Guard

Setting | Default
Enable | Yes
Block Malicious Scanners | Yes — sqlmap, nikto, nmap, masscan…
Block Email/Content Harvesters | Yes — apache-badbots list
Block Aggressive Scrapers / SEO Bots | No — AhrefsBot, SemrushBot, MJ12bot…
Block AI Crawlers | No — GPTBot, ClaudeBot, CCBot…
Custom User-Agent Patterns | (empty) — one substring per line
Dry-Run (log only, do not ban) | No

Query Validation

Setting | Default
Enable | Yes
Max Query Length (characters) | 128 — set 0 to disable
Max Word Count | 12 — set 0 to disable

Cron jobs (registered automatically)

Job | Schedule | Purpose
wimakeit_security_export_bans | every 5 min | Export active bans to var/wimakeit_security/ (nginx / Apache / plain)
wimakeit_security_daily_check | daily 4 AM | Run security checklist, log degraded items
wimakeit_security_daily_maintenance | daily 3:30 AM | Purge login log and stats older than 90 days; delete expired ban rows

No setup needed — just make sure Magento cron is running.

Optional: fail2ban integration

A ready-to-use fail2ban filter and jail example are included in docs/fail2ban/. fail2ban tails var/log/wimakeit_security.log and bans attacking IPs at the iptables/nftables level before they hit PHP. Recommended when the module's in-application bans are insufficient (e.g. the attacking IP has already consumed a full php-fpm slot before being blocked).

Optional: edge configuration export

Run bin/magento wimakeit:security:edge-config to generate nginx / .htaccess snippets that mirror the current module configuration (banned IPs, guarded paths, honeypot route). Paste these into your vhost for kernel-level enforcement independent of PHP.

Version: v1.8.0
License: Annual subscription
Support: 12 months
Last updated: 16 Jun 2026
Magento: Magento 2.4.4 Magento 2.4.5 Magento 2.4.6 Magento 2.4.7 Mage-OS 2.0 Mage-OS 2.1
PHP: PHP 8.1 PHP 8.2 PHP 8.3
Hyvä: Compatible
Package: wimakeit/module-security


Changelog

Categories: Security, Feature, Fix, Perf, Admin, Deps.

[1.7.1] - 2026-06-15

Fix

  • The Admin OTP verification page now displays as a clean, centered login card. It previously rendered with a broken layout and an on-screen error because it loaded the full admin dashboard chrome on a mid-login page.

[1.7.0] - 2026-06-15

Feature

  • Admin Email OTP is now enabled by default, with code validity shortened to 5 minutes (was off / 10 minutes) — new installs get post-login email verification out of the box, provided a working SMTP transport is configured.

Admin

  • Max Invalid Attempts is now a dropdown (3 / 5 / 10) instead of a free-text field. Shipped defaults: OTP enabled, code validity 300s, max attempts 5.

Fix

  • Admin OTP verification form could not be displayed: it failed with a fatal error on every load, so an admin with OTP enabled could never enter their code. The verification form now renders correctly, including the "incorrect code" message on a wrong attempt.

[1.6.0] - 2026-06-15

Feature

  • Admin Email OTP: after a correct password login, a 6-digit code is emailed to the admin's registered address before access is granted. Stolen credentials alone can no longer access the admin panel — the attacker would also need the admin's mailbox.
  • Code is cryptographically random, stored SHA-256-hashed with a configurable TTL (default 10 min). After a configurable number of wrong attempts (default 3), the code is invalidated and the admin is logged out.
  • Whitelisted IPs (General → IP Whitelist) can optionally bypass OTP, useful for trusted office networks.
  • Admin users without a registered email address are logged in normally with a warning — no lock-out scenario.

Admin

  • New config group Stores → Configuration → Wimakeit → Security → Admin Login OTP: enable toggle, code validity (seconds), max invalid attempts, whitelist bypass option.
  • Security Checker gains two new items: Admin Email OTP enabled (WARN when off) and SMTP configured (WARN when OTP is active but no SMTP transport is detected).

[1.5.2] - 2026-06-12

Security

  • ACL privilege separation: the Under Attack mode (stress enable/disable) and the Overview page now have dedicated ACL resources, so a sub-permission no longer implicitly grants the ability to arm or release stress mode.

Fix

  • Search route double-block fixed: a bad-bot User-Agent on a search URL was blocked by the Bad Bot Guard and then again by the Search Guard, overwriting the response and double-counting the ban hit.
  • "Blocked While Banned" hit counter now only increments against currently active bans, not expired rows.
  • Log sanitizer applied consistently to the action= field and caught DB exception messages.

Admin

  • Bad Bot Guard config group now has a unique sortOrder; removed the misleading "(UTC)" suffix from IP Bans grid date columns (the UI already renders them in the admin timezone).

[1.5.1] - 2026-06-12

Admin

  • Security Overview page rebuilt with native Magento admin components: status pills (grid-severity-*), admin__page-section blocks, message notices, and data-grid tables instead of inline-styled custom HTML.
  • Security Checker and Admin Login Log status badges now use native PASS/WARN/FAIL pills.

[1.5.0] - 2026-06-12

Feature

  • IP Bans grid: replaced the static bans table with a full Magento UI component listing — per-column filters (IP, provenance, date ranges), sorting, pagination, column controls, bookmarks, and a mass Unban action (CSRF-safe via UI framework). Expired bans are now visible too, with an active/expired status column.
  • Provenance column: shows the ban reason (search throttle, REST/GraphQL, admin brute force, honeypot, bad-bot category) as a filterable select.
  • Blocked While Banned counter: a persistent hit count per ban row, incremented each time an already-banned IP is rejected — shows how hard a banned IP keeps hammering.

[1.4.0] - 2026-06-12

Feature

  • Bad Bot Guard: site-wide predispatch guard across all frontend routes that bans bots by User-Agent. Four switchable categories: malicious scanners (sqlmap, nikto, nmap…), email/content harvesters (apache-badbots list, modernised), aggressive SEO scrapers (AhrefsBot, SemrushBot, MJ12bot…), AI crawlers (GPTBot, ClaudeBot, CCBot…). Each category is an independent admin toggle.
  • Scanners are banned 24h immediately; other categories use the progressive TTL. Bans feed into the existing export pipeline and fail2ban log.
  • Custom User-Agent substrings (one per line) on top of built-in categories.
  • Dry-Run mode: logs matches (BAD-BOT-DRYRUN) without blocking — validate a list against real traffic before arming it.
  • Verified search engines and whitelisted IPs are never banned regardless of User-Agent.

[1.3.2] - 2026-06-12

Fix

  • Hotfix: setup:di:compile failed because Block classes redeclared a $formKey property already defined in Magento\Backend\Block\Template. Removed the redundant injection; the base class already provides getFormKey().

[1.3.1] - 2026-06-11

Security

  • Log-injection / fail2ban spoofing fixed: CR/LF in a search query, user agent, or username was written verbatim into the fail2ban-parsed log, letting an attacker forge a log line and have fail2ban ban an arbitrary IP. All logged fields now pass through a sanitizer; query validation rejects control characters (HTTP 400).
  • Array request params (?q[]=) handled: array values are now treated as empty instead of casting to the string "Array" and bypassing validation.
  • CSRF hardening: the Under Attack enable/disable and IP Unban actions are now POST + form key instead of GET links.
  • Email alert escaping: attacker-supplied username in the brute-force alert email is HTML-escaped.
  • Honeypot abuse mitigated: embedded sub-resource requests (Sec-Fetch-Dest: image) no longer trigger a ban, preventing a third-party <img> tag from banning your visitors.
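The two defensive steps described in the log-injection and array-param fixes above, together with the Query Validation rules from the configuration section, as an added PHP example (not the module's code). The log line format is illustrative, not the module's real format; the validation limits are the shipped defaults.

```php
<?php
declare(strict_types=1);

// Added example, not the module's code. validateSearchQuery() applies the
// Query Validation rules (control characters, max length, max word count;
// 0 disables a limit) and treats an array param (?q[]=) as an empty query
// instead of the string "Array". sanitizeLogField() strips CR/LF and other
// control bytes so a request value can never terminate a log line and forge
// an entry naming a different IP. The log format here is illustrative only.

/** Returns null when the query is acceptable, otherwise the reason for the HTTP 400. */
function validateSearchQuery(mixed $raw, int $maxLength = 128, int $maxWords = 12): ?string
{
    $q = is_string($raw) ? $raw : '';            // arrays and other types become an empty query
    if (preg_match('/[\x00-\x1F\x7F]/', $q)) {
        return 'control characters';
    }
    if ($maxLength > 0 && mb_strlen($q) > $maxLength) {
        return 'query too long';
    }
    $words = preg_split('/\s+/', trim($q), -1, PREG_SPLIT_NO_EMPTY);
    if ($maxWords > 0 && count($words) > $maxWords) {
        return 'too many words';
    }
    return null;
}

/** Collapses control bytes to one space and caps the length, so one field stays on one line. */
function sanitizeLogField(string $value, int $max = 200): string
{
    $clean = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value) ?? '';
    return mb_substr(trim($clean), 0, $max);
}

/** Every field, including the resolved client IP, passes through the sanitizer. */
function formatLogLine(string $ip, string $action, string $query, string $ua): string
{
    return sprintf('[%s] ip=%s action=%s query="%s" ua="%s"',
        gmdate('Y-m-d H:i:s'), sanitizeLogField($ip), sanitizeLogField($action),
        sanitizeLogField($query), sanitizeLogField($ua));
}

// Constructed inputs: a normal query, an array param, and a query carrying a
// newline followed by text shaped like a log line for another IP.
$forged = "shoes\n[2026-06-11 00:00:00] ip=198.51.100.9 action=BANNED";
var_dump(validateSearchQuery('red running shoes'));
var_dump(validateSearchQuery(['x']));
var_dump(validateSearchQuery($forged));
echo formatLogLine('203.0.113.5', 'THROTTLED', $forged, "curl/8.0\r\n"), PHP_EOL;
```

Validation rejects the forged query before it is ever logged; the sanitizer is the second layer for fields such as the User-Agent that validation never sees.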

Perf

  • No session start on the guard hot path: the trusted-client check no longer forces a session, avoiding a Redis session-write storm under flood and fixing breakage in the stateless GraphQL area.
  • Reverse-DNS flood protection: a per-minute budget caps blocking DNS lookups so spoofed-crawler floods cannot tie up workers.
  • AlertMailer is now lazy-loaded via Proxy so the mail stack is not instantiated on every guarded request.

Fix

  • banned_until column changed to datetime (removes the year-2038 ceiling on ban expiry).
  • GraphQL now returns 403 (not 429) for banned IPs, matching the semantics of the other guards.
  • Admin login ban now triggers on the configured Nth failure (was N+1).
  • Expired-ban purge moved to the daily maintenance cron (was the 5-minute export cron).

[1.3.0] - 2026-06-11

Feature

  • GraphQL Guard: plugin on the GraphQL front controller (before query parsing and schema generation) — per-IP rate limit on all /graphql requests (default 60/60s), auto-ban on repeat offenders. Search-shaped products(search:) queries also feed the sitewide circuit breaker and are rejected during stress mode.
  • Advanced search guarded: predispatch observer added on catalogsearch/advanced/result (same engine cost as standard search, obvious fallback target).
  • Carding protection: /V1/guest-carts added to the REST API Guard default paths — bots loop on payment-information to test stolen card numbers. Default API limit raised to 20/60s so a legitimate guest checkout never trips it.
  • IPv6 support: whitelist CIDR matching now handles IPv6 (binary comparison via inet_pton); verified-bot forward confirmation resolves AAAA records.
  • Client IP resolution checker: detects the proxy/CDN misconfiguration trap where per-IP limits and bans would target the proxy itself instead of the real client.

[1.2.0] - 2026-06-11

Feature

  • Admin Login Guard: every login attempt (success and failure) logged to a dedicated table, browsable under Wimakeit → Security → Admin Login Log. IPs exceeding the failure threshold (default 5 / 10 min) are auto-banned (progressive TTL) and blocked with HTTP 429 at predispatch. Alert email on ban. Whitelisted IPs are never banned.
  • Block statistics: hourly aggregated counters shown on the Security Overview page — 24h bar chart and 7-day totals by reason (throttled, stress-blocked, banned, REST/GraphQL, honeypot, admin brute force, bad-bot…).
  • Under Attack mode: one-click manual stress mode activation (1h) from the Overview page, before the automatic threshold trips; release button when active.

Admin

  • Daily maintenance cron purges the login log and statistics older than 90 days.

[1.1.0] - 2026-06-11

Feature

  • REST API Guard: throttles or fully blocks configured REST paths — defaults /V1/cmsPage and /V1/cmsBlock (recurring bot probing targets) — via a plugin on the webapi front controller, before routing, authentication, and deserialization.
  • Auto-ban: repeat throttle offenders get persistent bans with progressive TTL (5 min → 1h → 24h), stored in wimakeit_security_ban (cache-first hot path).
  • Ban exports (cron, every 5 min): var/wimakeit_security/banned_ips_nginx.conf, banned_ips_apache.conf, banned_ips.txt.
  • Honeypot (off by default): invisible rel="nofollow" footer link to /wsecurity/trap; followers are banned 24h. Verified bots and whitelisted IPs are exempt.
  • Security Checker: 13 checks covering admin usernames, 2FA, admin URL, secret keys, anonymous Web API access, template symlinks, production mode, cache types, HTTPS, HttpOnly cookies, search_query table bloat, exposed files, and guard status. Available in admin UI, CLI (wimakeit:security:check), and as a daily cron.
  • CLI wimakeit:security:edge-config: ready-to-paste nginx/.htaccess snippets matching the current module configuration.

[1.0.0] - 2026-06-11

Feature

  • Initial release — Search Guard designed after the 2026-06-10 botnet flood on catalogsearch/result.
  • Predispatch guard on the native search results page and Wimakeit Search autocomplete.
  • Per-IP rate limit (fixed window, cache-backed) with HTTP 429 and Retry-After.
  • Sitewide circuit breaker (stress mode): above a global req/min threshold, only clients with a session-bound form_key cookie are served — stops distributed botnets at ~1 request/IP.
  • Query validation (control characters, max length, max word count) with HTTP 400.
  • IP whitelist (exact IP, wildcard, IPv4 CIDR).
  • Verified search engine bot exemption (forward-confirmed reverse DNS, cached 24h).
  • Dedicated parsable log var/log/wimakeit_security.log (fail2ban-ready).
  • CRITICAL log entry and optional alert email on stress mode activation.

Module SKU: wimakeit-module-security · Language: nl_NL
