1.1.0, with verified WordPress 5.7 compatibility

README.md

@@ -1,8 +1,8 @@
-[![Software License](https://img.shields.io/badge/License-GPL%20v2-green.svg?style=flat-square)](LICENSE) [![PHP 7.2\+](https://img.shields.io/badge/PHP-7.2-blue?style=flat-square)](https://php.net) [![WordPress 5](https://img.shields.io/badge/WordPress-5.6-orange?style=flat-square)](https://wordpress.org)
+[![Software License](https://img.shields.io/badge/License-GPL%20v2-green.svg?style=flat-square)](LICENSE) [![PHP 7.2\+](https://img.shields.io/badge/PHP-7.2-blue?style=flat-square)](https://php.net) [![WordPress 5](https://img.shields.io/badge/WordPress-5.7-orange?style=flat-square)](https://wordpress.org)
 
 # Fail2WP
 
-Security plugin for WordPress with support for Fail2ban and Cloudflare. Tested with WordPress 5.6+.
+Security plugin for WordPress with support for Fail2ban and Cloudflare. Tested with WordPress 5.5+.
 
 ## Description
 
@@ -17,14 +17,21 @@ Basic security functionality includes:
 * Disabling login with username (require e-mail address)
 * Preventing user enumeration (?author=nnn)
 * Less detailed error messages on login failures
+* Minimum username length
+* Blocking specific usernames from being used to register new users
+* Requiring e-mail address matching for new user registrations
+* Warning about new user role setting
+* Blocking of portions or all of WordPress REST API
+* Disabling of RSS and Atom feeds
+* Removal of "Generator" information from HTML and feeds
 * Detection of Cloudflare IP addresses for logging of actual IP addresses
 
 The plugin also plays nicely with Fail2ban, which is an advanced way of blocking IP addresses dynamically upon suspicious behavior.
 
 ### Other notes
 
-* This plugin may work with earlier versions of WordPress
-* This plugin has been tested with `WordPress 5.5.3`, `5.6`, and `5.6.1` at the time of this writing
+* This plugin `may` work with earlier versions of WordPress
+* This plugin has been tested with `WordPress 5.5+` at the time of this writing
 * This plugin optionally makes use of `mb_` PHP functions
 * This plugin may create entries in your PHP error log (if active)
 * This plugin contains no Javascript
@@ -59,11 +66,24 @@ This is a hard question to answer. There are no known incompatibilities.
 
 ## Changelog
 
+### 1.1.0
+* Added minimum username length
+* Added blocking of specific usernames (user registration)
+* Added requiring e-mail address matching setting
+* Added warning about new user role setting
+* Added blocking of portions or all of WordPress REST API
+* Added setting to disable RSS and Atom feeds
+* Added setting to remove "Generator" information from HTML and feeds
+* Minor corrections and general improvements
+
 ### 1.0.0
 * Initial release
 
 ## Upgrade Notice
 
+### 1.1.0
+* Install the new version and walk through the settings.
+
 ### 1.0.0
 * Initial release
 
@@ -101,6 +121,8 @@ If there is something you feel to be missing from this plugin, or if you have fo
 
 This plugin can also be downloaded from [code.webbplatsen.net](https://code.webbplatsen.net/wordpress/fail2wp/) and [WordPress.org](https://wordpress.org/plugins/fail2wp/)
 
+More detailed documentation is available at [code.webbplatsen.net/documentation/fail2wp/](https://code.webbplatsen.net/documentation/fail2wp/)
+
 Kudos to [Vincent Le Moign and Webalys](https://webalys.com) and [Thomas Lutz](https://github.com/tholu)
 
 ### External references

fail2wp/fail2wp.conf

@@ -2,23 +2,37 @@
 before = common.conf
 after = fail2wp.local
 
-# This filter is intended to be used with fail2ban and the Fail2WP plugin.
+# This filter is intended to be used with Fail2ban and the Fail2WP plugin.
 #
 # This file should be placed in /etc/fail2ban/filter.d as fail2wp.conf
 #
 # I'm by no means a fail2ban filter expert, so I'm sure this could do with some
-# improvements. It has been tested with fail2ban 0.11.1 on Ubuntu 20.04.LTS.
+# improvements. It has been tested with Fail2ban 0.11.1 on Ubuntu 20.04.LTS.
+#
+# ADVANCED: You may, of course, split these into several different jails and
+#           triggers and give them different treatment in Fail2ban so that some
+#           of the log messages trigger one behavior in Fail2ban, and others
+#           are ignored or behave differently.
 #
 # Joaquim Homrighausen <[email protected]>
 #
 # The intended log messages to trigger fail2ban on are:
 #
+# @since 1.0.0
+#
 # Authentication failure for validuser from n.n.n.n port 443
 # Invalid email invalidemail from n.n.n.n port 443
 # Invalid user invaliduser from n.n.n.n port 443
 # User enumeration request from n.n.n.n port 443
 # Invalid credentials invalidlogin from n.n.n.n port 443
 #
+# @since 1.1.0
+#
+# Blocked REST API request from n.n.n.n port 443
+# Unauthenticated REST API request from n.n.n.n port 443
+#
+# Other messages:
+#
 # The Fail2WP plugin can further emit these messages (no action taken):
 #
 # Unknown error "nnn" during login from n.n.n.n port nnn
@@ -31,7 +45,8 @@ failregex = fail2wp(.*): Authentication failure for .* from <HOST> port .*$
             fail2wp(.*): Invalid user .* from <HOST> port .*$
             fail2wp(.*): Invalid email .* from <HOST> port .*$
             fail2wp(.*): Invalid credentials .* from <HOST> port .*$
-            fail2wp(.*): User enumeration request from <HOST> port .*$
+            fail2wp(.*): Blocked REST API request from from <HOST> port .*$
+            fail2wp(.*): Unauthenticated REST API request from <HOST> port .*$
 
 # Your entry for Fail2WP in jail.local should look like this:
 #