feat: CS Monitor — brute-force tracking, plugin updates, extended security audit

Failed login tracking (fail2ban equivalent):
- wp_login_failed hook increments rolling transients: 1h and 24h windows
- Critical issue if ≥10 failures/hour (active brute force), warning ≥3/hour
- Info if ≥10 in 24h with no acute spike

New security checks in computeIssues() + Site Health summary:
- Critical: "admin" username exists (prime credential-stuffing target)
- Critical: PHP < 8.2 is end-of-life (no security patches)
- Warning: PHP 8.2 approaching EOL December 2026
- Warning: XML-RPC enabled (system.multicall brute-force amplification)
- Warning: Default wp_ table prefix (harder to exploit with custom prefix)
- Warning: Plugins with pending updates (reads cached update_plugins transient — no HTTP calls)
- Info: readme.html / license.txt present (WP version fingerprinting)
- Info: Author enumeration risk (/?author=1 reveals usernames with pretty permalinks)

perf_get_plugin_update_info() reads get_site_transient('update_plugins') — zero
extra HTTP calls, uses WordPress's own update check cache

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: Andrew Baker

assets/cs-perf-monitor.js

@@ -1012,6 +1012,77 @@
                 detail: 'Add define(\'DISALLOW_FILE_MODS\', true) to wp-config.php for hardened servers', plugin: '' });
         }
 
+        // "admin" username exists — prime brute-force target
+        if (health.admin_user_exists) {
+            issuesList.push({ sev: 'critical', tab: 'summary',
+                title: 'Username "admin" exists — prime brute-force target',
+                detail: 'Rename in Users → Profile. Transfer content first, then delete the old account.', plugin: '' });
+        }
+
+        // Default wp_ table prefix
+        if (health.db_prefix_default) {
+            issuesList.push({ sev: 'warning', tab: 'summary',
+                title: 'Default wp_ database prefix — easier to exploit in SQL injection',
+                detail: 'Change prefix if recently set up; requires a full DB backup on existing sites', plugin: '' });
+        }
+
+        // XML-RPC enabled
+        if (health.xmlrpc_enabled) {
+            issuesList.push({ sev: 'warning', tab: 'summary',
+                title: 'XML-RPC enabled — brute-force amplification vector',
+                detail: "system.multicall allows 100s of password attempts per request — disable via add_filter('xmlrpc_enabled','__return_false')", plugin: '' });
+        }
+
+        // readme.html / license.txt expose WP version
+        if (health.readme_exposed || health.license_exposed) {
+            var expFiles = [health.readme_exposed ? 'readme.html' : '', health.license_exposed ? 'license.txt' : ''].filter(Boolean).join(', ');
+            issuesList.push({ sev: 'info', tab: 'summary',
+                title: 'WP version disclosed via ' + expFiles,
+                detail: 'Delete these files or block via server config to prevent version fingerprinting', plugin: '' });
+        }
+
+        // PHP EOL
+        if (health.php_eol) {
+            issuesList.push({ sev: 'critical', tab: 'summary',
+                title: 'PHP ' + meta.php_version + ' is end-of-life — no security patches',
+                detail: 'Upgrade to PHP 8.3 or 8.4 — all PHP < 8.2 reached end-of-life', plugin: '' });
+        } else if (health.php_old) {
+            issuesList.push({ sev: 'warning', tab: 'summary',
+                title: 'PHP ' + meta.php_version + ' reaches end-of-life December 2026',
+                detail: 'Plan upgrade to PHP 8.3+ — approaching end of security support', plugin: '' });
+        }
+
+        // Failed logins — brute-force signal (analogous to fail2ban for SSH)
+        if (health.failed_logins_1h >= 10) {
+            issuesList.push({ sev: 'critical', tab: 'summary',
+                title: health.failed_logins_1h + ' failed logins in the last hour — active brute force',
+                detail: health.failed_logins_24h + ' in 24 h — block source IP in Cloudflare or enforce 2FA', plugin: '' });
+        } else if (health.failed_logins_1h >= 3) {
+            issuesList.push({ sev: 'warning', tab: 'summary',
+                title: health.failed_logins_1h + ' failed login attempts in the last hour',
+                detail: health.failed_logins_24h + ' in 24 h', plugin: '' });
+        } else if (health.failed_logins_24h >= 10) {
+            issuesList.push({ sev: 'info', tab: 'summary',
+                title: health.failed_logins_24h + ' failed login attempts in the last 24 hours',
+                detail: 'No acute spike, but sustained probing detected', plugin: '' });
+        }
+
+        // Author enumeration
+        if (health.author_enum_risk) {
+            issuesList.push({ sev: 'info', tab: 'summary',
+                title: 'Author enumeration — /?author=1 reveals WordPress usernames',
+                detail: "Add add_filter('redirect_canonical','__return_false') or disable author archives", plugin: '' });
+        }
+
+        // Plugins with pending updates
+        var pUpdates = health.plugins_with_updates || [];
+        if (pUpdates.length > 0) {
+            var pNames = pUpdates.slice(0, 3).map(function (p) { return p.slug + ' (' + p.current + ' → ' + p.new_version + ')'; }).join(', ');
+            issuesList.push({ sev: 'warning', tab: 'summary',
+                title: pUpdates.length + ' plugin' + (pUpdates.length > 1 ? 's have' : ' has') + ' pending updates',
+                detail: pNames + (pUpdates.length > 3 ? ' + ' + (pUpdates.length - 3) + ' more' : ''), plugin: '' });
+        }
+
         // Render-blocking scripts — in <head>, no defer/async
         var renderBlocking = (data.assets && data.assets.scripts || []).filter(function (s) {
             return s.src && !s.in_footer && s.strategy !== 'defer' && s.strategy !== 'async';
@@ -1479,6 +1550,52 @@
                 : health.cron_total + ' events scheduled, none overdue';
             html += hBadge(cronOk, cronWarn, 'WP-Cron', cronDetail);
 
+            // "admin" username
+            html += hBadge(!health.admin_user_exists, false,
+                '"admin" username',
+                health.admin_user_exists ? 'EXISTS — rename immediately' : 'Not in use');
+
+            // DB prefix
+            html += hBadge(!health.db_prefix_default, true,
+                'DB table prefix',
+                health.db_prefix_default ? 'Default wp_ prefix in use' : 'Custom prefix set');
+
+            // XML-RPC
+            html += hBadge(!health.xmlrpc_enabled, true,
+                'XML-RPC',
+                health.xmlrpc_enabled ? 'Enabled — disable if not needed' : 'Disabled');
+
+            // PHP version
+            var phpOk = !health.php_eol && !health.php_old;
+            var phpWarn = !health.php_eol && health.php_old;
+            html += hBadge(phpOk, phpWarn, 'PHP version', meta.php_version + (health.php_eol ? ' — EOL' : health.php_old ? ' — EOL Dec 2026' : ' — supported'));
+
+            // Failed logins
+            var fl1h = health.failed_logins_1h || 0;
+            var fl24h = health.failed_logins_24h || 0;
+            var flOk = fl1h < 3 && fl24h < 10;
+            var flWarn = fl1h >= 3 && fl1h < 10;
+            html += hBadge(flOk, flWarn,
+                'Failed logins',
+                fl1h + ' in 1 h · ' + fl24h + ' in 24 h' + (fl1h >= 10 ? ' — ACTIVE BRUTE FORCE' : ''));
+
+            // readme / license exposure
+            var exposed = [health.readme_exposed ? 'readme.html' : '', health.license_exposed ? 'license.txt' : ''].filter(Boolean);
+            html += hBadge(exposed.length === 0, true,
+                'Version disclosure',
+                exposed.length > 0 ? exposed.join(', ') + ' present' : 'No version files found');
+
+            // Author enumeration
+            html += hBadge(!health.author_enum_risk, true,
+                'Author enumeration',
+                health.author_enum_risk ? '/?author=1 may reveal usernames' : 'Protected or disabled');
+
+            // Plugin updates
+            var puLen = (health.plugins_with_updates || []).length;
+            html += hBadge(puLen === 0, puLen > 0,
+                'Plugin updates',
+                puLen === 0 ? 'All plugins up to date' : puLen + ' pending update' + (puLen > 1 ? 's' : ''));
+
             html += '</div>';
         }
 

cs-code-block.php

@@ -3,7 +3,7 @@
  * Plugin Name: CloudScale DevTools
  * Plugin URI: https://andrewbaker.ninja
  * Description: Developer toolkit with syntax-highlighted code blocks, SQL query tool, code migrator, site monitor, and login security (passkeys, TOTP, email 2FA, hide login URL).
- * Version: 1.8.78
+ * Version: 1.8.79
  * Author: Andrew Baker
  * Author URI: https://andrewbaker.ninja
  * License: GPL-2.0-or-later
@@ -38,7 +38,7 @@
  */
 class CloudScale_DevTools {
 
-    const VERSION      = '1.8.78';
+    const VERSION      = '1.8.79';
     const HLJS_VERSION = '11.11.1';
     const HLJS_CDN     = 'https://cdnjs.cloudflare.com/ajax/libs/highlight.js/';
     const TOOLS_SLUG   = 'cloudscale-devtools';
@@ -301,6 +301,9 @@ public static function init() {
         add_filter( 'network_site_url',    [ __CLASS__, 'login_custom_network_url' ], 10, 3 );
         add_filter( 'site_url',            [ __CLASS__, 'login_custom_site_url' ], 10, 4 );
 
+        // Security monitor — always track failed logins regardless of monitor toggle.
+        add_action( 'wp_login_failed', [ __CLASS__, 'perf_track_failed_login' ] );
+
         // Custom 404 page + hiscore leaderboard.
         add_action( 'template_redirect',                        [ __CLASS__, 'maybe_custom_404' ], 1 );
         add_action( 'rest_api_init',                            [ __CLASS__, 'register_hiscore_routes' ] );
@@ -3080,20 +3083,108 @@ private static function perf_build_health_data(): array {
         $wp_debug_display = defined( 'WP_DEBUG' ) && WP_DEBUG
             && ( ! defined( 'WP_DEBUG_DISPLAY' ) || WP_DEBUG_DISPLAY );
 
+        // ── Credential / account hygiene ─────────────────────────────────────
+        $admin_user_exists = (bool) username_exists( 'admin' );
+
+        // ── Database ──────────────────────────────────────────────────────────
+        $db_prefix_default = ( $wpdb->prefix === 'wp_' );
+
+        // ── XML-RPC ───────────────────────────────────────────────────────────
+        $xmlrpc_enabled = file_exists( ABSPATH . 'xmlrpc.php' )
+            && (bool) apply_filters( 'xmlrpc_enabled', true ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
+
+        // ── File exposure ─────────────────────────────────────────────────────
+        $readme_exposed  = file_exists( ABSPATH . 'readme.html' );
+        $license_exposed = file_exists( ABSPATH . 'license.txt' );
+
+        // ── PHP version ───────────────────────────────────────────────────────
+        // April 2026: 8.0 EOL Nov 2023, 8.1 EOL Dec 2025, 8.2 EOL Dec 2026, 8.3+ current.
+        $php_eol = version_compare( PHP_VERSION, '8.2', '<' ); // EOL — no security patches
+        $php_old = ! $php_eol && version_compare( PHP_VERSION, '8.2', '==' ); // 8.2 EOL Dec 2026
+
+        // ── Failed logins (brute-force signal) ────────────────────────────────
+        $failed_logins_1h  = (int) get_transient( 'cs_devtools_failed_logins_1h' );
+        $failed_logins_24h = (int) get_transient( 'cs_devtools_failed_logins_24h' );
+
+        // ── Author enumeration ────────────────────────────────────────────────
+        // With pretty permalinks on, /?author=1 redirects to /author/username/.
+        // Flag if pretty permalinks are active and no known filter blocks it.
+        $author_enum_risk = ! empty( get_option( 'permalink_structure' ) )
+            && ! has_filter( 'redirect_canonical', '__return_false' )
+            && ! has_action( 'template_redirect', '__return_false' );
+
+        // ── Plugins with pending updates ──────────────────────────────────────
+        $plugins_with_updates = self::perf_get_plugin_update_info();
+
         return [
-            'autoload_kb'        => $autoload_kb,
-            'autoload_count'     => $autoload_count,
-            'large_autoloads'    => $large_autoloads,
-            'cron_total'         => $cron_total,
-            'cron_overdue'       => $cron_overdue,
-            'cron_overdue_list'  => $overdue_list,
-            'wp_debug_display'   => $wp_debug_display,
-            'disallow_file_edit' => defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT,
-            'disallow_file_mods' => defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS,
-            'site_https'         => strpos( home_url(), 'https://' ) === 0,
+            'autoload_kb'          => $autoload_kb,
+            'autoload_count'       => $autoload_count,
+            'large_autoloads'      => $large_autoloads,
+            'cron_total'           => $cron_total,
+            'cron_overdue'         => $cron_overdue,
+            'cron_overdue_list'    => $overdue_list,
+            'wp_debug_display'     => $wp_debug_display,
+            'disallow_file_edit'   => defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT,
+            'disallow_file_mods'   => defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS,
+            'site_https'           => strpos( home_url(), 'https://' ) === 0,
+            'admin_user_exists'    => $admin_user_exists,
+            'db_prefix_default'    => $db_prefix_default,
+            'xmlrpc_enabled'       => $xmlrpc_enabled,
+            'readme_exposed'       => $readme_exposed,
+            'license_exposed'      => $license_exposed,
+            'php_eol'              => $php_eol,
+            'php_old'              => $php_old,
+            'failed_logins_1h'     => $failed_logins_1h,
+            'failed_logins_24h'    => $failed_logins_24h,
+            'author_enum_risk'     => $author_enum_risk,
+            'plugins_with_updates' => $plugins_with_updates,
         ];
     }
 
+    /**
+     * Fired on wp_login_failed. Increments rolling failed-login counters stored
+     * as transients so the CS Monitor can surface brute-force signals.
+     *
+     * @param string $username The username that failed authentication.
+     * @return void
+     */
+    public static function perf_track_failed_login( string $username ): void {
+        // 1-hour rolling window.
+        $c1h = (int) get_transient( 'cs_devtools_failed_logins_1h' );
+        set_transient( 'cs_devtools_failed_logins_1h', $c1h + 1, HOUR_IN_SECONDS );
+        // 24-hour rolling window.
+        $c24h = (int) get_transient( 'cs_devtools_failed_logins_24h' );
+        set_transient( 'cs_devtools_failed_logins_24h', $c24h + 1, DAY_IN_SECONDS );
+    }
+
+    /**
+     * Returns plugins that have a pending update available, using the cached
+     * update_plugins site transient (populated by WP's own update check cron).
+     * Never makes a live HTTP call — reads from DB only.
+     *
+     * @return array  [ { slug, name, current, new_version } ]
+     */
+    private static function perf_get_plugin_update_info(): array {
+        $update_data = get_site_transient( 'update_plugins' );
+        if ( ! $update_data || empty( $update_data->response ) ) {
+            return [];
+        }
+        $results = [];
+        foreach ( $update_data->response as $plugin_file => $plugin_data ) {
+            $current_ver = $update_data->checked[ $plugin_file ] ?? '';
+            $slug        = $plugin_data->slug ?? basename( dirname( $plugin_file ) );
+            $results[]   = [
+                'plugin'      => $plugin_file,
+                'slug'        => $slug,
+                'current'     => $current_ver,
+                'new_version' => $plugin_data->new_version ?? '',
+            ];
+        }
+        // Sort by slug name.
+        usort( $results, fn( $a, $b ) => strcmp( $a['slug'], $b['slug'] ) );
+        return $results;
+    }
+
     /**
      * Processes $wpdb->queries into a structured array for the panel.
      *