# Security Guide - Rank Math API Manager Plugin ## 📋 Overview This guide covers security best practices, configuration recommendations, and security features for the Rank Math API Manager plugin. Follow these guidelines to ensure your WordPress site and API endpoints remain secure. ## 🛡️ Security Features ### Built-in Security Measures The Rank Math API Manager plugin implements several security measures: #### 1. Authentication & Authorization - **WordPress Application Passwords**: Secure authentication method - **User Capability Checks**: Validates `edit_posts` permissions - **Permission Validation**: Ensures users can modify content #### 2. Input Validation & Sanitization - **Text Field Sanitization**: Uses `sanitize_text_field()` - **URL Validation**: Uses `esc_url_raw()` for canonical URLs - **Post ID Validation**: Ensures posts exist before updates - **Parameter Validation**: Validates all input parameters #### 3. Data Protection - **No Sensitive Data Logging**: API credentials are never logged - **Secure Transmission**: Requires HTTPS for production use - **WordPress Nonce Validation**: Where applicable ## 🔐 Authentication Best Practices ### WordPress Application Passwords #### Setting Up Secure Application Passwords 1. **Create Dedicated User Account** ```bash # Create a dedicated API user with limited permissions # Go to Users → Add New # Username: api-user # Role: Author (has edit_posts capability) # Email: api@your-domain.com ``` 2. **Generate Application Password** ```bash # Go to Users → Profile → Application Passwords # Name: "Rank Math API Access" # Click "Add New Application Password" # Copy the generated password immediately ``` 3. **Store Credentials Securely** ```bash # Never store credentials in plain text # Use environment variables or secure configuration export WORDPRESS_API_USERNAME="api-user" export WORDPRESS_API_PASSWORD="your-application-password" ``` #### Credential Management ```bash # Example: Secure credential storage # .env file (add to .gitignore) WORDPRESS_API_USERNAME=api-user WORDPRESS_API_PASSWORD=your-application-password WORDPRESS_SITE_URL=https://your-site.com # Load in your application source .env ``` ### API Key Management (Future Feature) ```php // Future implementation for API key authentication add_action('rest_api_init', function() { register_rest_route('rank-math-api/v1', '/generate-api-key', [ 'methods' => 'POST', 'callback' => 'generate_api_key', 'permission_callback' => function() { return current_user_can('manage_options'); } ]); }); function generate_api_key() { $api_key = wp_generate_password(64, false); $user_id = get_current_user_id(); update_user_meta($user_id, 'rank_math_api_key', $api_key); return [ 'api_key' => $api_key, 'created_at' => current_time('mysql') ]; } ``` ## 🔒 Network Security ### HTTPS Configuration #### Force HTTPS for API Endpoints ```php // Add to wp-config.php or theme functions.php add_action('rest_api_init', function() { if (!is_ssl() && !is_admin()) { add_filter('rest_authentication_errors', function($result) { return new WP_Error('https_required', 'HTTPS is required for API access', ['status' => 403]); }); } }); ``` #### SSL Certificate Validation ```bash # Test SSL configuration curl -I https://your-site.com/wp-json/rank-math-api/v1/update-meta # Check SSL certificate openssl s_client -connect your-site.com:443 -servername your-site.com ``` ### CORS Configuration #### Default WordPress CORS The plugin uses WordPress's default CORS settings. For enhanced security: ```php // Custom CORS configuration add_action('rest_api_init', function() { add_filter('rest_pre_serve_request', function($served, $result, $request, $server) { // Allow only specific origins $allowed_origins = [ 'https://your-frontend-app.com', 'https://your-n8n-instance.com' ]; $origin = $_SERVER['HTTP_ORIGIN'] ?? ''; if (in_array($origin, $allowed_origins)) { header('Access-Control-Allow-Origin: ' . $origin); header('Access-Control-Allow-Methods: POST, OPTIONS'); header('Access-Control-Allow-Headers: Content-Type, Authorization'); header('Access-Control-Allow-Credentials: true'); } return $served; }, 10, 4); }); ``` ## 🚫 Rate Limiting ### Basic Rate Limiting Implementation ```php // Add rate limiting to API endpoints add_action('rest_api_init', function() { add_filter('rest_pre_dispatch', function($result, $server, $request) { if (strpos($request->get_route(), 'rank-math-api') !== false) { $ip = $_SERVER['REMOTE_ADDR']; $user_id = get_current_user_id(); $key = "rate_limit_{$user_id}_{$ip}"; $count = get_transient($key); $limit = 100; // requests per hour $window = 3600; // 1 hour if ($count && $count >= $limit) { return new WP_Error( 'rate_limit_exceeded', 'Rate limit exceeded. Please try again later.', ['status' => 429] ); } set_transient($key, ($count ? $count + 1 : 1), $window); } return $result; }, 10, 3); }); ``` ### Advanced Rate Limiting ```php // Advanced rate limiting with different tiers class RankMathAPIRateLimiter { private $limits = [ 'default' => ['requests' => 100, 'window' => 3600], 'premium' => ['requests' => 1000, 'window' => 3600], 'admin' => ['requests' => 10000, 'window' => 3600] ]; public function check_rate_limit($user_id, $ip) { $user_tier = $this->get_user_tier($user_id); $limit = $this->limits[$user_tier]; $key = "rate_limit_{$user_tier}_{$user_id}_{$ip}"; $count = get_transient($key); if ($count && $count >= $limit['requests']) { return false; } set_transient($key, ($count ? $count + 1 : 1), $limit['window']); return true; } private function get_user_tier($user_id) { if (user_can($user_id, 'manage_options')) { return 'admin'; } // Check for premium user status if (get_user_meta($user_id, 'premium_user', true)) { return 'premium'; } return 'default'; } } ``` ## 🔍 Input Validation & Sanitization ### Enhanced Input Validation ```php // Enhanced validation for API parameters add_action('rest_api_init', function() { add_filter('rest_pre_dispatch', function($result, $server, $request) { if (strpos($request->get_route(), 'rank-math-api') !== false) { $params = $request->get_params(); // Validate post_id if (isset($params['post_id'])) { if (!is_numeric($params['post_id']) || $params['post_id'] <= 0) { return new WP_Error('invalid_post_id', 'Invalid post ID', ['status' => 400]); } $post = get_post($params['post_id']); if (!$post || !in_array($post->post_type, ['post', 'product'])) { return new WP_Error('post_not_found', 'Post not found or invalid type', ['status' => 404]); } } // Validate SEO title length if (isset($params['rank_math_title'])) { if (strlen($params['rank_math_title']) > 60) { return new WP_Error('title_too_long', 'SEO title exceeds 60 characters', ['status' => 400]); } } // Validate SEO description length if (isset($params['rank_math_description'])) { if (strlen($params['rank_math_description']) > 160) { return new WP_Error('description_too_long', 'SEO description exceeds 160 characters', ['status' => 400]); } } // Validate canonical URL if (isset($params['rank_math_canonical_url'])) { if (!filter_var($params['rank_math_canonical_url'], FILTER_VALIDATE_URL)) { return new WP_Error('invalid_url', 'Invalid canonical URL', ['status' => 400]); } } } return $result; }, 10, 3); }); ``` ### Content Security ```php // Prevent XSS and injection attacks function sanitize_seo_data($data) { $sanitized = []; if (isset($data['rank_math_title'])) { $sanitized['rank_math_title'] = sanitize_text_field($data['rank_math_title']); } if (isset($data['rank_math_description'])) { $sanitized['rank_math_description'] = sanitize_textarea_field($data['rank_math_description']); } if (isset($data['rank_math_canonical_url'])) { $sanitized['rank_math_canonical_url'] = esc_url_raw($data['rank_math_canonical_url']); } if (isset($data['rank_math_focus_keyword'])) { $sanitized['rank_math_focus_keyword'] = sanitize_text_field($data['rank_math_focus_keyword']); } return $sanitized; } ``` ## 📊 Security Monitoring ### API Access Logging ```php // Log API access for security monitoring add_action('rest_api_init', function() { add_filter('rest_post_dispatch', function($response, $handler, $request) { if (strpos($request->get_route(), 'rank-math-api') !== false) { $log_entry = [ 'timestamp' => current_time('mysql'), 'ip' => $_SERVER['REMOTE_ADDR'], 'user_agent' => $_SERVER['HTTP_USER_AGENT'] ?? '', 'user_id' => get_current_user_id(), 'route' => $request->get_route(), 'method' => $request->get_method(), 'status' => $response->get_status(), 'params' => array_keys($request->get_params()) ]; // Log to WordPress debug log error_log('Rank Math API Access: ' . json_encode($log_entry)); // Store in database for analysis $logs = get_option('rank_math_api_logs', []); $logs[] = $log_entry; // Keep only last 1000 entries if (count($logs) > 1000) { $logs = array_slice($logs, -1000); } update_option('rank_math_api_logs', $logs); } return $response; }, 10, 3); }); ``` ### Security Event Monitoring ```php // Monitor for suspicious activity add_action('rest_api_init', function() { add_filter('rest_authentication_errors', function($result) { if ($result !== null) { // Log failed authentication attempts $log_entry = [ 'timestamp' => current_time('mysql'), 'ip' => $_SERVER['REMOTE_ADDR'], 'user_agent' => $_SERVER['HTTP_USER_AGENT'] ?? '', 'route' => $_SERVER['REQUEST_URI'] ?? '', 'error' => 'Authentication failed' ]; error_log('Rank Math API Security Event: ' . json_encode($log_entry)); // Alert on multiple failed attempts $failed_attempts = get_transient('failed_auth_' . $_SERVER['REMOTE_ADDR']); if ($failed_attempts && $failed_attempts > 10) { // Send alert email wp_mail( get_option('admin_email'), 'Security Alert: Multiple Failed API Authentication Attempts', 'Multiple failed authentication attempts detected from IP: ' . $_SERVER['REMOTE_ADDR'] ); } set_transient('failed_auth_' . $_SERVER['REMOTE_ADDR'], ($failed_attempts ? $failed_attempts + 1 : 1), 3600); } return $result; }); }); ``` ## 🔧 Security Configuration ### WordPress Security Settings #### Essential Security Plugins ```php // Recommended security plugins // 1. Wordfence Security // 2. Sucuri Security // 3. iThemes Security // 4. All In One WP Security & Firewall ``` #### wp-config.php Security ```php // Add to wp-config.php // Disable file editing define('DISALLOW_FILE_EDIT', true); // Increase memory limit define('WP_MEMORY_LIMIT', '256M'); // Enable debug logging define('WP_DEBUG', true); define('WP_DEBUG_LOG', true); define('WP_DEBUG_DISPLAY', false); // Secure database define('DB_CHARSET', 'utf8mb4'); define('DB_COLLATE', 'utf8mb4_unicode_ci'); // Force SSL for admin define('FORCE_SSL_ADMIN', true); ``` ### Server Security #### Apache Security Headers ```apache # Add to .htaccess Header always set X-Content-Type-Options nosniff Header always set X-Frame-Options DENY Header always set X-XSS-Protection "1; mode=block" Header always set Referrer-Policy "strict-origin-when-cross-origin" Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';" # Block access to sensitive files Order allow,deny Deny from all Order allow,deny Deny from all ``` #### Nginx Security Headers ```nginx # Add to nginx.conf add_header X-Content-Type-Options nosniff; add_header X-Frame-Options DENY; add_header X-XSS-Protection "1; mode=block"; add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"; # Block access to sensitive files location ~ /(wp-config\.php|\.htaccess) { deny all; } ``` ## 🚨 Incident Response ### Security Incident Checklist 1. **Immediate Response** - Disable API access if compromised - Change all Application Passwords - Review server logs for intrusion - Check for unauthorized changes 2. **Investigation** - Analyze access logs - Review API usage patterns - Check for data breaches - Identify attack vectors 3. **Recovery** - Restore from clean backup - Update all credentials - Implement additional security measures - Monitor for further attacks ### Security Contact Information ```php // Add security contact information add_action('admin_menu', function() { add_options_page( 'Security Settings', 'Security', 'manage_options', 'security-settings', function() { ?>

Security Settings

Emergency Contacts

Security Email: security@devora.no

Emergency Phone: [Your emergency number]

Security Checklist