Comments (17)
It seems that this kind of warning is triggered only for files in subdirectories.
Correct, only non-WordPress core files in `wp-admin` or `wp-includes`. `wp-content` is completely ignored because it's considered user data.
I believe it would be very important to also check for unexpected files in the root folder, as it's a common place where hackers could store malicious files with filenames similar to genuine ones.
Although opinions may vary, it's a not uncommon use case to have non-WordPress core files in the root directory (e.g. `env-config.php`, some standalone PHP script, etc.).
With this being said, I think it'd be reasonable to trigger a warning if WP-CLI detects any files matching `wp-*` that aren't official WordPress core files. I wouldn't go so far as to error the check, as I'd think that'd be a backwards compatibility break, and potentially imperfect.
from checksum-command.
Most complex WordPress installs will have all sorts of custom stuff in the root folder. I don't think there's a reliable way to identify malicious additions in there.
Hi @danielbachhuber and @schlessera, thank you for your replies. I understand your concerns about backwards compatibility and the presence of custom stuff in the root folder, but in my opinion it would be important to have a way to also check files in the root folder. It would be sufficient to trigger a warning without failing the check, in the same way used for unexpected files in subdirectories.
By the way, it's true that most complex WordPress installs can have a lot of custom stuff, but it's also true that complex WordPress installs are not the majority. I host a few hundred WordPress websites and I would say that 99% of them have no (or very few) custom files in the root, so it would be pretty straightforward to check for warnings.
What about an option (i.e. `--fullcheck`, `--rootcheck` or something) that also performs checks in the root folder?
I don't think there's a reliable way to identify malicious additions in there.
@schlessera How about `Warning:` when files that begin with `wp-*` but aren't official core files are present?
What about an option (i.e. `--fullcheck`, `--rootcheck` or something) that also performs checks in the root folder?
I'd rather make a decision on this, than burden the end user with too many options.
Maybe warning about unknown `*.php` files and `*.html` files would be a good start. These can be executed through a client browser.
Hi guys,
thanks for your follow-up. For your information, I have performed some additional tests with different integrity check tools to see how they behave regarding detection of unexpected files in the root folder. Here are the results:
- Sucuri Security plugin detects unexpected files in root folder
- Wordfence Security plugin does not detect unexpected files in root folder
- Integrity Checker plugin detects unexpected files in root folder (this is from the same author of the WP-CLI package that extends checksum to plugins and themes).
Another idea worth investigating: Be rather rigid with checking everything, but allow users to provide a whitelist through `wp-cli.yml`.
Hmm, that would allow malicious software to just replace the `wp-cli.yml` file then...
Per Slack conversation today, we're going to start with:
Warn when files prefixed with 'wp-' are included in WordPress root
Thanks for the update. I see the "help-wanted" label on this issue. Maybe I can take charge of this and send a pull request?
Maybe I can take charge of this and send a pull request?
Sure — go for it!
A quick advice on the best approach to implement this: would it be fine if I modify the `get_wp_core_files()` method so that it also returns the files prefixed with 'wp-' in the root folder? I could add a second iteration (for files in root folder filtered by prefix) and then merge the two arrays. What do you think?
@marcochiesi I'd suggest extracting the filtering criteria into a separate method, and then making changes to that method as needed.
Here's the filtering criteria I'd extract: https://github.com/wp-cli/checksum-command/blob/master/src/Checksum_Command.php#L152-L155
@schlessera I've noticed there's already a `only_core_files_filter()` method which is currently used only for the checksum files here. What do you think about using (a slightly modified version of) that one for filtering both `$core_checksums_files` and `$core_files` with the same criteria?
@marcochiesi I'm not too keen on mixing the filtering here between commands, as they serve different purposes. Their requirements will change independently and might move in conflicting directions.
In the latest iteration, we've abstracted out the act of retrieving the files, and you can just override the actual filtering function to make use of it.
Thank you @schlessera
If I understand correctly, with the current version I should change this method so that it also includes the wp-*.php in the root folder. Correct?
@marcochiesi Yes, correct. I think that might already solve the entire issue here.
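The check the thread settles on (warn about `wp-` prefixed files in the WordPress root that are not official core files, while still checking `wp-admin` and `wp-includes` in full and ignoring `wp-content` as user data), together with the single filtering criterion @marcochiesi and @schlessera discuss for `get_wp_core_files()`, as an added example in Python. This is illustrative code written for this page, not wp-cli's or checksum-command's own implementation. It assumes a constructed core file list in place of the checksums API, a constructed directory listing so it runs offline, and that `wp-config.php` must be allowed in the root because it is generated per site and is not part of the published core file list; the `Warning: File should not exist:` wording is borrowed from the thread, not taken from the command's real output.

```python
"""Added example (not checksum-command's code): flag root files that use the
core 'wp-' prefix but are not known core files, plus unexpected files under
wp-admin/ and wp-includes/, while ignoring wp-content/ entirely.

Assumptions: KNOWN_CORE_FILES stands in for the list a real checker would
derive from the WordPress checksums for the installed version; ROOT_EXCEPTIONS
allows wp-config.php, which every install has but which is not in that list.
"""
from __future__ import annotations

from pathlib import Path
from typing import Iterable

# Constructed stand-in for the official core file list (assumption).
KNOWN_CORE_FILES = {
    "index.php",
    "wp-config-sample.php",
    "wp-load.php",
    "wp-login.php",
    "wp-settings.php",
    "wp-admin/index.php",
    "wp-admin/admin.php",
    "wp-includes/functions.php",
    "wp-includes/version.php",
}

# Root files with the wp- prefix that are legitimately absent from the
# core checksums (assumption: wp-config.php is generated per site).
ROOT_EXCEPTIONS = {"wp-config.php"}

CORE_DIRS = ("wp-admin", "wp-includes")  # checked in full
IGNORED_DIRS = ("wp-content",)           # user data, skipped entirely


def is_checked_path(rel_path: str) -> bool:
    """Single filtering criterion for a '/'-separated path relative to ABSPATH.

    - anything under wp-content/ is out of scope
    - everything under wp-admin/ and wp-includes/ is in scope
    - in the root, only files starting with 'wp-' are in scope, so custom
      root files such as env-config.php do not produce noise
    """
    parts = rel_path.split("/")
    if parts[0] in IGNORED_DIRS:
        return False
    if parts[0] in CORE_DIRS:
        return True
    return len(parts) == 1 and parts[0].startswith("wp-")


def find_unexpected_files(listing: Iterable[str],
                          core_files: set[str] = KNOWN_CORE_FILES) -> list[str]:
    """Return in-scope paths from `listing` that are neither known core files
    nor allowed root exceptions, sorted for stable output."""
    return sorted(
        p for p in listing
        if is_checked_path(p) and p not in core_files and p not in ROOT_EXCEPTIONS
    )


def list_files(abspath: str) -> list[str]:
    """Walk a real install and return '/'-separated paths relative to ABSPATH."""
    root = Path(abspath)
    return [p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()]


def format_warnings(unexpected: list[str]) -> list[str]:
    """Warn rather than error, as the thread decided, to avoid breaking scripts."""
    return [f"Warning: File should not exist: {p}" for p in unexpected]


# Constructed sample listing: a normal install plus two suspect files.
SAMPLE_LISTING = [
    "index.php",
    "wp-config.php",                  # allowed via ROOT_EXCEPTIONS
    "env-config.php",                 # custom root file, no wp- prefix: not flagged
    "wp-load.php",
    "wp-login.php",
    "wp-settings.php",
    "wp-logim.php",                   # lookalike of a core name in root: flagged
    "wp-admin/index.php",
    "wp-admin/admin.php",
    "wp-admin/update-core2.php",      # unknown file in a core directory: flagged
    "wp-includes/functions.php",
    "wp-includes/version.php",
    "wp-content/uploads/2024/photo.jpg",  # wp-content is ignored
]

if __name__ == "__main__":
    for line in format_warnings(find_unexpected_files(SAMPLE_LISTING)):
        print(line)
```

Running the block against a real install is a matter of passing `list_files("/path/to/wordpress")` instead of `SAMPLE_LISTING` and supplying the genuine core file list for the installed version. Note the limit the thread itself points out: a custom root file without the `wp-` prefix, and anything under `wp-content`, is deliberately outside this check.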