Comments (17)

danielbachhuber avatar danielbachhuber commented on May 24, 2024

It seems that this kind of warning is triggered only for files in subdirectories.

Correct, only non-WordPress core files in wp-admin or wp-includes. wp-content is completely ignored because it's considered user data.

I believe it would be very important to also check for unexpected files in the root folder, as it's a common place where hackers could store malicious files with filenames similar to genuine ones.

Although opinions may vary, it's not an uncommon use case to have non-WordPress core files in the root directory (e.g. env-config.php, some standalone PHP script, etc.).

With this being said, I think it'd be reasonable to trigger a warning if WP-CLI detects any files matching wp-* that aren't official WordPress core files. I wouldn't go so far as to error the check, as I'd think that'd be a backwards compatibility break, and potentially imperfect.

from checksum-command.

schlessera avatar schlessera commented on May 24, 2024

Most complex WordPress installs will have all sorts of custom stuff in the root folder. I don't think there's a reliable way to identify malicious additions in there.

marcochiesi avatar marcochiesi commented on May 24, 2024

Hi @danielbachhuber and @schlessera, thank you for your replies. I understand your concerns about backwards compatibility and the presence of custom stuff in the root folder, but in my opinion it would be important to have a way to also check files in the root folder. It would be sufficient to trigger a warning without failing the check, in the same way used for unexpected files in subdirectories.

By the way, it's true that most complex WordPress installs can have a lot of custom stuff, but it's also true that complex WordPress installs are not the majority. I host a few hundred WordPress websites and I would say that 99% of them have no (or very few) custom files in the root, so that it would be pretty straightforward to check for warnings.

What about an option (i.e. --fullcheck, --rootcheck or something) that also performs checks in the root folder?

danielbachhuber avatar danielbachhuber commented on May 24, 2024

I don't think there's a reliable way to identify malicious additions in there.

@schlessera How about Warning: when files that begin with wp-* but aren't official core files are present?

What about an option (i.e. --fullcheck, --rootcheck or something) that also performs checks in the root folder?

I'd rather make a decision on this, than burden the end user with too many options.

schlessera avatar schlessera commented on May 24, 2024

Maybe warning about unknown *.php files and *.html files would be a good start. These can be executed through a client browser.

marcochiesi avatar marcochiesi commented on May 24, 2024

Hi guys,
thanks for your follow-up. For your information, I have performed some additional tests with different integrity check tools to see how they behave regarding detection of unexpected files in the root folder. Here are the results:

schlessera avatar schlessera commented on May 24, 2024

Another idea worth investigating: Be rather rigid with checking everything, but allow users to provide a whitelist through wp-cli.yml.

schlessera avatar schlessera commented on May 24, 2024

Hmm, that would allow malicious software to just replace the wp-cli.yml file then...

danielbachhuber avatar danielbachhuber commented on May 24, 2024

Per Slack conversation today, we're going to start with:

Warn when files prefixed with 'wp-' are included in WordPress root

marcochiesi avatar marcochiesi commented on May 24, 2024

Thanks for the update. I see the "help-wanted" label on this issue. Maybe I can take charge of this and send a pull request?

danielbachhuber avatar danielbachhuber commented on May 24, 2024

Maybe I can take charge of this and send a pull request?

Sure — go for it!

marcochiesi avatar marcochiesi commented on May 24, 2024

A quick question about the best approach to implementing this: would it be fine if I modify the get_wp_core_files() method so that it also returns the files prefixed with 'wp-' in the root folder? I could add a second iteration (for files in the root folder filtered by prefix) and then merge the two arrays. What do you think?

schlessera avatar schlessera commented on May 24, 2024

@marcochiesi I'd suggest extracting the filtering criteria into a separate method, and then making changes to that method as needed.

Here's the filtering criteria I'd extract: https://github.com/wp-cli/checksum-command/blob/master/src/Checksum_Command.php#L152-L155

marcochiesi avatar marcochiesi commented on May 24, 2024

@schlessera I've noticed there's already an only_core_files_filter() method which is currently used only for the checksum files here. What do you think about using (a slightly modified version of) that one for filtering both $core_checksums_files and $core_files with the same criteria?

schlessera avatar schlessera commented on May 24, 2024

@marcochiesi I'm not too keen on mixing the filtering here between commands, as they serve different purposes. Their requirements will change independently and might move in conflicting directions.

In the latest iteration, we've abstracted out the act of retrieving the files, and you can just override the actual filtering function to make use of it.

marcochiesi avatar marcochiesi commented on May 24, 2024

Thank you @schlessera
If I understand correctly, with the current version I should change this method so that it also includes the wp-*.php in the root folder. Correct?

schlessera avatar schlessera commented on May 24, 2024

@marcochiesi Yes, correct. I think that might already solve the entire issue here.
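The three scoping rules argued over in this thread (the existing wp-admin/wp-includes-only check, the agreed "warn on wp-* files in the root" rule, and schlessera's stricter "any root *.php or *.html" variant), written out as an added example that is not wp-cli's own PHP code. It also follows schlessera's structural advice from the later comments: the scoping criteria live in small predicate functions that are passed into the directory walk, so a rule can be swapped without touching the walk. The core file list is a hand-picked sample of genuine core paths standing in for the checksums manifest wp-cli downloads, the sample install tree is constructed inline, and the `ROOT_ALLOWLIST` containing only `wp-config.php` is an assumption of this example (WordPress ships `wp-config-sample.php`, so `wp-config.php` itself is never in the manifest and a bare `wp-*` rule would otherwise warn on every site).

```python
"""Added example: the root-directory check discussed in this thread.
Written from scratch in Python, not wp-cli's PHP implementation."""
import os
import tempfile
from pathlib import Path

# Constructed stand-in for the manifest wp-cli fetches from the WordPress
# checksums API. A real manifest has well over a thousand entries; these are
# a few genuine core paths. wp-config.php is deliberately absent: core ships
# wp-config-sample.php only, and the site owner creates wp-config.php.
CORE_FILES = {
    "index.php",
    "wp-login.php",
    "wp-settings.php",
    "wp-config-sample.php",
    "wp-admin/index.php",
    "wp-admin/includes/plugin.php",
    "wp-includes/version.php",
    "wp-includes/class-wp.php",
}

# Assumption for this example: the only root-level 'wp-' file that is
# expected on every install but never in the manifest.
ROOT_ALLOWLIST = frozenset({"wp-config.php"})


# --- scoping criteria, kept separate from the walk so they can be swapped ---

def in_core_dirs(rel):
    """Behaviour described at the top of the thread: only wp-admin/ and
    wp-includes/ are inspected; wp-content/ is user data and ignored."""
    return rel.startswith("wp-admin/") or rel.startswith("wp-includes/")


def root_wp_prefixed(rel):
    """The agreed rule: root-level files whose name starts with 'wp-'."""
    return "/" not in rel and rel.startswith("wp-")


def root_executable(rel):
    """The stricter variant: any root-level *.php or *.html, since either
    can be reached directly through a browser."""
    return "/" not in rel and rel.lower().endswith((".php", ".html"))


def proposed_rule(rel):
    return in_core_dirs(rel) or root_wp_prefixed(rel)


def strict_rule(rel):
    return in_core_dirs(rel) or root_executable(rel)


# --- the walk: reports in-scope files that are neither core nor allow-listed ---

def unexpected_files(root, in_scope, allowlist=ROOT_ALLOWLIST):
    """Return sorted install-relative paths that IN_SCOPE selects but that
    are not in CORE_FILES or ALLOWLIST. Only presence is checked here; the
    hash comparison of files that *are* core is a separate step."""
    root = Path(root)
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = Path(dirpath, name).relative_to(root).as_posix()
            if in_scope(rel) and rel not in CORE_FILES and rel not in allowlist:
                found.append(rel)
    return sorted(found)


def build_sample_tree(root):
    """Constructed install: the sample core paths plus non-core files of the
    kinds the thread argues about."""
    extra = [
        "wp-config.php",                   # legitimate, user-created
        "env-config.php",                  # legitimate custom root file (thread example)
        "wp-confg.php",                    # look-alike name the reporter worries about
        "custom.html",                     # custom root HTML file
        "wp-admin/css/wp-mail.php",        # non-core file dropped into a core directory
        "wp-content/uploads/wp-load.php",  # never reported: wp-content is ignored
    ]
    for rel in sorted(CORE_FILES) + extra:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed sample file\n")


def run_demo(allowlist=ROOT_ALLOWLIST):
    """Build the sample tree in a temp dir and apply each rule to it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {
            "current": unexpected_files(tmp, in_core_dirs, allowlist),
            "proposed": unexpected_files(tmp, proposed_rule, allowlist),
            "strict": unexpected_files(tmp, strict_rule, allowlist),
        }


if __name__ == "__main__":
    for rule, paths in run_demo().items():
        print(f"{rule}:")
        for p in paths:
            print(f"  Warning: unexpected non-core file: {p}")
```

Two things this shows that the discussion only hints at. First, the agreed `wp-*` rule catches the look-alike (`wp-confg.php`) without touching `env-config.php`, which is exactly the compromise danielbachhuber argued for; the stricter rule flags both, plus the stray HTML file, which is the false-positive cost on installs with custom root files. Second, the allow-list is load-bearing: run `run_demo(frozenset())` and `wp-config.php` is reported under the `wp-*` rule on an otherwise clean site, so wherever that exception lives it should be in code rather than in a file such as wp-cli.yml that malware on the host could edit, for the reason schlessera gave.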