Comments (9)
@axos88 The root folder of a WordPress installation can include all sorts of custom files, like config or .env files, analytics verification files, error logs, ...
There's no way to know which files are legit and which ones are not.
That's why WP-CLI has special behavior for the root folder and only checks files that start with `wp-` in that folder. If you write your `foo.txt` into `wp-admin/` or `wp-includes/`, it should be detected.
from checksum-command.
Actually introducing the `.wp-ignore` file would give way to implementing `wp core verify-checksums --fix`.
from checksum-command.
Same behaviour on 2.4.0:
```
OS: Linux webfe.akosv.com 3.13.0-147-generic #196-Ubuntu SMP Wed May 2 15:51:34 UTC 2018 x86_64
Shell: /bin/bash
PHP binary: /usr/bin/php5
PHP version: 5.5.9-1ubuntu4.29
php.ini used: /etc/php5/cli/php.ini
WP-CLI root dir: phar://wp-cli.phar/vendor/wp-cli/wp-cli
WP-CLI vendor dir: phar://wp-cli.phar/vendor
WP_CLI phar path: /var/www/wordpress/<snip>
WP-CLI packages dir:
WP-CLI global config:
WP-CLI project config:
WP-CLI version: 2.4.0
```
from checksum-command.
@axos88 You run file creation as `root` but `wp core verify-checksums` as `www-data`. IMHO the wrong result of `wp core verify-checksums` is caused by a permissions issue. Try with files created by `www-data`.
from checksum-command.
Ha. Nice catch, didn't even think about that.
But it's not the issue (tested it), nor should it actually cause any issues (if it did, it would be another bug imho), as long as www-data can read those files. And if it can't then it should also say that there are files that cannot be read.
`wp-foo.php` shows up though. WTF?
```
# sudo -u www-data touch foo.php
# sudo -u root touch wp-foo.php
# sudo -u www-data touch wp-foo2.php
# sudo -u www-data wp core verify-checksums
Warning: File should not exist: wp-foo2.php
Warning: File should not exist: wp-foo.php
Success: WordPress installation verifies against checksums.
```
from checksum-command.
I don't think this should be closed. These files should be listed as warnings, and not arbitrarily silently ignored. At maximum a switch should enable these files to be ignored. Even better, a `.wpignore` file could be added.
Our system was recently infected and trashed with all sorts of files, obviously not prefixed with `wp-`. I didn't have any normal means to detect and remove files from the root directory.
I, as a system administrator, will know which files are installed by myself, and know to ignore them, but definitely want to know if anything else was added without my knowledge. The current behaviour does not allow this check.
from checksum-command.
And you are exactly on point: wp-cli should not make a decision whether a file is legit or not. It should list everything that it sees, and let the user make the decision who actually has the necessary knowledge to make the decision. Arbitrarily filtering out files that do not start with `wp-` means wp-cli actually IS making that decision, and incorrectly.
from checksum-command.
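The check requested in the comments above, sketched as an added example that is not part of the thread and is not WP-CLI code: list every regular file in the WordPress root that is neither in a known-good manifest nor on an administrator-maintained allowlist. The function name, the manifest file, and the `.wpignore`-style allowlist format (one exact file name per line, `#` for comments) are assumptions, and the sample site is constructed.

```bash
#!/usr/bin/env bash
# list_unexpected_root_files ROOT MANIFEST ALLOWLIST
#   ROOT      - WordPress root directory (only its top level is scanned;
#               wp-admin/ and wp-includes/ are left to verify-checksums)
#   MANIFEST  - known-good relative paths, one per line (assumed input)
#   ALLOWLIST - hypothetical .wpignore-style file: exact names, '#' comments.
#               Keep it outside the web root and not writable by the web
#               user, otherwise whoever drops a file can also allow it.
list_unexpected_root_files() {
  local root=$1 manifest=$2 allow=$3 path name
  # The three globs together cover normal files and dotfiles.
  for path in "$root"/* "$root"/.[!.]* "$root"/..?*; do
    [ -f "$path" ] || continue            # skip directories and unmatched globs
    name=${path##*/}
    # -F fixed string, -x whole line: "wp-load.php" must not match "wp-load.php.bak"
    grep -Fxq -- "$name" "$manifest" && continue
    [ -f "$allow" ] && grep -v '^#' "$allow" | grep -Fxq -- "$name" && continue
    printf '%s\n' "$name"
  done | LC_ALL=C sort
}

# Constructed sample: two core files, two files the administrator installed,
# and two files that nobody put there on purpose (with and without "wp-").
demo() {
  local tmp
  tmp=$(mktemp -d)
  mkdir "$tmp/site"
  touch "$tmp/site/index.php" "$tmp/site/wp-load.php" \
        "$tmp/site/wp-config.php" "$tmp/site/.env" \
        "$tmp/site/foo.php" "$tmp/site/wp-foo.php"
  printf '%s\n' index.php wp-load.php wp-admin/index.php > "$tmp/manifest.txt"
  printf '%s\n' '# installed by the administrator' wp-config.php .env \
    > "$tmp/allow.txt"
  list_unexpected_root_files "$tmp/site" "$tmp/manifest.txt" "$tmp/allow.txt"
  rm -rf "$tmp"
}

demo
```

On the sample site this reports both `foo.php` and `wp-foo.php`, while the allowlisted `wp-config.php` and `.env` stay quiet.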
I strongly support the `--fix` flag, it saves time to properly format the files in order to put them as an argument in `rm`.
from checksum-command.
Hi,
I'm having kind of the same issue. While I understand that the root directory is specific and only prefixed files are verified, I have created some files in `wp-content` and when I run the command they are not discovered by the `verify-checksums` command.
Here's a screenshot (running on macOS Monterey 12.6, wp-cli at 2.6)
from checksum-command.