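/**
 * Create the plugin's datastore folder inside the WordPress upload directory
 * and protect it from direct web access.
 *
 * The folder holds the temporal or dynamic information the plugin writes.
 * Besides creating it, this method lets SucuriScanHardening deny web access
 * to the folder and writes an index.html so the directory cannot be listed.
 *
 * Everything here is best-effort: a failed mkdir or write is silenced and
 * simply leaves the folder missing or unprotected, so callers must not assume
 * the directory exists afterwards.
 *
 * @return void
 */
public static function createStorageFolder()
{
    $directory = SucuriScan::datastore_folder_path();

    if (!file_exists($directory)) {
        // Best-effort; the result is re-checked below instead of trusting the return value.
        @mkdir($directory, 0755, true);
    }

    // is_dir() rather than file_exists(): a stray regular file at this path must
    // not be mistaken for the datastore folder, otherwise the hardening and the
    // index.html write below would be aimed at a file.
    if (!is_dir($directory)) {
        return;
    }

    // Create the last-logins datastore file.
    sucuriscan_lastlogins_datastore_exists();

    // Create a htaccess file to deny access from all, unless one is already in place.
    if (!SucuriScanHardening::is_hardened($directory)) {
        SucuriScanHardening::harden_directory($directory);
    }

    // Create an index.html to avoid directory listing.
    @file_put_contents(
        $directory . '/index.html',
        '<!-- Prevent the directory listing. -->',
        LOCK_EX
    );
}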
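/**
 * Handle the "reset options" form of the general settings page.
 *
 * When the request carries a valid nonce, the reset_options field and the
 * explicit process_form confirmation, every trace the plugin left on the site
 * is removed: its database options, the scheduled scan, the datastore files
 * and the hardening applied to the core directories. The critical event is
 * reported before the options (and with them the API key) are deleted, so the
 * notification can still be sent.
 *
 * @param  mixed $nonce Result of the caller's nonce check; a falsy value skips
 *                      the form handling entirely.
 * @return mixed Whatever SucuriScanTemplate::get_section() returns for the
 *               'settings-general-resetoptions' section (presumably HTML).
 */
function sucuriscan_settings_general_resetoptions($nonce)
{
    // Reset all the plugin's options. Both the nonce and the submit field are
    // required, so a plain GET or a foreign POST never triggers a reset.
    if ($nonce && SucuriScanRequest::post(':reset_options') !== false) {
        $process = SucuriScanRequest::post(':process_form');

        if (intval($process) === 1) {
            // Notify the event before the API key is removed.
            $message = 'Sucuri plugin options were reset';
            SucuriScanEvent::report_critical_event($message);
            SucuriScanEvent::notify_event('plugin_change', $message);

            // Remove all plugin options from the database.
            SucuriScanOption::delete_plugin_options();

            // Remove the scheduled tasks.
            wp_clear_scheduled_hook('sucuriscan_scheduled_scan');

            // Remove all the local security logs. Only the files the plugin
            // creates itself are deleted; if anything else is left in the
            // folder the rmdir() below fails silently and the folder stays.
            $datastore_files = array(
                '.htaccess',
                'index.html',
                'sucuri-failedlogins.php',
                'sucuri-integrity.php',
                'sucuri-lastlogins.php',
                'sucuri-oldfailedlogins.php',
                'sucuri-plugindata.php',
                'sucuri-sitecheck.php',
                'sucuri-trustip.php',
            );

            foreach ($datastore_files as $filename) {
                @unlink(SucuriScan::datastore_folder_path($filename));
            }

            @rmdir(SucuriScan::datastore_folder_path());

            // Revert hardening of core directories (includes, content, uploads).
            SucuriScanHardening::dewhitelist('ms-files.php', 'wp-includes');
            SucuriScanHardening::dewhitelist('wp-tinymce.php', 'wp-includes');
            SucuriScanHardening::unharden_directory(ABSPATH . '/wp-includes');
            SucuriScanHardening::unharden_directory(WP_CONTENT_DIR . '/uploads');
            SucuriScanHardening::unharden_directory(WP_CONTENT_DIR);

            SucuriScanInterface::info('Plugin options, core directory hardening, and security logs were reset');
        } else {
            SucuriScanInterface::error('You need to confirm that you understand the risk of this operation.');
        }
    }

    return SucuriScanTemplate::get_section('settings-general-resetoptions');
}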
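/**
 * Check whether the WordPress includes folder is protected or not, applying
 * or reverting the hardening first when the form asks for it.
 *
 * A htaccess file is placed in the includes folder denying the access to any php
 * file that could be uploaded through a vulnerability in a Plugin, Theme or
 * WordPress itself, there are some exceptions for some specific files that must
 * be available publicly.
 *
 * NOTE(review): no nonce or capability check is visible in this function; it is
 * assumed the caller verifies the request before invoking it — confirm.
 *
 * @return mixed Output of sucuriscan_harden_status() for this option
 *               (presumably the rendered HTML for the hardening page).
 */
function sucuriscan_harden_wpincludes()
{
    $dpath = ABSPATH . '/wp-includes';

    if (SucuriScanRequest::post(':run_hardening')) {
        if (SucuriScanRequest::post(':harden_wpincludes')) {
            $result = SucuriScanHardening::harden_directory($dpath);

            if ($result === true) {
                $message = 'Hardening applied to the library directory';
                SucuriScanEvent::report_notice_event($message);
                SucuriScanInterface::info($message);
            } else {
                SucuriScanInterface::error('Error hardening directory, check the permissions.');
            }
        } elseif (SucuriScanRequest::post(':harden_wpincludes_unharden')) {
            $result = SucuriScanHardening::unharden_directory($dpath);

            if ($result === true) {
                $message = 'Hardening reverted in the library directory';
                // Logged as an error-level event (presumably because the
                // protection was lowered) even though the action succeeded.
                SucuriScanEvent::report_error_event($message);
                SucuriScanInterface::info($message);
            } else {
                // A failed revert is an error condition; report it through
                // error() like the harden branch does, not as an info notice.
                SucuriScanInterface::error('Access file is not writable, check the permissions.');
            }
        }
    }

    // Check whether the directory is already hardened or not.
    $is_hardened = SucuriScanHardening::is_hardened($dpath);
    $cp = $is_hardened === true ? 1 : 0;

    return sucuriscan_harden_status(
        'Restrict wp-includes access',
        $cp,
        'sucuriscan_harden_wpincludes',
        'WP-Includes directory properly hardened',
        'WP-Includes directory not hardened',
        'This option blocks direct PHP access to any file inside <code>wp-includes</code>.',
        null
    );
}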