Sucuri Security – Auditing, Malware Scanner and Security Hardening - Version 1.4.3

Version Description

  • Fixing a few PHP warnings.

Release Info

Developer dd@sucuri.net
Version 1.4.3

Code changes from version 1.4.2 to 1.4.3

Files changed (3)
  1. lib/hardening.php +6 -6
  2. readme.txt +4 -1
  3. sucuri.php +51 -44
lib/hardening.php CHANGED
@@ -183,12 +183,12 @@ function sucuriscan_harden_upload()
183
$htaccess_content = str_replace("<Files *.php>\ndeny from all\n</Files>", '', $htaccess_content);
184
file_put_contents($htaccess_upload, $htaccess_content, LOCK_EX);
185
}
186
- sucuri_admin_notice('updated', '<strong>OK.</strong> WP-Content Uploads directory protection reverted.');
187
}else{
188
$harden_process = '<strong>Error.</strong> The <code>wp-content/uploads/.htaccess</code> does
189
not exists or is not writable, you will need to remove the following code manually there:
190
<code>&lt;Files *.php&gt;deny from all&lt;/Files&gt;</code>';
191
- sucuri_admin_notice('error', $harden_process);
192
}
193
}
194
}
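Review bot: on the revert path (lines 184-186) the return value of file_put_contents() is ignored and the "OK. WP-Content Uploads directory protection reverted." notice is raised unconditionally, so a failed write is reported as success. Suggest raising the success notice only when file_put_contents(...) !== FALSE and sending the error notice otherwise.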
@@ -251,12 +251,12 @@ function sucuriscan_harden_wpcontent()
251
$htaccess_content = str_replace("<Files *.php>\ndeny from all\n</Files>", '', $htaccess_content);
252
file_put_contents($htaccess_upload, $htaccess_content, LOCK_EX);
253
}
254
- sucuri_admin_notice('updated', '<strong>OK.</strong> WP-Content directory protection reverted.');
255
}else{
256
$harden_process = '<strong>Error.</strong> The <code>wp-content/.htaccess</code> does
257
not exists or is not writable, you will need to remove the following code manually there:
258
<code>&lt;Files *.php&gt;deny from all&lt;/Files&gt;</code>';
259
- sucuri_admin_notice('error', $harden_process);
260
}
261
}
262
}
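Review bot: the str_replace() on line 251 removes the block only when the file contains "<Files *.php>\ndeny from all\n</Files>" byte for byte, so an .htaccess saved with CRLF line endings or extra indentation is written back unchanged while the notice on line 254 still says the protection was reverted. Compare the content before and after the replace and report an error when nothing was removed. The manual-removal hint in the error string also shows the directive on a single line, which is not the form the code searches for.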
@@ -321,12 +321,12 @@ function sucuriscan_harden_wpincludes()
321
}
322
file_put_contents($htaccess_upload, $htaccess_content, LOCK_EX);
323
}
324
- sucuri_admin_notice('updated', '<strong>OK.</strong> WP-Includes directory protection reverted.');
325
}else{
326
$harden_process = '<strong>Error.</strong> The <code>wp-includes/.htaccess</code> does
327
not exists or is not writable, you will need to remove the following code manually there:
328
<code>&lt;Files *.php&gt;deny from all&lt;/Files&gt;</code>';
329
- sucuri_admin_notice('error', $harden_process);
330
}
331
}
332
}
183
$htaccess_content = str_replace("<Files *.php>\ndeny from all\n</Files>", '', $htaccess_content);
184
file_put_contents($htaccess_upload, $htaccess_content, LOCK_EX);
185
}
186
+ sucuriscan_admin_notice('updated', '<strong>OK.</strong> WP-Content Uploads directory protection reverted.');
187
}else{
188
$harden_process = '<strong>Error.</strong> The <code>wp-content/uploads/.htaccess</code> does
189
not exists or is not writable, you will need to remove the following code manually there:
190
<code>&lt;Files *.php&gt;deny from all&lt;/Files&gt;</code>';
191
+ sucuriscan_admin_notice('error', $harden_process);
192
}
193
}
194
}
251
$htaccess_content = str_replace("<Files *.php>\ndeny from all\n</Files>", '', $htaccess_content);
252
file_put_contents($htaccess_upload, $htaccess_content, LOCK_EX);
253
}
254
+ sucuriscan_admin_notice('updated', '<strong>OK.</strong> WP-Content directory protection reverted.');
255
}else{
256
$harden_process = '<strong>Error.</strong> The <code>wp-content/.htaccess</code> does
257
not exists or is not writable, you will need to remove the following code manually there:
258
<code>&lt;Files *.php&gt;deny from all&lt;/Files&gt;</code>';
259
+ sucuriscan_admin_notice('error', $harden_process);
260
}
261
}
262
}
321
}
322
file_put_contents($htaccess_upload, $htaccess_content, LOCK_EX);
323
}
324
+ sucuriscan_admin_notice('updated', '<strong>OK.</strong> WP-Includes directory protection reverted.');
325
}else{
326
$harden_process = '<strong>Error.</strong> The <code>wp-includes/.htaccess</code> does
327
not exists or is not writable, you will need to remove the following code manually there:
328
<code>&lt;Files *.php&gt;deny from all&lt;/Files&gt;</code>';
329
+ sucuriscan_admin_notice('error', $harden_process);
330
}
331
}
332
}
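Review bot: the error string on lines 325-328 reads "does not exists or is not writable"; it should be "does not exist", and the same wording is repeated in the wp-content and uploads variants above. In sucuriscan_harden_wpincludes() the path variable is still named $htaccess_upload (line 322), which is misleading next to a wp-includes message; a neutral name such as $htaccess would make copy-paste slips between the three functions easier to spot.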
readme.txt CHANGED
@@ -3,7 +3,7 @@ Contributors: dd@sucuri.net, dremeda
3
Donate Link: http://sitecheck.sucuri.net
4
Tags: malware, security, scan, spam, virus, sucuri, WordPress,
5
Requires at least:3.2
6
- Stable tag:1.4.2
7
Tested up to: 3.6
8
9
The Sucuri Security - SiteCheck Malware Scanner plugin enables you to scan your WordPress site using Sucuri SiteCheck and verify the integrity of your core files right in your dashboard. It also includes post-hack options to help you reset passwords and secret keys in case it has been already hacked.
@@ -67,6 +67,9 @@ the compromise on your site).
67
68
== Changelog ==
69
70
= 1.4.2 =
71
* Fixing a few PHP warnings.
72
3
Donate Link: http://sitecheck.sucuri.net
4
Tags: malware, security, scan, spam, virus, sucuri, WordPress,
5
Requires at least:3.2
6
+ Stable tag:1.4.3
7
Tested up to: 3.6
8
9
The Sucuri Security - SiteCheck Malware Scanner plugin enables you to scan your WordPress site using Sucuri SiteCheck and verify the integrity of your core files right in your dashboard. It also includes post-hack options to help you reset passwords and secret keys in case it has been already hacked.
67
68
== Changelog ==
69
70
+ = 1.4.3 =
71
+ * Fixing a few PHP warnings.
72
+
73
= 1.4.2 =
74
* Fixing a few PHP warnings.
75
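Review bot: the new "= 1.4.3 =" changelog entry repeats the 1.4.2 text word for word and does not cover what this release changes. Besides warning fixes, the diff switches the last-logins query from RIGHT JOIN to LEFT JOIN and makes the key reset stop with an error when wp-config.php is missing from ABSPATH; list both so site owners can tell what behaviour changed.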
sucuri.php CHANGED
@@ -7,7 +7,7 @@ Description: The <a href="http://sucuri.net">Sucuri Security</a> - SiteCheck Mal
7
You can also scan your site at <a href="http://sitecheck.sucuri.net">SiteCheck.Sucuri.net</a>.
8
9
Author: Sucuri Security
10
- Version: 1.4.2
11
Author URI: http://sucuri.net
12
*/
13
@@ -18,7 +18,7 @@ if(!function_exists('add_action'))
18
}
19
20
define('SUCURISCAN','sucuriscan');
21
- define('SUCURISCAN_VERSION','1.4.2');
22
define( 'SUCURI_URL',plugin_dir_url( __FILE__ ));
23
define('SUCURISCAN_PLUGIN_FOLDER', 'sucuri-scanner');
24
/* Sucuri Free/Paid Plugin will use the same tablename, check: sucuriscan_lastlogins_table_exists() */
@@ -429,41 +429,44 @@ function sucuriscan_set_new_config_keys()
429
{
430
$new_wpconfig = '';
431
$wp_config_path = ABSPATH.'wp-config.php';
432
- $wp_config_lines = file($wp_config_path);
433
- $new_keys = sucuriscan_get_new_config_keys();
434
- $old_keys = array();
435
- $old_keys_string = $new_keys_string = '';
436
-
437
- foreach($wp_config_lines as $wp_config_line){
438
- $wp_config_line = str_replace("\n", '', $wp_config_line);
439
-
440
- if( preg_match("/define\('([A-Z_]+)',([ ]+)'(.*)'\);/", $wp_config_line, $match) ){
441
- $key_name = $match[1];
442
- if( array_key_exists($key_name, $new_keys) ){
443
- $white_spaces = $match[2];
444
- $old_keys[$key_name] = $match[3];
445
- $wp_config_line = "define('{$key_name}',{$white_spaces}'{$new_keys[$key_name]}');";
446
-
447
- $old_keys_string .= "define('{$key_name}',{$white_spaces}'{$old_keys[$key_name]}');\n";
448
- $new_keys_string .= "{$wp_config_line}\n";
449
}
450
- }
451
452
- $new_wpconfig .= "{$wp_config_line}\n";
453
- }
454
455
- $response = array(
456
- 'updated'=>is_writable($wp_config_path),
457
- 'old_keys'=>$old_keys,
458
- 'old_keys_string'=>$old_keys_string,
459
- 'new_keys'=>$new_keys,
460
- 'new_keys_string'=>$new_keys_string,
461
- 'new_wpconfig'=>$new_wpconfig
462
- );
463
- if( $response['updated'] ){
464
- file_put_contents($wp_config_path, $new_wpconfig, LOCK_EX);
465
}
466
- return $response;
467
}
468
469
function sucuriscan_new_password($user_id=0)
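Review bot: in sucuriscan_set_new_config_keys() the 'updated' flag is taken from is_writable($wp_config_path) before the write, and the result of file_put_contents() is never checked, so the caller can announce rotated keys when the write failed or when the regex matched no define() line at all. Suggest setting 'updated' from file_put_contents(...) !== FALSE and also requiring a non-empty $old_keys. The added file_exists() guard would be safer as is_readable(), because file() can still return FALSE for a file that exists but cannot be read, and the foreach would then raise the kind of warning this release is meant to remove. The pattern also requires at least one space after the comma, so a key written as define('AUTH_KEY','...') is skipped silently; allowing zero or more whitespace characters there would cover it.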
@@ -521,16 +524,20 @@ function sucuriscan_posthack_page()
521
$wpconfig_process = sucuriscan_set_new_config_keys();
522
$template_variables['WPConfigUpdate.Display'] = 'display:block';
523
524
- if( $wpconfig_process['updated']===TRUE ){
525
- sucuriscan_admin_notice('updated', '<strong>OK.</strong> WP-Config keys updated successfully. In the textarea bellow you will see the old-keys and the new-keys updated.');
526
- $template_variables['WPConfigUpdate.NewConfig'] .= "// Old Keys\n";
527
- $template_variables['WPConfigUpdate.NewConfig'] .= $wpconfig_process['old_keys_string'];
528
- $template_variables['WPConfigUpdate.NewConfig'] .= "//\n";
529
- $template_variables['WPConfigUpdate.NewConfig'] .= "// New Keys\n";
530
- $template_variables['WPConfigUpdate.NewConfig'] .= $wpconfig_process['new_keys_string'];
531
}else{
532
- sucuriscan_admin_notice('error', '<strong>Error.</strong> The wp-config.php file is not writable, please copy and paste the code shown bellow in the textarea into that file manually.');
533
- $template_variables['WPConfigUpdate.NewConfig'] = $wpconfig_process['new_wpconfig'];
534
}
535
}else{
536
sucuriscan_admin_notice('error', '<strong>Error.</strong> You need to confirm that you understand the risk of this operation');
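Review bot: the new outer check if($wpconfig_process) relies on the truthiness of a value that is either an array or FALSE; comparing with !== FALSE (or using is_array()) states the intent and cannot be confused by an empty array later. The new failure branch reports that wp-config.php was not found in the default location, but WordPress also loads wp-config.php from one directory above ABSPATH, so on installs that use that layout the key reset is now refused; consider resolving that path in sucuriscan_set_new_config_keys(). Both notice strings in this hunk spell "below" as "bellow".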
@@ -616,7 +623,7 @@ function sucuriscan_lastlogins_page()
616
echo sucuriscan_get_template('sucuri-wp-lastlogins.html.tpl', $template_variables);
617
}
618
619
- function sucuri_login_redirect($redirect_to, $request, $user){
620
return admin_url('?sucuri_lastlogin_message=1');
621
}
622
add_filter('login_redirect', 'sucuri_login_redirect');
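Review bot: removing the three parameters from sucuri_login_redirect() fits the add_filter() call on line 629, which registers the callback with the default of one accepted argument, but the callback still discards the redirect target WordPress passes and sends every login to admin_url('?sucuri_lastlogin_message=1'). If that is intended, say so in a comment; if not, register the filter with priority 10 and 3 accepted arguments and return the original $redirect_to with the query argument appended. The function also keeps the sucuri_ prefix while the notice helper in lib/hardening.php was moved to sucuriscan_ in this same release; renaming it to sucuriscan_login_redirect would keep the plugin's global names consistent.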
@@ -704,7 +711,7 @@ function sucuriscan_get_logins($limit=10, $user_id=0)
704
if( defined('SUCURISCAN_LASTLOGINS_TABLENAME') ){
705
$table_name = SUCURISCAN_LASTLOGINS_TABLENAME;
706
707
- $sql = "SELECT * FROM {$table_name} RIGHT JOIN {$wpdb->prefix}users ON {$table_name}.user_id = {$wpdb->prefix}users.ID";
708
if( !is_admin() ){
709
$current_user = wp_get_current_user();
710
$sql .= chr(32)."WHERE {$wpdb->prefix}users.user_login = '{$current_user->user_login}'";
7
You can also scan your site at <a href="http://sitecheck.sucuri.net">SiteCheck.Sucuri.net</a>.
8
9
Author: Sucuri Security
10
+ Version: 1.4.3
11
Author URI: http://sucuri.net
12
*/
13
18
}
19
20
define('SUCURISCAN','sucuriscan');
21
+ define('SUCURISCAN_VERSION','1.4.3');
22
define( 'SUCURI_URL',plugin_dir_url( __FILE__ ));
23
define('SUCURISCAN_PLUGIN_FOLDER', 'sucuri-scanner');
24
/* Sucuri Free/Paid Plugin will use the same tablename, check: sucuriscan_lastlogins_table_exists() */
429
{
430
$new_wpconfig = '';
431
$wp_config_path = ABSPATH.'wp-config.php';
432
+ if( file_exists($wp_config_path) ){
433
+ $wp_config_lines = file($wp_config_path);
434
+ $new_keys = sucuriscan_get_new_config_keys();
435
+ $old_keys = array();
436
+ $old_keys_string = $new_keys_string = '';
437
+
438
+ foreach($wp_config_lines as $wp_config_line){
439
+ $wp_config_line = str_replace("\n", '', $wp_config_line);
440
+
441
+ if( preg_match("/define\('([A-Z_]+)',([ ]+)'(.*)'\);/", $wp_config_line, $match) ){
442
+ $key_name = $match[1];
443
+ if( array_key_exists($key_name, $new_keys) ){
444
+ $white_spaces = $match[2];
445
+ $old_keys[$key_name] = $match[3];
446
+ $wp_config_line = "define('{$key_name}',{$white_spaces}'{$new_keys[$key_name]}');";
447
+
448
+ $old_keys_string .= "define('{$key_name}',{$white_spaces}'{$old_keys[$key_name]}');\n";
449
+ $new_keys_string .= "{$wp_config_line}\n";
450
+ }
451
}
452
453
+ $new_wpconfig .= "{$wp_config_line}\n";
454
+ }
455
456
+ $response = array(
457
+ 'updated'=>is_writable($wp_config_path),
458
+ 'old_keys'=>$old_keys,
459
+ 'old_keys_string'=>$old_keys_string,
460
+ 'new_keys'=>$new_keys,
461
+ 'new_keys_string'=>$new_keys_string,
462
+ 'new_wpconfig'=>$new_wpconfig
463
+ );
464
+ if( $response['updated'] ){
465
+ file_put_contents($wp_config_path, $new_wpconfig, LOCK_EX);
466
+ }
467
+ return $response;
468
}
469
+ return FALSE;
470
}
471
472
function sucuriscan_new_password($user_id=0)
524
$wpconfig_process = sucuriscan_set_new_config_keys();
525
$template_variables['WPConfigUpdate.Display'] = 'display:block';
526
527
+ if($wpconfig_process){
528
+ if( $wpconfig_process['updated']===TRUE ){
529
+ sucuriscan_admin_notice('updated', '<strong>OK.</strong> WP-Config keys updated successfully. In the textarea bellow you will see the old-keys and the new-keys updated.');
530
+ $template_variables['WPConfigUpdate.NewConfig'] .= "// Old Keys\n";
531
+ $template_variables['WPConfigUpdate.NewConfig'] .= $wpconfig_process['old_keys_string'];
532
+ $template_variables['WPConfigUpdate.NewConfig'] .= "//\n";
533
+ $template_variables['WPConfigUpdate.NewConfig'] .= "// New Keys\n";
534
+ $template_variables['WPConfigUpdate.NewConfig'] .= $wpconfig_process['new_keys_string'];
535
+ }else{
536
+ sucuriscan_admin_notice('error', '<strong>Error.</strong> The wp-config.php file is not writable, please copy and paste the code shown bellow in the textarea into that file manually.');
537
+ $template_variables['WPConfigUpdate.NewConfig'] = $wpconfig_process['new_wpconfig'];
538
+ }
539
}else{
540
+ sucuriscan_admin_notice('error', '<strong>Error.</strong> The wp-config.php file was not found in the default location.');
541
}
542
}else{
543
sucuriscan_admin_notice('error', '<strong>Error.</strong> You need to confirm that you understand the risk of this operation');
623
echo sucuriscan_get_template('sucuri-wp-lastlogins.html.tpl', $template_variables);
624
}
625
626
+ function sucuri_login_redirect(){
627
return admin_url('?sucuri_lastlogin_message=1');
628
}
629
add_filter('login_redirect', 'sucuri_login_redirect');
711
if( defined('SUCURISCAN_LASTLOGINS_TABLENAME') ){
712
$table_name = SUCURISCAN_LASTLOGINS_TABLENAME;
713
714
+ $sql = "SELECT * FROM {$table_name} LEFT JOIN {$wpdb->prefix}users ON {$table_name}.user_id = {$wpdb->prefix}users.ID";
715
if( !is_admin() ){
716
$current_user = wp_get_current_user();
717
$sql .= chr(32)."WHERE {$wpdb->prefix}users.user_login = '{$current_user->user_login}'";
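Review bot: the context line 717 appends WHERE {$wpdb->prefix}users.user_login = '{$current_user->user_login}' by string interpolation; build that clause with $wpdb->prepare() and a %s placeholder, or filter on the numeric user ID with %d. With the switch to LEFT JOIN on line 714, login rows whose user_id no longer exists in the users table are now returned with NULL user columns for admins, while the non-admin WHERE on the users table drops them again; a short comment on which of the two results is wanted would help. $wpdb->users can replace the hand-built {$wpdb->prefix}users table name.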