Sucuri Security – Auditing, Malware Scanner and Security Hardening - Version 1.4.3

Version Description

  • Fixing a few PHP warnings.

Release Info

Developer dd@sucuri.net
Version 1.4.3

Code changes from version 1.4.2 to 1.4.3

Files changed (3) hide show
  1. lib/hardening.php +6 -6
  2. readme.txt +4 -1
  3. sucuri.php +51 -44
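--- a/lib/hardening.php
+++ b/lib/hardening.php
@@ -183,12 +183,12 @@ function sucuriscan_harden_upload()
  $htaccess_content = str_replace("<Files *.php>\ndeny from all\n</Files>", '', $htaccess_content);
  file_put_contents($htaccess_upload, $htaccess_content, LOCK_EX);
  }
- sucuri_admin_notice('updated', '<strong>OK.</strong> WP-Content Uploads directory protection reverted.');
+ sucuriscan_admin_notice('updated', '<strong>OK.</strong> WP-Content Uploads directory protection reverted.');
  }else{
  $harden_process = '<strong>Error.</strong> The <code>wp-content/uploads/.htaccess</code> does
  not exists or is not writable, you will need to remove the following code manually there:
  <code>&lt;Files *.php&gt;deny from all&lt;/Files&gt;</code>';
- sucuri_admin_notice('error', $harden_process);
+ sucuriscan_admin_notice('error', $harden_process);
  }
  }
  }
@@ -251,12 +251,12 @@ function sucuriscan_harden_wpcontent()
  $htaccess_content = str_replace("<Files *.php>\ndeny from all\n</Files>", '', $htaccess_content);
  file_put_contents($htaccess_upload, $htaccess_content, LOCK_EX);
  }
- sucuri_admin_notice('updated', '<strong>OK.</strong> WP-Content directory protection reverted.');
+ sucuriscan_admin_notice('updated', '<strong>OK.</strong> WP-Content directory protection reverted.');
  }else{
  $harden_process = '<strong>Error.</strong> The <code>wp-content/.htaccess</code> does
  not exists or is not writable, you will need to remove the following code manually there:
  <code>&lt;Files *.php&gt;deny from all&lt;/Files&gt;</code>';
- sucuri_admin_notice('error', $harden_process);
+ sucuriscan_admin_notice('error', $harden_process);
  }
  }
  }
@@ -321,12 +321,12 @@ function sucuriscan_harden_wpincludes()
  }
  file_put_contents($htaccess_upload, $htaccess_content, LOCK_EX);
  }
- sucuri_admin_notice('updated', '<strong>OK.</strong> WP-Includes directory protection reverted.');
+ sucuriscan_admin_notice('updated', '<strong>OK.</strong> WP-Includes directory protection reverted.');
  }else{
  $harden_process = '<strong>Error.</strong> The <code>wp-includes/.htaccess</code> does
  not exists or is not writable, you will need to remove the following code manually there:
  <code>&lt;Files *.php&gt;deny from all&lt;/Files&gt;</code>';
- sucuri_admin_notice('error', $harden_process);
+ sucuriscan_admin_notice('error', $harden_process);
  }
  }
  }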
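Review bot: The "protection reverted" notice in all three hunks is emitted without looking at what `file_put_contents()` returned, and it sits after the inner block's closing brace, so it also fires when that block was skipped. The enclosing conditions start outside the hunks and the else branch suggests writability is tested first, but a lock or disk failure during the write would still be reported to the admin as OK. I would capture the result, `$written = file_put_contents($htaccess_upload, $htaccess_content, LOCK_EX);`, and call `sucuriscan_admin_notice('error', ...)` when `$written === false`, so the dashboard never states a `.htaccess` state that was not actually written.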
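--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: dd@sucuri.net, dremeda
  Donate Link: http://sitecheck.sucuri.net
  Tags: malware, security, scan, spam, virus, sucuri, WordPress,
  Requires at least:3.2
- Stable tag:1.4.2
+ Stable tag:1.4.3
  Tested up to: 3.6
 
  The Sucuri Security - SiteCheck Malware Scanner plugin enables you to scan your WordPress site using Sucuri SiteCheck and verify the integrity of your core files right in your dashboard. It also includes post-hack options to help you reset passwords and secret keys in case it has been already hacked.
@@ -67,6 +67,9 @@ the compromise on your site).
 
  == Changelog ==
 
+ = 1.4.3 =
+ * Fixing a few PHP warnings.
+
  = 1.4.2 =
  * Fixing a few PHP warnings.
 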
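--- a/sucuri.php
+++ b/sucuri.php
@@ -7,7 +7,7 @@ Description: The <a href="http://sucuri.net">Sucuri Security</a> - SiteCheck Mal
  You can also scan your site at <a href="http://sitecheck.sucuri.net">SiteCheck.Sucuri.net</a>.
 
  Author: Sucuri Security
- Version: 1.4.2
+ Version: 1.4.3
  Author URI: http://sucuri.net
  */
 
@@ -18,7 +18,7 @@ if(!function_exists('add_action'))
  }
 
  define('SUCURISCAN','sucuriscan');
- define('SUCURISCAN_VERSION','1.4.2');
+ define('SUCURISCAN_VERSION','1.4.3');
  define( 'SUCURI_URL',plugin_dir_url( __FILE__ ));
  define('SUCURISCAN_PLUGIN_FOLDER', 'sucuri-scanner');
  /* Sucuri Free/Paid Plugin will use the same tablename, check: sucuriscan_lastlogins_table_exists() */
@@ -429,41 +429,44 @@ function sucuriscan_set_new_config_keys()
  {
  $new_wpconfig = '';
  $wp_config_path = ABSPATH.'wp-config.php';
- $wp_config_lines = file($wp_config_path);
- $new_keys = sucuriscan_get_new_config_keys();
- $old_keys = array();
- $old_keys_string = $new_keys_string = '';
-
- foreach($wp_config_lines as $wp_config_line){
- $wp_config_line = str_replace("\n", '', $wp_config_line);
-
- if( preg_match("/define\('([A-Z_]+)',([ ]+)'(.*)'\);/", $wp_config_line, $match) ){
- $key_name = $match[1];
- if( array_key_exists($key_name, $new_keys) ){
- $white_spaces = $match[2];
- $old_keys[$key_name] = $match[3];
- $wp_config_line = "define('{$key_name}',{$white_spaces}'{$new_keys[$key_name]}');";
-
- $old_keys_string .= "define('{$key_name}',{$white_spaces}'{$old_keys[$key_name]}');\n";
- $new_keys_string .= "{$wp_config_line}\n";
+ if( file_exists($wp_config_path) ){
+ $wp_config_lines = file($wp_config_path);
+ $new_keys = sucuriscan_get_new_config_keys();
+ $old_keys = array();
+ $old_keys_string = $new_keys_string = '';
+
+ foreach($wp_config_lines as $wp_config_line){
+ $wp_config_line = str_replace("\n", '', $wp_config_line);
+
+ if( preg_match("/define\('([A-Z_]+)',([ ]+)'(.*)'\);/", $wp_config_line, $match) ){
+ $key_name = $match[1];
+ if( array_key_exists($key_name, $new_keys) ){
+ $white_spaces = $match[2];
+ $old_keys[$key_name] = $match[3];
+ $wp_config_line = "define('{$key_name}',{$white_spaces}'{$new_keys[$key_name]}');";
+
+ $old_keys_string .= "define('{$key_name}',{$white_spaces}'{$old_keys[$key_name]}');\n";
+ $new_keys_string .= "{$wp_config_line}\n";
+ }
  }
- }
 
- $new_wpconfig .= "{$wp_config_line}\n";
- }
+ $new_wpconfig .= "{$wp_config_line}\n";
+ }
 
- $response = array(
- 'updated'=>is_writable($wp_config_path),
- 'old_keys'=>$old_keys,
- 'old_keys_string'=>$old_keys_string,
- 'new_keys'=>$new_keys,
- 'new_keys_string'=>$new_keys_string,
- 'new_wpconfig'=>$new_wpconfig
- );
- if( $response['updated'] ){
- file_put_contents($wp_config_path, $new_wpconfig, LOCK_EX);
+ $response = array(
+ 'updated'=>is_writable($wp_config_path),
+ 'old_keys'=>$old_keys,
+ 'old_keys_string'=>$old_keys_string,
+ 'new_keys'=>$new_keys,
+ 'new_keys_string'=>$new_keys_string,
+ 'new_wpconfig'=>$new_wpconfig
+ );
+ if( $response['updated'] ){
+ file_put_contents($wp_config_path, $new_wpconfig, LOCK_EX);
+ }
+ return $response;
  }
- return $response;
+ return FALSE;
  }
 
  function sucuriscan_new_password($user_id=0)
@@ -521,16 +524,20 @@ function sucuriscan_posthack_page()
  $wpconfig_process = sucuriscan_set_new_config_keys();
  $template_variables['WPConfigUpdate.Display'] = 'display:block';
 
- if( $wpconfig_process['updated']===TRUE ){
- sucuriscan_admin_notice('updated', '<strong>OK.</strong> WP-Config keys updated successfully. In the textarea bellow you will see the old-keys and the new-keys updated.');
- $template_variables['WPConfigUpdate.NewConfig'] .= "// Old Keys\n";
- $template_variables['WPConfigUpdate.NewConfig'] .= $wpconfig_process['old_keys_string'];
- $template_variables['WPConfigUpdate.NewConfig'] .= "//\n";
- $template_variables['WPConfigUpdate.NewConfig'] .= "// New Keys\n";
- $template_variables['WPConfigUpdate.NewConfig'] .= $wpconfig_process['new_keys_string'];
+ if($wpconfig_process){
+ if( $wpconfig_process['updated']===TRUE ){
+ sucuriscan_admin_notice('updated', '<strong>OK.</strong> WP-Config keys updated successfully. In the textarea bellow you will see the old-keys and the new-keys updated.');
+ $template_variables['WPConfigUpdate.NewConfig'] .= "// Old Keys\n";
+ $template_variables['WPConfigUpdate.NewConfig'] .= $wpconfig_process['old_keys_string'];
+ $template_variables['WPConfigUpdate.NewConfig'] .= "//\n";
+ $template_variables['WPConfigUpdate.NewConfig'] .= "// New Keys\n";
+ $template_variables['WPConfigUpdate.NewConfig'] .= $wpconfig_process['new_keys_string'];
+ }else{
+ sucuriscan_admin_notice('error', '<strong>Error.</strong> The wp-config.php file is not writable, please copy and paste the code shown bellow in the textarea into that file manually.');
+ $template_variables['WPConfigUpdate.NewConfig'] = $wpconfig_process['new_wpconfig'];
+ }
  }else{
- sucuriscan_admin_notice('error', '<strong>Error.</strong> The wp-config.php file is not writable, please copy and paste the code shown bellow in the textarea into that file manually.');
- $template_variables['WPConfigUpdate.NewConfig'] = $wpconfig_process['new_wpconfig'];
+ sucuriscan_admin_notice('error', '<strong>Error.</strong> The wp-config.php file was not found in the default location.');
  }
  }else{
  sucuriscan_admin_notice('error', '<strong>Error.</strong> You need to confirm that you understand the risk of this operation');
@@ -616,7 +623,7 @@ function sucuriscan_lastlogins_page()
  echo sucuriscan_get_template('sucuri-wp-lastlogins.html.tpl', $template_variables);
  }
 
- function sucuri_login_redirect($redirect_to, $request, $user){
+ function sucuri_login_redirect(){
  return admin_url('?sucuri_lastlogin_message=1');
  }
  add_filter('login_redirect', 'sucuri_login_redirect');
@@ -704,7 +711,7 @@ function sucuriscan_get_logins($limit=10, $user_id=0)
  if( defined('SUCURISCAN_LASTLOGINS_TABLENAME') ){
  $table_name = SUCURISCAN_LASTLOGINS_TABLENAME;
 
- $sql = "SELECT * FROM {$table_name} RIGHT JOIN {$wpdb->prefix}users ON {$table_name}.user_id = {$wpdb->prefix}users.ID";
+ $sql = "SELECT * FROM {$table_name} LEFT JOIN {$wpdb->prefix}users ON {$table_name}.user_id = {$wpdb->prefix}users.ID";
  if( !is_admin() ){
  $current_user = wp_get_current_user();
  $sql .= chr(32)."WHERE {$wpdb->prefix}users.user_login = '{$current_user->user_login}'";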
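Review bot: In `sucuriscan_set_new_config_keys()` the new `file_exists()` guard still lets an unreadable file through: `file()` returns false, the loop adds nothing, and if the path is writable `file_put_contents()` then overwrites wp-config.php with an empty string. The `'updated'` flag is also taken from `is_writable()` rather than from the write itself, so a failed write is shown to the admin as a successful key rotation while the old secret keys remain in use. I would return early with `if( $wp_config_lines === false ){ return FALSE; }` and set the flag from the write, `$response['updated'] = ( file_put_contents($wp_config_path, $new_wpconfig, LOCK_EX) !== false );`. The caller in `sucuriscan_posthack_page()` already handles a FALSE return, though its "not found" message would then need to cover the unreadable case as well.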