Sucuri Security – Auditing, Malware Scanner and Security Hardening - Version 1.8.21

Version Description

  • Add WordPress Security Recommendations section in the dashboard
  • Add PHP version check
  • Fix goo.gl links
  • Fix post_type pattern match to allow numbers and max of 20 chars
  • Fix Audit Logs queue timezone issue
  • Fix regex in template string replacement
  • Update translation file to include WordPress Security Recommendations section fields
  • Make the menu icon use the menu color styling
  • Remove block button from failed logins page

Release Info

Developer imgersonr
Plugin: Sucuri Security – Auditing, Malware Scanner and Security Hardening
Version 1.8.21

Code changes from version 1.8.20 to 1.8.21

inc/images/menuicon.svg ADDED
@@ -0,0 +1,3 @@
1
+ <?xml version="1.0" encoding="UTF-8" standalone="no"?>
2
+ <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
3
+ <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" preserveAspectRatio="xMidYMid meet" viewBox="0 0 16 16" width="16" height="16"><defs><path d="M8.98 0.87L9.6 0.94L10.29 1.03L11.04 1.16L11.86 1.31L12.74 1.49L13.69 1.7L13.93 2.24L14.12 2.85L14.27 3.53L14.37 4.27L14.41 5.08L14.41 5.95L14.36 6.89L14.27 7.9L14.06 8.93L13.71 9.93L13.19 10.91L12.51 11.86L11.68 12.78L10.69 13.68L9.54 14.55L8.23 15.4L6.91 14.56L5.75 13.69L4.74 12.8L3.9 11.87L3.21 10.92L2.68 9.94L2.31 8.93L2.09 7.9L1.98 6.89L1.92 5.94L1.91 5.06L1.95 4.25L2.04 3.51L2.17 2.84L2.36 2.23L2.59 1.7L3.44 1.5L4.23 1.32L4.97 1.17L5.66 1.05L6.3 0.95L6.89 0.88L7.43 0.84L7.92 0.82L8.42 0.83L8.98 0.87ZM10.8 10.72L10.53 11.03L10.31 11.24L10.06 11.46L9.69 11.79L9.2 12.21L8.59 12.73L9.14 12.4L9.64 12.07L10.09 11.77L10.5 11.48L10.85 11.17L11.13 10.8L11.34 10.35L11.48 9.84L11.12 10.32L10.8 10.72ZM7.68 3.96L7.38 4.07L7.07 4.23L6.79 4.48L6.57 4.85L6.43 5.35L6.42 5.88L6.52 6.31L6.7 6.65L6.94 6.92L7.21 7.13L7.56 7.32L7.98 7.54L8.4 7.76L8.72 8L8.84 8.24L8.81 8.43L8.71 8.56L8.56 8.62L8.38 8.66L8.17 8.68L7.98 8.66L7.71 8.6L7.34 8.5L6.89 8.34L6.36 8.14L6.33 9.63L6.72 9.77L7.1 9.89L7.48 9.96L7.84 10L8.2 10.01L8.76 9.94L9.35 9.76L9.86 9.43L10.24 8.92L10.38 8.2L10.23 7.46L9.84 6.93L9.37 6.56L8.96 6.35L8.76 6.27L8.62 6.21L8.36 6.08L8.09 5.9L7.93 5.67L7.96 5.41L8.13 5.27L8.4 5.21L8.78 5.24L9.26 5.35L9.85 5.55L10.38 4.33L10.22 4.25L10.07 4.19L9.91 4.13L9.77 4.07L9.62 4.02L9.33 3.96L8.92 3.91L8.46 3.89L8.03 3.9L7.68 3.96Z" id="d1ogaCizF3"></path></defs><g><g><g><use xlink:href="#d1ogaCizF3" opacity="1" fill="black" fill-opacity="1"></use></g></g></g></svg>
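Review bot: nothing in this patch references the new inc/images/menuicon.svg; src/globals.php embeds an identical copy of the same `<svg>` markup inline as a base64 data URI, so this file is unused and a second copy to keep in sync. Either have globals.php build the data URI from this file (`base64_encode(file_get_contents(SUCURISCAN_PLUGIN_PATH . '/inc/images/menuicon.svg'))`, path constant assumed) or drop the file. The XML prolog and external DTD reference on lines 1-2 are unnecessary for an admin icon and are absent from the inline copy anyway.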
inc/tpl/base.html.tpl CHANGED
@@ -17,7 +17,7 @@
17
18
<div class="sucuriscan-pull-right sucuriscan-navbar">
19
<ul>
20
- <li><a href="https://goo.gl/aByqP5" target="_blank" rel="noopener" class="button button-secondary">{{Review}}</a></li>
21
22
<li class="sucuriscan-%%SUCURI.GenerateAPIKey.Visibility%%">
23
<a href="#" class="button button-primary sucuriscan-modal-button sucuriscan-register-site-button"
17
18
<div class="sucuriscan-pull-right sucuriscan-navbar">
19
<ul>
20
+ <li><a href="https://wordpress.org/support/plugin/sucuri-scanner/reviews/" target="_blank" rel="noopener" class="button button-secondary">{{Review}}</a></li>
21
22
<li class="sucuriscan-%%SUCURI.GenerateAPIKey.Visibility%%">
23
<a href="#" class="button button-primary sucuriscan-modal-button sucuriscan-register-site-button"
inc/tpl/dashboard.html.tpl CHANGED
@@ -84,5 +84,7 @@ jQuery(document).ready(function ($) {
84
%%%SUCURI.SiteCheck.Blacklist%%%
85
86
%%%SUCURI.SiteCheck.Recommendations%%%
87
</div>
88
</div>
84
%%%SUCURI.SiteCheck.Blacklist%%%
85
86
%%%SUCURI.SiteCheck.Recommendations%%%
87
+
88
+ %%%SUCURI.WordPress.Recommendations%%%
89
</div>
90
</div>
inc/tpl/lastlogins-failedlogins.html.tpl CHANGED
@@ -36,8 +36,7 @@
36
</tr>
37
</tbody>
38
</table>
39
-
40
- <button type="submit" class="button button-primary">{{Block}}</button>
41
</form>
42
</div>
43
</div>
36
</tr>
37
</tbody>
38
</table>
39
+
40
</form>
41
</div>
42
</div>
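Review bot: removing only the `{{Block}}` submit button leaves the surrounding `<form>` (and whatever nonce, hidden fields and row checkboxes it wraps) in place as dead markup. Confirm that the server-side handler this form posted to was removed as well, or that it still enforces its nonce and capability checks; hiding the button does not disable the action, since the same POST can still be sent without it. If the handler is gone, the form wrapper and its inputs should go too.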
inc/tpl/settings-general-timezone.html.tpl CHANGED
@@ -1,6 +1,6 @@
1
2
<div class="sucuriscan-panel">
3
- <h3 class="sucuriscan-title">{{Timezone}}</h3>
4
5
<div class="inside">
6
<p>{{This option defines the timezone that will be used through out the entire plugin to print the dates and times whenever is necessary. This option also affects the date and time of the logs visible in the audit logs panel which is data that comes from a remote server configured to use Eastern Daylight Time (EDT). WordPress offers an option in the general settings page to allow you to configure the timezone for the entire website, however, if you are experiencing problems with the time in the audit logs, this option will help you fix them.}}</p>
1
2
<div class="sucuriscan-panel">
3
+ <h3 class="sucuriscan-title">{{Timezone Override}}</h3>
4
5
<div class="inside">
6
<p>{{This option defines the timezone that will be used through out the entire plugin to print the dates and times whenever is necessary. This option also affects the date and time of the logs visible in the audit logs panel which is data that comes from a remote server configured to use Eastern Daylight Time (EDT). WordPress offers an option in the general settings page to allow you to configure the timezone for the entire website, however, if you are experiencing problems with the time in the audit logs, this option will help you fix them.}}</p>
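Review bot: only the heading changes here, but the unchanged help paragraph still says the remote server is "configured to use Eastern Daylight Time (EDT)" and that this option fixes audit-log times, while the api.lib.php change in this same release parses server-side entries as `America/New_York` and applies the override only to entries coming from the local queue. The help text should describe the new behaviour, otherwise users will expect the override to shift remote log timestamps and it will not.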
inc/tpl/wordpress-recommendations.html.tpl ADDED
@@ -0,0 +1,8 @@
1
+
2
+ <div class="sucuriscan-panel sucuriscan-sitecheck-list sucuriscan-sitecheck-recommendations sucuriscan-wordpress-recommendations">
3
+ <h3 class="sucuriscan-tag-title sucuriscan-tag-%%SUCURI.WordPress.Recommendations.Color%%">{{WordPress Security Recommendations}}</h3>
4
+
5
+ <ul>
6
+ %%%SUCURI.WordPress.Recommendations.Content%%%
7
+ </ul>
8
+ </div>
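Review bot: the `<ul>` on line 5 wraps `%%%SUCURI.WordPress.Recommendations.Content%%%`, but in the "all is good" branch of `pageWordPressRecommendations()` that placeholder is filled with a bare sentence rather than `<li>` items, so text ends up as a direct child of `<ul>`, which is invalid HTML. Either wrap the success message in an `<li>` in the lib, or move the `<ul>` into the snippet loop. The triple `%%%` marker is raw (unescaped) substitution, which is acceptable here only because the per-item snippet uses the escaped `%%` form for the title and value.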
inc/tpl/wordpress-recommendations.snippet.tpl ADDED
@@ -0,0 +1,5 @@
1
+
2
+ <li class="sucuriscan-sitecheck-list-NOTICE">
3
+ <b>%%SUCURI.WordPress.Recommendations.Title%%</b><br>
4
+ <span>%%SUCURI.WordPress.Recommendations.Value%%</span>
5
+ </li>
lang/sucuri-scanner.pot CHANGED
@@ -59,12 +59,12 @@ msgstr ""
59
msgid "API key recovery for domain: %s"
60
msgstr ""
61
62
- #: src/api.lib.php:609
63
#, php-format
64
msgid "WP Engine PHP Compatibility Checker: %s (created post #%d as cache)"
65
msgstr ""
66
67
- #: src/api.lib.php:952 src/api.lib.php:957
68
msgid "WordPress version is not supported anymore"
69
msgstr ""
70
@@ -1080,7 +1080,7 @@ msgid "The alert settings have been updated"
1080
msgstr ""
1081
1082
#: src/settings-alerts.php:542
1083
- msgid "Only lowercase letters, underscores and hyphens are allowed."
1084
msgstr ""
1085
1086
#: src/settings-alerts.php:544
@@ -1373,7 +1373,7 @@ msgstr ""
1373
#: src/settings-hardening.php:102
1374
msgid ""
1375
"The firewall is a premium service that you need purchase at - <a href="
1376
- "\"https://goo.gl/qfNkMq\" target=\"_blank\">Sucuri Firewall</a>"
1377
msgstr ""
1378
1379
#: src/settings-hardening.php:107
@@ -2799,7 +2799,7 @@ msgid "File Path:"
2799
msgstr ""
2800
2801
#: src/strings.php:366
2802
- msgid "Timezone"
2803
msgstr ""
2804
2805
#: src/strings.php:367
@@ -3203,10 +3203,28 @@ msgstr ""
3203
msgid "Malware Scan Target:"
3204
msgstr ""
3205
3206
#: src/template.lib.php:277
3207
msgid "Invalid template type"
3208
msgstr ""
3209
3210
#: sucuri.php:316
3211
msgid "Sucuri plugin has been uninstalled"
3212
msgstr ""
59
msgid "API key recovery for domain: %s"
60
msgstr ""
61
62
+ #: src/api.lib.php:648
63
#, php-format
64
msgid "WP Engine PHP Compatibility Checker: %s (created post #%d as cache)"
65
msgstr ""
66
67
+ #: src/api.lib.php:991 src/api.lib.php:994
68
msgid "WordPress version is not supported anymore"
69
msgstr ""
70
1080
msgstr ""
1081
1082
#: src/settings-alerts.php:542
1083
+ msgid "Only lowercase letters, numbers, underscores and hyphens are allowed. Post Types cannot exceed 20 characters as well."
1084
msgstr ""
1085
1086
#: src/settings-alerts.php:544
1373
#: src/settings-hardening.php:102
1374
msgid ""
1375
"The firewall is a premium service that you need purchase at - <a href="
1376
+ "\"https://sucuri.net/website-firewall/signup\" target=\"_blank\">Sucuri Firewall</a>"
1377
msgstr ""
1378
1379
#: src/settings-hardening.php:107
2799
msgstr ""
2800
2801
#: src/strings.php:366
2802
+ msgid "Timezone Override"
2803
msgstr ""
2804
2805
#: src/strings.php:367
3203
msgid "Malware Scan Target:"
3204
msgstr ""
3205
3206
+ #: src/strings.php:526
3207
+ msgid "WordPress Security Recommendations"
3208
+ msgstr ""
3209
+
3210
#: src/template.lib.php:277
3211
msgid "Invalid template type"
3212
msgstr ""
3213
3214
+ #: src/wordpress-recommendations.php:62
3215
+ msgid "Upgrade PHP to a supported version"
3216
+ msgstr ""
3217
+
3218
+ #: src/wordpress-recommendations.php:63
3219
+ msgid "The PHP version you are using no longer receives security support and could be exposed to unpatched security vulnerabilities."
3220
+ msgstr ""
3221
+
3222
+ #: src/wordpress-recommendations.php:76
3223
+ msgid ""
3224
+ "Your WordPress install is following <a href=\"https://sucuri.net/guides/wordpress-security\" target=\"_blank\" rel=\"noopener\">"
3225
+ "the security best practices</a>."
3226
+ msgstr ""
3227
+
3228
#: sucuri.php:316
3229
msgid "Sucuri plugin has been uninstalled"
3230
msgstr ""
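Review bot: the new source references on lines 3214, 3218 and 3222 point at `src/wordpress-recommendations.php`, but the file added in this release is `src/wordpress-recommendations.lib.php`; the .pot looks hand-edited rather than regenerated, so the references will not resolve for translators. Regenerate the catalogue from the tree so the paths and line numbers (and the `src/api.lib.php` line shifts above) come from the actual sources.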
readme.txt CHANGED
@@ -3,8 +3,8 @@ Contributors: dd@sucuri.net
3
Donate Link: https://sucuri.net/
4
Tags: malware, security, firewall, scan, spam, virus, sucuri, protection, blacklist, detection, hardening, file integrity
5
Requires at least: 3.6
6
- Tested up to: 5.0.3
7
- Stable tag: 1.8.20
8
9
The Sucuri WordPress Security plugin is a security toolset for security integrity monitoring, malware detection and security hardening.
10
@@ -190,6 +190,17 @@ This version adds an option to refresh the malware scan results on demand, as we
190
191
== Changelog ==
192
193
= 1.8.20 =
194
* Add dynamic core directories in the hardening whitelist options
195
* Modify scheduled tasks panel to load the table via Ajax
3
Donate Link: https://sucuri.net/
4
Tags: malware, security, firewall, scan, spam, virus, sucuri, protection, blacklist, detection, hardening, file integrity
5
Requires at least: 3.6
6
+ Tested up to: 5.2
7
+ Stable tag: 1.8.21
8
9
The Sucuri WordPress Security plugin is a security toolset for security integrity monitoring, malware detection and security hardening.
10
190
191
== Changelog ==
192
193
+ = 1.8.21 =
194
+ * Add WordPress Security Recommendations section in the dashboard
195
+ * Add PHP version check
196
+ * Fix goo.gl links
197
+ * Fix post_type pattern match to allow numbers and max of 20 chars
198
+ * Fix Audit Logs queue timezone issue
199
+ * Fix regex in template string replacement
200
+ * Update translation file to include WordPress Security Recommendations section fields
201
+ * Make the menu icon use the menu color styling
202
+ * Remove block button from failed logins page
203
+
204
= 1.8.20 =
205
* Add dynamic core directories in the hardening whitelist options
206
* Modify scheduled tasks panel to load the table via Ajax
src/api.lib.php CHANGED
@@ -407,7 +407,9 @@ class SucuriScanAPI extends SucuriScanOption
407
408
/**
409
* Returns the security logs from the system queue.
410
- *
411
* @return array The data structure with the logs.
412
*/
413
public static function getAuditLogsFromQueue()
@@ -443,6 +445,7 @@ class SucuriScanAPI extends SucuriScanOption
443
'verbose' => 0,
444
'output' => array_reverse($auditlogs),
445
'total_entries' => count($auditlogs),
446
);
447
448
return self::parseAuditLogs($res);
@@ -489,8 +492,44 @@ class SucuriScanAPI extends SucuriScanOption
489
$log_data['message'] = $right;
490
$log_data['account'] = $dateAndEmail[2];
491
492
- /* extract and fix the date and time using the Eastern time zone */
493
- $datetime = sprintf('%s %s EDT', $dateAndEmail[0], $dateAndEmail[1]);
494
$log_data['timestamp'] = strtotime($datetime);
495
$log_data['datetime'] = SucuriScan::datetime($log_data['timestamp'], 'Y-m-d H:i:s');
496
$log_data['date'] = SucuriScan::datetime($log_data['timestamp'], 'Y-m-d');
407
408
/**
409
* Returns the security logs from the system queue.
410
+ * In case the logs comes from the queue, set key "from_queue" to true,
411
+ * as the parse function later will need to prevent timezone conflicts.
412
+ *
413
* @return array The data structure with the logs.
414
*/
415
public static function getAuditLogsFromQueue()
445
'verbose' => 0,
446
'output' => array_reverse($auditlogs),
447
'total_entries' => count($auditlogs),
448
+ 'from_queue' => '1',
449
);
450
451
return self::parseAuditLogs($res);
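Review bot: `'from_queue' => '1'` is a string flag that the parser later tests with `array_key_exists()`, so any value, including `''` or `'0'`, marks the result as queued. The new docblock says the key is "set to true"; use a boolean `true` here and test it with `!empty($res['from_queue'])` in the parser so the flag and its check agree.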
492
$log_data['message'] = $right;
493
$log_data['account'] = $dateAndEmail[2];
494
495
+ /**
496
+ * When the audit logs comes from the queue, it's necessary to convert
497
+ * the logs using the correct timezone before parsing to avoid issues.
498
+ * First, use timezone override feature if set on the plugin settings,
499
+ * convert it properly as the syntax must be compatible with php strtotime,
500
+ * otherwise use WordPress timezone or offset with a quick fix only for UTC
501
+ * as by default it would be set as "0" instead of "UTC".
502
+ */
503
+ $tz_override = SucuriScanOption::getOption(':timezone');
504
+ if (empty($tz_override)) {
505
+ $wpTimezone = get_option('timezone_string');
506
+ if (empty($wpTimezone)) {
507
+ $wpTimezone = get_option('gmt_offset');
508
+ }
509
+
510
+ /* set wpTimezone to UTC if was previously unset */
511
+ if ($wpTimezone == "0") {
512
+ $wpTimezone = "UTC";
513
+ }
514
+ } else {
515
+ $tz_override_replace_from = array(".", "UTC");
516
+ $tz_override_replace_to = array(":", "");
517
+ $wpTimezone = str_replace($tz_override_replace_from, $tz_override_replace_to, $tz_override);
518
+ }
519
+
520
+ /**
521
+ * When the audit logs comes from the audit logs server, it will
522
+ * be using EDT timezone, however due to the seasonal nature of the
523
+ * EDT timzeone, here we will be using America/New_York when and only
524
+ * when the audit logs comes from the audit logs server, cause when
525
+ * it comes from the queue, wpTimezone var will be used.
526
+ */
527
+ if (array_key_exists('from_queue', $res)) {
528
+ $datetime = sprintf('%s %s %s', $dateAndEmail[0], $dateAndEmail[1], $wpTimezone);
529
+ } else {
530
+ $datetime = sprintf('%s %s America/New_York', $dateAndEmail[0], $dateAndEmail[1]);
531
+ }
532
+
533
$log_data['timestamp'] = strtotime($datetime);
534
$log_data['datetime'] = SucuriScan::datetime($log_data['timestamp'], 'Y-m-d H:i:s');
535
$log_data['date'] = SucuriScan::datetime($log_data['timestamp'], 'Y-m-d');
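Review bot: the fallback `$wpTimezone = get_option('gmt_offset')` returns a numeric offset such as `5.5` or `-3`, and only the exact value `"0"` is rewritten to `UTC`; every other offset is appended verbatim to the string handed to `strtotime()`, which does not read `5.5` as a UTC offset and will return `false` (giving epoch-zero dates) or misparse the entry. Convert the numeric offset to `+HH:MM` form before building `$datetime`, the same way the override branch already turns `UTC+05.00` into `+05:00`, and check the `strtotime()` result for `false` before formatting it. The loose `$wpTimezone == "0"` comparison also matches an empty string in older PHP; `(string) $wpTimezone === '0'` is the intended test. Switching the server-side branch from the fixed `EDT` abbreviation to `America/New_York` is the right fix, since the named zone carries the DST transitions.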
src/globals.php CHANGED
@@ -106,7 +106,7 @@ if (defined('SUCURISCAN')) {
106
'manage_options',
107
'sucuriscan',
108
'sucuriscan_page',
109
- SUCURISCAN_URL . '/inc/images/menuicon.png'
110
);
111
112
foreach ($pages as $sub_page_func => $sub_page_title) {
106
'manage_options',
107
'sucuriscan',
108
'sucuriscan_page',
109
+ 'data:image/svg+xml;base64,' . base64_encode('<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" preserveAspectRatio="xMidYMid meet" viewBox="0 0 16 16" width="16" height="16"><defs><path d="M8.98 0.87L9.6 0.94L10.29 1.03L11.04 1.16L11.86 1.31L12.74 1.49L13.69 1.7L13.93 2.24L14.12 2.85L14.27 3.53L14.37 4.27L14.41 5.08L14.41 5.95L14.36 6.89L14.27 7.9L14.06 8.93L13.71 9.93L13.19 10.91L12.51 11.86L11.68 12.78L10.69 13.68L9.54 14.55L8.23 15.4L6.91 14.56L5.75 13.69L4.74 12.8L3.9 11.87L3.21 10.92L2.68 9.94L2.31 8.93L2.09 7.9L1.98 6.89L1.92 5.94L1.91 5.06L1.95 4.25L2.04 3.51L2.17 2.84L2.36 2.23L2.59 1.7L3.44 1.5L4.23 1.32L4.97 1.17L5.66 1.05L6.3 0.95L6.89 0.88L7.43 0.84L7.92 0.82L8.42 0.83L8.98 0.87ZM10.8 10.72L10.53 11.03L10.31 11.24L10.06 11.46L9.69 11.79L9.2 12.21L8.59 12.73L9.14 12.4L9.64 12.07L10.09 11.77L10.5 11.48L10.85 11.17L11.13 10.8L11.34 10.35L11.48 9.84L11.12 10.32L10.8 10.72ZM7.68 3.96L7.38 4.07L7.07 4.23L6.79 4.48L6.57 4.85L6.43 5.35L6.42 5.88L6.52 6.31L6.7 6.65L6.94 6.92L7.21 7.13L7.56 7.32L7.98 7.54L8.4 7.76L8.72 8L8.84 8.24L8.81 8.43L8.71 8.56L8.56 8.62L8.38 8.66L8.17 8.68L7.98 8.66L7.71 8.6L7.34 8.5L6.89 8.34L6.36 8.14L6.33 9.63L6.72 9.77L7.1 9.89L7.48 9.96L7.84 10L8.2 10.01L8.76 9.94L9.35 9.76L9.86 9.43L10.24 8.92L10.38 8.2L10.23 7.46L9.84 6.93L9.37 6.56L8.96 6.35L8.76 6.27L8.62 6.21L8.36 6.08L8.09 5.9L7.93 5.67L7.96 5.41L8.13 5.27L8.4 5.21L8.78 5.24L9.26 5.35L9.85 5.55L10.38 4.33L10.22 4.25L10.07 4.19L9.91 4.13L9.77 4.07L9.62 4.02L9.33 3.96L8.92 3.91L8.46 3.89L8.03 3.9L7.68 3.96Z" id="d1ogaCizF3"></path></defs><g><g><g><use xlink:href="#d1ogaCizF3" opacity="1" fill="black" fill-opacity="1"></use></g></g></g></svg>')
110
);
111
112
foreach ($pages as $sub_page_func => $sub_page_title) {
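Review bot: this one-line argument embeds the full SVG markup as a string literal, duplicating the inc/images/menuicon.svg file added in the same release; read the file and base64-encode it, or delete the file, so the icon has a single source. The base64 data-URI form is the correct choice for the changelog's "use the menu color styling": WordPress's svg-painter recolours base64-encoded SVG menu icons by rewriting their `fill`, which a `.png` path never got, so the hard-coded `fill="black"` is only the fallback colour.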
src/pagehandler.php CHANGED
@@ -50,6 +50,9 @@ function sucuriscan_page()
50
$params['SiteCheck.Malware'] = '<div id="sucuriscan-malware"></div>';
51
$params['SiteCheck.Blacklist'] = '<div id="sucuriscan-blacklist"></div>';
52
$params['SiteCheck.Recommendations'] = '<div id="sucuriscan-recommendations"></div>';
53
54
if (SucuriScanRequest::get(':sitecheck_refresh') !== false) {
55
$params['SiteCheck.Refresh'] = 'true';
50
$params['SiteCheck.Malware'] = '<div id="sucuriscan-malware"></div>';
51
$params['SiteCheck.Blacklist'] = '<div id="sucuriscan-blacklist"></div>';
52
$params['SiteCheck.Recommendations'] = '<div id="sucuriscan-recommendations"></div>';
53
+
54
+ /* load data for the WordPress best practices section */
55
+ $params['WordPress.Recommendations'] = SucuriWordPressRecomendations::pageWordPressRecommendations();
56
57
if (SucuriScanRequest::get(':sitecheck_refresh') !== false) {
58
$params['SiteCheck.Refresh'] = 'true';
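Review bot: the class name `SucuriWordPressRecomendations` on line 55 is misspelled (single "m"); it works only because the declaration in src/wordpress-recommendations.lib.php carries the same typo, so rename both to `SucuriWordPressRecommendations` now before other code depends on it. The call also relies on sucuri.php having `require_once`'d the new lib before `sucuriscan_page()` runs; that is the case in this patch, but a guard or an autoload would make the dependency explicit.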
src/settings-alerts.php CHANGED
@@ -538,8 +538,8 @@ function sucuriscan_settings_alerts_ignore_posts()
538
$selected = SucuriScanRequest::post(':posttypes', '_array');
539
540
if ($action === 'add') {
541
- if (!preg_match('/^[a-z_\-]+#x2F;', $ignore_rule)) {
542
- SucuriScanInterface::error(__('Only lowercase letters, underscores and hyphens are allowed.', 'sucuri-scanner'));
543
} elseif (array_key_exists($ignore_rule, $ignored_events)) {
544
SucuriScanInterface::error(__('The post-type is already being ignored (duplicate).', 'sucuri-scanner'));
545
} else {
538
$selected = SucuriScanRequest::post(':posttypes', '_array');
539
540
if ($action === 'add') {
541
+ if (!preg_match('/^[a-z0-9_\-]{1,20}+#x2F;', $ignore_rule)) {
542
+ SucuriScanInterface::error(__('Only lowercase letters, numbers, underscores and hyphens are allowed. Post Types cannot exceed 20 characters as well.', 'sucuri-scanner'));
543
} elseif (array_key_exists($ignore_rule, $ignored_events)) {
544
SucuriScanInterface::error(__('The post-type is already being ignored (duplicate).', 'sucuri-scanner'));
545
} else {
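Review bot: the pattern on line 541 (its terminator renders here as `#x2F;`, entity residue of the closing `$/`) anchors with `$`, which in PCRE also matches before a trailing newline, so a value like `"post\n"` passes the check; use `\z` or the `D` modifier to anchor at the true end of the string. The `+` following `{1,20}` is a possessive quantifier that changes nothing with the anchors in place and only obscures the intent; `/^[a-z0-9_\-]{1,20}\z/` reads as intended. The 20-character cap matches WordPress's own limit on post type keys, which is worth a comment, and the error message on line 542 should say so rather than "as well".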
src/settings-general.php CHANGED
@@ -638,7 +638,7 @@ function sucuriscan_settings_general_timezone($nonce)
638
$fill = (abs($hour) < 10) ? '0' : '';
639
$keyname = sprintf('UTC%s%s%.2f', $sign, $fill, abs($hour));
640
$label = date('d M, Y H:i:s', $current + ($hour * 3600));
641
- $options[$keyname] = $label;
642
}
643
644
if ($nonce) {
638
$fill = (abs($hour) < 10) ? '0' : '';
639
$keyname = sprintf('UTC%s%s%.2f', $sign, $fill, abs($hour));
640
$label = date('d M, Y H:i:s', $current + ($hour * 3600));
641
+ $options[$keyname] = $keyname . ' (' . $label . ')';
642
}
643
644
if ($nonce) {
src/settings-hardening.php CHANGED
@@ -77,10 +77,8 @@ class SucuriScanHardeningPage extends SucuriScan
77
*/
78
private static function processRequest($function)
79
{
80
- return (bool) (
81
- SucuriScanInterface::checkNonce() /* CSRF protection */
82
- && SucuriScanRequest::post(':hardening_' . $function)
83
- );
84
}
85
86
/**
@@ -99,7 +97,7 @@ class SucuriScanHardeningPage extends SucuriScan
99
100
if (self::processRequest(__FUNCTION__)) {
101
SucuriScanInterface::error(
102
- __('The firewall is a premium service that you need purchase at - <a href="https://goo.gl/qfNkMq" target="_blank">Sucuri Firewall</a>', 'sucuri-scanner')
103
);
104
}
105
@@ -184,7 +182,7 @@ class SucuriScanHardeningPage extends SucuriScan
184
$params['Hardening.Title'] = __('Verify PHP Version', 'sucuri-scanner');
185
$params['Hardening.Description'] = sprintf(__('PHP %s is installed.', 'sucuri-scanner'), PHP_VERSION);
186
187
- if (intval(version_compare(PHP_VERSION, '5.6.0') >= 0)) {
188
$params['Hardening.Status'] = 1;
189
$params['Hardening.FieldAttrs'] = 'disabled';
190
$params['Hardening.FieldText'] = __('Revert Hardening', 'sucuri-scanner');
@@ -512,7 +510,7 @@ class SucuriScanHardeningPage extends SucuriScan
512
public static function fileeditor()
513
{
514
$params = array();
515
- $fileEditorWasDisabled = (bool) (defined('DISALLOW_FILE_EDIT') && DISALLOW_FILE_EDIT);
516
517
if (self::processRequest(__FUNCTION__)) {
518
$config = SucuriScan::getConfigPath();
77
*/
78
private static function processRequest($function)
79
{
80
+ return (bool)(SucuriScanInterface::checkNonce() /* CSRF protection */
81
+ && SucuriScanRequest::post(':hardening_' . $function));
82
}
83
84
/**
97
98
if (self::processRequest(__FUNCTION__)) {
99
SucuriScanInterface::error(
100
+ __('The firewall is a premium service that you need purchase at - <a href="https://sucuri.net/website-firewall/signup" target="_blank">Sucuri Firewall</a>', 'sucuri-scanner')
101
);
102
}
103
182
$params['Hardening.Title'] = __('Verify PHP Version', 'sucuri-scanner');
183
$params['Hardening.Description'] = sprintf(__('PHP %s is installed.', 'sucuri-scanner'), PHP_VERSION);
184
185
+ if (intval(version_compare(PHP_VERSION, '7.1.0') >= 0)) {
186
$params['Hardening.Status'] = 1;
187
$params['Hardening.FieldAttrs'] = 'disabled';
188
$params['Hardening.FieldText'] = __('Revert Hardening', 'sucuri-scanner');
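Review bot: the `7.1.0` threshold on line 185 is now duplicated by the `'7.1'` check in `SucuriWordPressRecomendations::pageWordPressRecommendations()`, so the next bump has to be made in two places; hoist the minimum supported PHP version into one constant used by both. `intval()` wrapped around the boolean result of `version_compare(...) >= 0` is redundant; `version_compare(PHP_VERSION, '7.1.0', '>=')` says the same thing directly.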
510
public static function fileeditor()
511
{
512
$params = array();
513
+ $fileEditorWasDisabled = (bool)(defined('DISALLOW_FILE_EDIT') && DISALLOW_FILE_EDIT);
514
515
if (self::processRequest(__FUNCTION__)) {
516
$config = SucuriScan::getConfigPath();
src/strings.php CHANGED
@@ -306,7 +306,7 @@ __('HTTP Proxy Password', 'sucuri-scanner');
306
__('API Service Communication', 'sucuri-scanner');
307
__('Once the API key is generate the plugin will communicate with a remote API service that will act as a safe data storage for the audit logs generated when the website triggers certain events that the plugin monitors. If the website is hacked the attacker will not have access to these logs and that way you can investigate what was modified <em>(for malware infaction)</em> and/or how the malicious person was able to gain access to the website.', 'sucuri-scanner');
308
__('Disabling the API service communication will stop the event monitoring, consider to enable the <a href="%%SUCURI.URL.Settings%%#general">Log Exporter</a> to keep the monitoring working while the HTTP requests are ignored, otherwise an attacker may execute an action that will not be registered in the security logs and you will not have a way to investigate the attack in the future.', 'sucuri-scanner');
309
- __('<strong>Are you a developer?</strong> You may be interested in our API. Feel free to use the URL shown below to access the latest 50 entries in your security log, change the value for the parameter <code>l=N</code> if you need more. Be aware that the API doesn’t provides an offset parameter, so if you have the intension to query specific sections of the log you will need to wrap the HTTP request around your own cache mechanism. We <strong>DO NOT</strong> take feature requests for the API, this is a semi-private service tailored for the specific needs of the plugin and not intended to be used by 3rd-party apps, we may change the behavior of each API endpoint without previous notice, use it at your own risk.', 'sucuri-scanner');
310
311
// settings-general-apikey.html.tpl
312
__('API Key', 'sucuri-scanner');
@@ -363,7 +363,7 @@ __('File Path:', 'sucuri-scanner');
363
__('Submit', 'sucuri-scanner');
364
365
// settings-general-timezone.html.tpl
366
- __('Timezone', 'sucuri-scanner');
367
__('This option defines the timezone that will be used through out the entire plugin to print the dates and times whenever is necessary. This option also affects the date and time of the logs visible in the audit logs panel which is data that comes from a remote server configured to use Eastern Daylight Time (EDT). WordPress offers an option in the general settings page to allow you to configure the timezone for the entire website, however, if you are experiencing problems with the time in the audit logs, this option will help you fix them.', 'sucuri-scanner');
368
__('Timezone:', 'sucuri-scanner');
369
__('Submit', 'sucuri-scanner');
@@ -521,3 +521,6 @@ __('The remote malware scanner provided by the plugin is powered by <a href="htt
521
__('Malware Scan Target', 'sucuri-scanner');
522
__('Malware Scan Target:', 'sucuri-scanner');
523
__('Submit', 'sucuri-scanner');
306
__('API Service Communication', 'sucuri-scanner');
307
__('Once the API key is generate the plugin will communicate with a remote API service that will act as a safe data storage for the audit logs generated when the website triggers certain events that the plugin monitors. If the website is hacked the attacker will not have access to these logs and that way you can investigate what was modified <em>(for malware infaction)</em> and/or how the malicious person was able to gain access to the website.', 'sucuri-scanner');
308
__('Disabling the API service communication will stop the event monitoring, consider to enable the <a href="%%SUCURI.URL.Settings%%#general">Log Exporter</a> to keep the monitoring working while the HTTP requests are ignored, otherwise an attacker may execute an action that will not be registered in the security logs and you will not have a way to investigate the attack in the future.', 'sucuri-scanner');
309
+ __('<strong>Are you a developer?</strong> You may be interested in our API. Feel free to use the URL shown below to access the latest 50 entries in your security log, change the value for the parameter <code>l=N</code> if you need more. Be aware that the API doesn’t provides an offset parameter, so if you have the intention to query specific sections of the log you will need to wrap the HTTP request around your own cache mechanism. We <strong>DO NOT</strong> take feature requests for the API, this is a semi-private service tailored for the specific needs of the plugin and not intended to be used by 3rd-party apps, we may change the behavior of each API endpoint without previous notice, use it at your own risk.', 'sucuri-scanner');
310
311
// settings-general-apikey.html.tpl
312
__('API Key', 'sucuri-scanner');
363
__('Submit', 'sucuri-scanner');
364
365
// settings-general-timezone.html.tpl
366
+ __('Timezone Override', 'sucuri-scanner');
367
__('This option defines the timezone that will be used through out the entire plugin to print the dates and times whenever is necessary. This option also affects the date and time of the logs visible in the audit logs panel which is data that comes from a remote server configured to use Eastern Daylight Time (EDT). WordPress offers an option in the general settings page to allow you to configure the timezone for the entire website, however, if you are experiencing problems with the time in the audit logs, this option will help you fix them.', 'sucuri-scanner');
368
__('Timezone:', 'sucuri-scanner');
369
__('Submit', 'sucuri-scanner');
521
__('Malware Scan Target', 'sucuri-scanner');
522
__('Malware Scan Target:', 'sucuri-scanner');
523
__('Submit', 'sucuri-scanner');
524
+
525
+ // wordpress-recommendations.html.tpl
526
+ __('WordPress Security Recommendations', 'sucuri-scanner');
src/template.lib.php CHANGED
@@ -83,13 +83,13 @@ class SucuriScanTemplate extends SucuriScanRequest
83
84
global $locale;
85
86
- preg_match_all('~{{(.+)}}~', $content, $matches);
87
88
if ( ! empty( $matches[1] ) ) {
89
- foreach($matches[1] as $string) {
90
- $pattern = sprintf('~{{%s}}~', preg_quote($string, '~'));
91
- $replacement = ('en_US' !== $locale) ? translate($string, 'sucuri-scanner') : $string;
92
- $content = preg_replace($pattern, $replacement, $content);
93
}
94
}
95
83
84
global $locale;
85
86
+ preg_match_all('~{{(.+?)}}~', $content, $matches);
87
88
if ( ! empty( $matches[1] ) ) {
89
+ foreach($matches[1] as $index => $string) {
90
+ $search = $matches[0][$index];
91
+ $replace = ('en_US' !== $locale) ? translate($string, 'sucuri-scanner') : $string;
92
+ $content = str_replace($search, $replace, $content);
93
}
94
}
95
src/wordpress-recommendations.lib.php ADDED
@@ -0,0 +1,101 @@
1
+ <?php
2
+
3
+ /**
4
+ * Code related to the wprecommendations.lib.php checks.
5
+ *
6
+ * PHP version 5
7
+ *
8
+ * @category Library
9
+ * @package Sucuri
10
+ * @subpackage SucuriScanner
11
+ * @author Northon Torga <northon.torga@sucuri.net>
12
+ * @copyright 2010-2019 Sucuri Inc.
13
+ * @license https://www.gnu.org/licenses/gpl-2.0.txt GPL2
14
+ * @link https://wordpress.org/plugins/sucuri-scanner
15
+ */
16
+
17
+ if (!defined('SUCURISCAN_INIT') || SUCURISCAN_INIT !== true) {
18
+ if (!headers_sent()) {
19
+ /* Report invalid access if possible. */
20
+ header('HTTP/1.1 403 Forbidden');
21
+ }
22
+ exit(1);
23
+ }
24
+
25
+ /**
26
+ * Make sure the WordPress install follows security best practices.
27
+ *
28
+ * @category Library
29
+ * @package Sucuri
30
+ * @subpackage SucuriScanner
31
+ * @author Northon Torga <northon.torga@sucuri.net>
32
+ * @copyright 2010-2019 Sucuri Inc.
33
+ * @license https://www.gnu.org/licenses/gpl-2.0.txt GPL2
34
+ * @link https://wordpress.org/plugins/sucuri-scanner
35
+ * @see https://sitecheck.sucuri.net/
36
+ */
37
+ class SucuriWordPressRecomendations
38
+ {
39
+
40
+ /**
41
+ * Generates the HTML section for the WordPress recommendations section.
42
+ *
43
+ * @return string HTML code to render the recommendations section.
44
+ */
45
+ public static function pageWordPressRecommendations()
46
+ {
47
+
48
+ $params = array();
49
+ $recommendations = array();
50
+ $params['WordPress.Recommendations.Content'] = '';
51
+
52
+ /**
53
+ * BEGIN security checks.
54
+ *
55
+ * Each check must register a second array inside $recommendations,
56
+ * containing the title and description of the recommendation.
57
+ */
58
+
59
+ // Check if php version needs to be upgraded.
60
+ if (version_compare(phpversion(), '7.1', '<')) {
61
+ $recommendations['PHPVersionCheck'] = array(
62
+ __('Upgrade PHP to a supported version', 'sucuri-scanner') =>
63
+ __('The PHP version you are using no longer receives security support and could be exposed to unpatched security vulnerabilities.', 'sucuri-scanner')
64
+ );
65
+ }
66
+
67
+ /**
68
+ * BEGIN delivery of results.
69
+ *
70
+ * When recommendations array is empty, delivery an "all is good" message,
71
+ * otherwise display each item that needs fixing individually.
72
+ */
73
+ if (count($recommendations) == 0) {
74
+
75
+ $params['WordPress.Recommendations.Color'] = 'green';
76
+ $params['WordPress.Recommendations.Content'] = __('Your WordPress install is following <a href="https://sucuri.net/guides/wordpress-security" target="_blank" rel="noopener">the security best practices</a>.', 'sucuri-scanner');
77
+ } else {
78
+
79
+ /* set title to blue as not all recommendations have been fullfilled */
80
+ $params['WordPress.Recommendations.Color'] = 'blue';
81
+
82
+ /* delivery the recommendations using the getSnippet function */
83
+ $recommendation = array_keys($recommendations);
84
+ foreach ($recommendation as $checkid) {
85
+
86
+ foreach ($recommendations[$checkid] as $title => $description) {
87
+
88
+ $params['WordPress.Recommendations.Content'] .= SucuriScanTemplate::getSnippet(
89
+ 'wordpress-recommendations',
90
+ array(
91
+ 'WordPress.Recommendations.Title' => $title,
92
+ 'WordPress.Recommendations.Value' => $description
93
+ )
94
+ );
95
+ }
96
+ }
97
+ }
98
+
99
+ return SucuriScanTemplate::getSection('wordpress-recommendations', $params);
100
+ }
101
+ }
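Review bot: the class name `SucuriWordPressRecomendations` (line 37) is misspelled and the header comment (line 4) refers to `wprecommendations.lib.php` rather than this file's name; fix both before callers accumulate. In the no-findings branch (lines 75-76) `WordPress.Recommendations.Content` is a bare sentence, yet the section template wraps that placeholder in a `<ul>`, so wrap it in an `<li>` here. The `$recommendations[$checkid]` entries are one-element arrays keyed by title, which forces the nested `foreach` on lines 84-96; a flat `array('title' => ..., 'description' => ...)` per check would be simpler and the loop would collapse to one level. `count($recommendations) == 0` is `empty($recommendations)`, and the `'7.1'` threshold on line 60 should share a constant with the hardening page's `7.1.0` check so the two views never disagree on which PHP versions are flagged as unsupported.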
sucuri.php CHANGED
@@ -8,7 +8,7 @@
8
* Author: Sucuri Inc.
9
* Text Domain: sucuri-scanner
10
* Domain Path: /lang
11
- * Version: 1.8.20
12
*
13
* PHP version 5
14
*
@@ -85,7 +85,7 @@ define('SUCURISCAN', 'sucuriscan');
85
/**
86
* Current version of the plugin's code.
87
*/
88
- define('SUCURISCAN_VERSION', '1.8.20');
89
90
/**
91
* Defines the human readable name of the plugin.
@@ -218,6 +218,7 @@ require_once 'src/hardening.lib.php';
218
require_once 'src/interface.lib.php';
219
require_once 'src/auditlogs.lib.php';
220
require_once 'src/sitecheck.lib.php';
221
require_once 'src/integrity.lib.php';
222
require_once 'src/firewall.lib.php';
223
require_once 'src/installer-skin.lib.php';
8
* Author: Sucuri Inc.
9
* Text Domain: sucuri-scanner
10
* Domain Path: /lang
11
+ * Version: 1.8.21
12
*
13
* PHP version 5
14
*
85
/**
86
* Current version of the plugin's code.
87
*/
88
+ define('SUCURISCAN_VERSION', '1.8.21');
89
90
/**
91
* Defines the human readable name of the plugin.
218
require_once 'src/interface.lib.php';
219
require_once 'src/auditlogs.lib.php';
220
require_once 'src/sitecheck.lib.php';
221
+ require_once 'src/wordpress-recommendations.lib.php';
222
require_once 'src/integrity.lib.php';
223
require_once 'src/firewall.lib.php';
224
require_once 'src/installer-skin.lib.php';