Merge branch 'master' into issue-4.3

README.md

@@ -4,132 +4,184 @@ Manages common security aspects of WordPress. Supports nginx and Apache.
 ## Basic Usage
 This package implements the following commands:
 
-**wp secure block_access_to_htaccess**
+### Deploy All Security rules
 
-Blocks access to `.htaccess` and `nginx.conf` files.
+Deploys all above-mentioned rules at once.
 
-```
-wp secure block_access_to_htaccess [--remove] [--file-path=/alternative/path] [--output] [--server=apache|nginx]
+```bash
+wp secure all
 ```
 
-**wp secure block_access_to_sensitive_directories**
+### Remove All Security Rules
 
-Blocks direct access to sensitive directories - `.git`, `svn`, `cache` and `vendors`
+Removes all security rules.
 
+```bash
+wp secure flush
 ```
-wp secure block_access_to_sensitive_directories [--remove] [--file-path=/alternative/path] [--output] [--server=apache|nginx]
+
+### Block the access to sensitive files and directories
+```bash
+wp secure block-access <what-to-block>
 ```
 
-**wp secure block_access_to_sensitive_files**
+By default, this command blocks the direct access to sensitive files and directories:
+`readme.txt`, `readme.html`, `xmlrpc.php`, `wp-config.php`, `wp-admin/install.php`, `wp-admin/upgrade.php`, `.git`, `svn`, `cache` and `vendors`
 
-Blocks direct access to sensitive files - `readme.txt`, `readme.html`, `wp-config.php`, `wp-admin/install.php` and `wp-admin/upgrade.php`
+Possible options are:
+- sensitive-files
+- sensitive-directories
+- xmlrpc
+- htaccess
+- custom
+- all (does all the above)
 
-```
-wp secure block_access_to_sensitive_files [--remove] [--file-path=/alternative/path] [--output] [--server=apache|nginx]
+Examples:
+
+```bash
+wp secure block-access sensitive-files
+wp secure block-access sensitive-directories
+wp secure block-access xmlrpc
+wp secure block-access htaccess
+wp secure block-access all
 ```
 
-**wp secure block_access_to_xmlrpc**
+However, you can also block custom files and/or folders of your choice. To do that you should use `custom` argument
+and pass one of two additional options `--files` and/or `--directories`.
 
-Blocks direct access XML-RPC
+If you want to block custom files, make sure that you pass only file names, not a full file paths. 
 
-```
-wp secure block_access_to_xmlrpc [--remove] [--file-path=/alternative/path] [--output] [--server=apache|nginx]
-```
+Examples:
 
-### wp secure block_author_scanning
+````bash
+wp secure block-access custom --files=dump.sql,phpinfo.php,adminer.php
+wp secure block-access custom --directories=wp-content/mu-plugins
+````
 
-Blocks author scanning. Author scanning is a common technique of brute force attacks on WordPress. It is used to crack passwords for the known usernames and to gather additional information about the WordPress itself.
+### Block Author Scanning
 
-```
-wp secure block_author_scanning [--remove] [--file-path=/alternative/path] [--output] [--server=apache|nginx]
+```bash
+wp secure block-author-scanning
 ```
 
-### wp secure block_php_execution_in_plugins
+Blocks author scanning. Author scanning is a common technique of brute force attacks on WordPress. It is used to crack passwords for the known usernames and to gather additional information about the WordPress itself.
 
-Blocks direct access and execution of PHP files in `wp-content/plugins` directory.
+Examples:
 
+```bash
+wp secure block-author-scanning
 ```
-wp secure block_php_execution_in_plugins [--remove] [--file-path=/alternative/path] [--output] [--server=apache|nginx]
+
+### Block Direct Access and Execution in certain directories
+
+```bash
+wp secure block-php-execution <where>
 ```
 
-### wp secure block_php_execution_in_uploads
+Blocks direct access and execution of PHP files in `wp-content/plugins`, `wp-content/uploads`, `wp-content/themes` and `wp-includes` directories.
+
+You need to specify where you want to prevent direct access to PHP files. Possible options are:
+- all
+- plugins
+- uploads
+- themes
+- wp-includes
 
-Blocks direct access and execution of PHP files in `wp-content/uploads` directory.
+Examples:
 
+```bash
+wp secure block-php-execution all
+wp secure block-php-execution plugins
+wp secure block-php-execution uploads
+wp secure block-php-execution themes
+wp secure block-php-execution wp-includes
 ```
-wp secure block_php_execution_in_uploads [--remove] [--file-path=/alternative/path] [--output] [--server=apache|nginx]
+
+### Disable Directory Browsing
+```bash
+wp secure disable-directory-browsing
 ```
 
-### wp secure block_php_execution_in_themes
+Disables directory browsing.
 
-Blocks direct access and execution of PHP files in `wp-content/themes` directory.
+By default, when your web server does not find an index file (i.e. a file like index.php or index.html), it
+automatically displays an index page showing the contents of the directory.
+This could make your site vulnerable to hack attacks by revealing important information needed to exploit a vulnerability in a WordPress plugin, theme, or your server in general.
 
+Examples:
+
+```bash
+wp secure disable-directory-browsing
 ```
-wp secure block_php_execution_in_themes [--remove] [--file-path=/alternative/path] [--output] [--server=apache|nginx]
-```
 
-### wp secure block_php_execution_in_wp_includes
-Blocks direct access and execution of PHP files in include directories - `wp-admin/includes`, `wp-includes/*.php`, `wp-includes/js/tinymce/langs/*.php`, `wp-includes/theme-compat`
+### Disable WordPress File Editor
+
+Disables the WordPress file editor. It could be used to edit arbitrary files using the web interface.
+This makes it easier for attackers to change files on the server using a web browser.
 
+```bash
+wp secure disable-file-editor
 ```
-wp secure block_php_execution_in_wp_includes [--remove] [--file-path=/alternative/path] [--output] [--server=apache|nginx]
+
+### Fix file and directory permissions
+
+```bash
+wp secure fix-permissions
 ```
 
-### wp secure disable_directory_browsing
+Use this command to verify that the permissions of all files and directories are set according the WordPress recommendations.
+This command will set **0666** to all files and **0755** to all folders inside WordPress installation.
 
-Disables directory browsing.
+**IMPORTANT: Don't use this command if you don't know what you are doing here!**
 
-By default when your web server does not find an index file (i.e. a file like index.php or index.html), it
-automatically displays an index page showing the contents of the directory.
-This could make your site vulnerable to hack attacks by revealing important information needed to exploit a vulnerability in a WordPress plugin, theme, or your server in general.
+### Check the integrity of WordPress files
 
-```
-wp secure disable_directory_browsing [--remove] [--file-path=/alternative/path] [--output] [--server=apache|nginx]
-```
+Downloads MD5 checksums for the current version from WordPress.org, and compares those checksums against the currently
+installed files.
 
-### wp secure flush
+It also returns a list of files that shouldn't be part of default WordPress installation, which can be very useful when you are
+looking for a possible injected files.
 
-Removes all security rules.
+Examples:
 
-```
-wp secure flush
+```bash
+wp secure integrity-scan
 ```
 
 ## Global options
 
 ### Remove single security rule
 Using `--remove` with any rule command, you can remove it from configuration.
 
-```
-wp secure block_php_execution_in_wp_includes --remove
+```bash
+wp secure block-access xmlrpc --remove
 ```
 
 ### Get the output instead of writing in configuration files
 Using `--output` option with any rule command, you can see actual rule code which you can inspect or manually copy to any file of your choice.
 
-```
-wp secure block_php_execution_in_wp_includes --output
-wp secure block_php_execution_in_wp_includes --output --server=nginx
+```bash
+wp secure block-access htaccess --output
+wp secure block-access htaccess --output --server=nginx
 ```
 
 ### Specify server type
 By default, all rules are generated for Apache or LiteSpeed web servers that utilize `.htaccess` file. However, you can use `--server` to specify nginx if you want.
 
-```
-wp secure block_php_execution_in_wp_includes --server=nginx
-wp secure block_php_execution_in_wp_includes --server=--file-path=/home/user/mysite.com/nginx.conf
+```bash
+wp secure block-access htaccess --server=nginx
 ```
 
 ### Specify custom file path
 By default, all commands assume that rules should be written in the root of WordPress installation in `.htaccess` and `nginx.conf`, depending on which server you choose.
 However, you can specify a custom file path that is going to be used for storing security rules.
 
 ```
-wp secure block_php_execution_in_plugins --file-path=/home/user/mysite.com/.htaccess
+wp secure block-access htaccess --file-path=/home/user/mysite.com/.htaccess
 ```
 
 ## Important Note for nginx users
-nginx rules are stored in the `nginx.conf` file. However, for rules to actually work, you need to manually include this file in your vhost configuration and then restart nginx server:
+The nginx rules are stored in the `nginx.conf` file. However, for rules to actually work, you need to manually include this file in your vhost configuration and then restart nginx server:
 ```
 systemctl restart nginx
 ```
@@ -159,5 +211,4 @@ These paths and URLs are going to be used during tests, so make sure that they a
 ## Contributing
 We appreciate you taking the initiative to contribute to this project.
 
-Contributing isn’t limited to just code. We encourage you to contribute in the way that best fits your abilities, by writing tutorials, giving a demo at your local meetup, helping other users with their support questions, or revising our documentation.
-
+Contributing isn’t limited to just code. We encourage you to contribute in the way that best fits your abilities, by writing tutorials, giving a demo at your local meetup, helping other users with their support questions, or revising our documentation.

src/FileManager.php

@@ -82,7 +82,7 @@ private function setFileContent() : array {
         }
 
         if(!$this->isReadable()) {
-            throw new (FileIsNotReadable::class);
+            throw new FileIsNotReadable();
         }
 
         return $this->read();
@@ -156,7 +156,7 @@ private function fileExist() : bool {
      *
      * @return array|string
      */
-    private static function removeZeroSpace($content): array|string
+    private static function removeZeroSpace($content)
     {
         if(is_array($content)) {
             return array_map([static::class, 'removeZeroSpace'], $content);
@@ -203,9 +203,9 @@ public function extractRuleBlock(string $marker) : array {
      *
      * @param string $needle
      *
-     * @return int|bool
+     * @return bool|int|string
      */
-    private function findInFile(string $needle) : int|bool {
+    private function findInFile(string $needle) {
         return array_search($needle, $this->file);
     }
 
@@ -214,7 +214,7 @@ private function findInFile(string $needle) : int|bool {
      *
      * @return array|bool
      */
-    public function extractSecureBlock(): bool|array {
+    public function extractSecureBlock() {
         $start = $this->findInFile(self::MARKER_GLOBAL_START . self::SPACE_DELIMITER . self::MARKER_WP_CLI_SECURE);
         $end = $this->findInFile(self::MARKER_GLOBAL_END . self::SPACE_DELIMITER . self::MARKER_WP_CLI_SECURE);
 
@@ -330,7 +330,7 @@ private function backup() : bool
     public function add(array $content, string $marker = ''): bool {
         //If the rule block already exist, there is no reason to add it again
         if($this->hasRuleBlock($marker)) {
-            throw new(RuleAlreadyExist::class);
+            throw new RuleAlreadyExist();
         }
 
         //Check if file exist?
@@ -339,7 +339,7 @@ public function add(array $content, string $marker = ''): bool {
         }
 
         if(!$this->isWritable()) {
-            throw new(FileIsNotWritable::class);
+            throw new FileIsNotWritable();
         }
 
         //Wrap the rule block with markers
@@ -450,4 +450,4 @@ private function flattenArray(array $array, int $depth = 1) : array {
 
         return $result;
     }
-}
+}