
Changeset 3115542

Timestamp:
07/10/2024 11:18:49 AM (2 weeks ago)
Author:
johndarrel
Message:

Update the Security Check to fix basic security issues

Location:
hide-my-wp/tags/5.2.04
Files:
3 edited

  • hide-my-wp/tags/5.2.04/controllers/SecurityCheck.php

    r3104347 r3115542  
    227227                'message' => __("Every good developer should turn on debugging before getting started on a new plugin or theme. In fact, the WordPress Codex 'highly recommends' that developers use WP_DEBUG. <br /><br />Unfortunately, many developers forget the debug mode, even when the website is live. Showing debug logs in the frontend will let hackers know a lot about your WordPress website.", 'hide-my-wp'),
    228228                'solution' => __("Disable WP_DEBUG for live websites in wp-config.php <code>define('WP_DEBUG', false);</code>", 'hide-my-wp'),
    229                 'javascript' => "pro",
     229                'javascript' => "",
    230230            ),
    231231            'checkDBDebug' => array(
     
    245245                'message' => __("Every good developer should turn on debugging before getting started on a new plugin or theme. In fact, the WordPress Codex 'highly recommends' that developers use SCRIPT_DEBUG. Unfortunately, many developers forget the debug mode even when the website is live. Showing debug logs in the frontend will let hackers know a lot about your WordPress website.", 'hide-my-wp'),
    246246                'solution' => __("Disable SCRIPT_DEBUG for live websites in wp-config.php <code>define('SCRIPT_DEBUG', false);</code>", 'hide-my-wp'),
    247                 'javascript' => "pro",
     247                'javascript' => "",
    248248            ),
    249249            'checkDisplayErrors' => array(
     
    423423                'message' => __( "The most common way to hack a website is by accessing the domain and adding harmful queries in order to reveal information from files and database.<br /> These attacks are made on any website, WordPress or not, and if a call succeeds … it will probably be too late to save the website.", 'hide-my-wp' ),
    424424                'solution' => sprintf( esc_html__( "Activate the firewall and select the firewall strength that works for your website %s %s > Change Paths > Firewall & Headers %s", 'hide-my-wp' ), '<a href="'.HMWP_Classes_Tools::getSettingsUrl('hmwp_permalinks#tab=firewall').'" >',  HMWP_Classes_Tools::getOption('hmwp_plugin_menu') , '</a>'),
    425                 'javascript' => "pro",
     425                'javascript' => "",
    426426            ),
    427427            'checkVersionDisplayed' => array(
     
    432432                'message' => __("WordPress, plugins and themes add their version info to the source code, so anyone can see it. <br /><br />Hackers can easily find a website with vulnerable version plugins or themes, and target these with Zero-Day Exploits.", 'hide-my-wp'),
    433433                'solution' => sprintf(esc_html__("Switch on %s %s > Tweaks > %s %s", 'hide-my-wp'), '<a href="'.HMWP_Classes_Tools::getSettingsUrl('hmwp_tweaks#tab=hide').'" >', HMWP_Classes_Tools::getOption('hmwp_plugin_menu'),  esc_html__('Hide Versions from Images, CSS and JS', 'hide-my-wp'), '</a>'),
    434                 'javascript' => "pro",
     434                'javascript' => "",
    435435            ),
    436436            'checkRegisterGlobals' => array(
     
    473473                'message' => __("The plugins and themes file editor is a very convenient tool because it enables you to make quick changes without the need to use FTP. <br /><br />Unfortunately, it's also a security issue because it not only shows the PHP source code, it also enables attackers to inject malicious code into your site if they manage to gain access to admin.", 'hide-my-wp'),
    474474                'solution' => __("Disable DISALLOW_FILE_EDIT for live websites in wp-config.php <code>define('DISALLOW_FILE_EDIT', true);</code>", 'hide-my-wp'),
    475                 'javascript' => "pro",
     475                'javascript' => "",
    476476            ),
    477477            'checkUploadsBrowsable' => array(
     
    491491                'message' => esc_html__("If you're not using Windows Live Writer there's really no valid reason to have its link in the page header, because this tells the whole world you're using WordPress.", 'hide-my-wp'),
    492492                'solution' => sprintf(esc_html__("Switch on %s %s > Tweaks > Hide WLW Manifest scripts%s", 'hide-my-wp'), '<a href="'.HMWP_Classes_Tools::getSettingsUrl('hmwp_tweaks#tab=hide').'" >', HMWP_Classes_Tools::getOption('hmwp_plugin_menu'), '</a>'),
    493                 'javascript' => "pro",
     493                'javascript' => "",
    494494            ),
    495495            'checkXmlrpc' => array(
     
    500500                'message' => __("WordPress XML-RPC is a specification that aims to standardize communications between different systems. It uses HTTP as the transport mechanism and XML as encoding mechanism to enable a wide range of data to be transmitted. <br /><br />The two biggest assets of the API are its extendibility and its security. XML-RPC authenticates using basic authentication. It sends the username and password with each request, which is a big no-no in security circles.", 'hide-my-wp'),
    501501                'solution' => sprintf(esc_html__("Switch on %s %s > Change Paths > Disable XML-RPC access%s", 'hide-my-wp'), '<a href="'.HMWP_Classes_Tools::getSettingsUrl('hmwp_permalinks#tab=api').'" >', HMWP_Classes_Tools::getOption('hmwp_plugin_menu'), '</a>'),
    502                 'javascript' => "pro",
     502                'javascript' => "",
    503503            ),
    504504            'checkRDS' => array(
     
    509509                'message' => __("If you're not using any Really Simple Discovery services such as pingbacks, there's no need to advertise that endpoint (link) in the header. Please note that for most sites this is not a security issue because they \"want to be discovered\", but if you want to hide the fact that you're using WP, this is the way to go.", 'hide-my-wp'),
    510510                'solution' => sprintf(esc_html__("Switch on %s %s > Change Paths > Hide RSD Endpoint%s", 'hide-my-wp'), '<a href="'.HMWP_Classes_Tools::getSettingsUrl('hmwp_permalinks#tab=api').'" >', HMWP_Classes_Tools::getOption('hmwp_plugin_menu'), '</a>'),
    511                 'javascript' => "pro",
     511                'javascript' => "",
    512512            ),
    513513//            'checkMysqlPermissions' => array(
     
    526526                'message' => __("Usernames (unlike passwords) are not secret. By knowing someone's username, you can't log in to their account. You also need the password. <br /><br />However, by knowing the username, you are one step closer to logging in using the username to brute-force the password, or to gain access in a similar way. <br /><br />That's why it's advisable to keep the list of usernames private, at least to some degree. By default, by accessing siteurl.com/?author={id} and looping through IDs from 1 you can get a list of usernames, because WP will redirect you to siteurl.com/author/user/ if the ID exists in the system.", 'hide-my-wp'),
    527527                'solution' => sprintf(esc_html__("Switch on %s %s > Change Paths > Hide Author ID URL%s", 'hide-my-wp'), '<a href="'.HMWP_Classes_Tools::getSettingsUrl('hmwp_permalinks#tab=author').'" >', HMWP_Classes_Tools::getOption('hmwp_plugin_menu'), '</a>'),
    528                 'javascript' => "pro",
     528                'javascript' => "",
    529529            ),
    530530            'checkBlogDescription' => array(
     
    670670                    $message[] = esc_html__('Great! The new paths are loading correctly.', 'hide-my-wp');
    671671                    if(HMWP_Classes_Tools::getOption('prevent_slow_loading')){
    672                         $message[] = '<a href="' . esc_url(HMWP_Classes_Tools::getSettingsUrl('hmwp_advanced#tab=rollback', true) ) . '" target="_blank" style="word-break: break-word;line-height: 35px;font-weight: 700;">' . sprintf(esc_html__("You can now turn off '%s' option.", 'hide-my-wp'), __('Prevent Broken Website Layout', 'hide-my-wp')) . '</a>';
     672                        $message[] =  '<form id="hmwp_fixsettings_form" method="POST">
     673                                         '.wp_nonce_field('hmwp_fixsettings', 'hmwp_nonce', false, false).'
     674                                         <input type="hidden" name="action" value="hmwp_fixsettings"/>
     675                                         
     676                                         <div class="col-sm-12 p-0 my-2 switch switch-xxs" style="font-size: 0.9rem;">
     677                                            <input type="checkbox" id="prevent_slow_loading" name="prevent_slow_loading" onChange="jQuery(this).hmwp_fixSettings(\'prevent_slow_loading\',0);" class="switch" '. (HMWP_Classes_Tools::getOption('prevent_slow_loading') ? 'checked="checked"' : '') .' value="1"/>
     678                                            <label for="prevent_slow_loading">'.sprintf(esc_html__("You can now turn off '%s' option.", 'hide-my-wp'), __('Prevent Broken Website Layout', 'hide-my-wp')).'</label>
     679                                         </div>
     680                                       </form>';
    673681                    }
    674682                    wp_send_json_success(join('<br />', $message));
     
    678686
    679687            case 'hmwp_fixsettings':
     688
     689
     690
     691
     692
     693
     694
     695
     696
     697
     698
     699
     700
     701
     702
     703
     704
     705
     706
     707
     708
     709
     710
     711
     712
     713
     714
     715
     716
     717
     718
     719
     720
     721
     722
     723
     724
    680725            case 'hmwp_fixconfig':
    681726
    682                 wp_send_json_error(esc_html__('Could not fix it. You need to change it manually.', 'hide-my-wp'));
     727                $name = HMWP_Classes_Tools::getValue('name');
     728                $value = HMWP_Classes_Tools::getValue('value', null);
     729
     730                if (!in_array($name, array('WP_DEBUG', 'SCRIPT_DEBUG', 'DISALLOW_FILE_EDIT')) || !in_array($value, array('true', 'false')) ) {
     731
     732                    if(HMWP_Classes_Tools::isAjax()) {
     733                        wp_send_json_error(esc_html__('Could not fix it. You need to change it manually.', 'hide-my-wp'));
     734                    }
    683735                    break;
     736
     737
     738
     739
     740
     741
     742
     743
     744
     745
     746
     747
     748
     749
     750
     751
     752
     753
     754
     755
     756
     757
     758
     759
     760
     761
     762
     763
     764
     765
     766
     767
     768
     769
     770
     771
     772
     773
     774
    684775
    685776            case 'hmwp_securityexclude':
     
    860951                return array(
    861952                    'value' => $wp_version,
    862                     'valid' => version_compare($wp_version, $wp_lastversion, '=='),
     953                    'valid' => version_compare($wp_version, $wp_lastversion, '='),
    863954                    'version' => $wp_lastversion,
    864955                );
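Review bot: The allowlist checks added at new line 730 in the `hmwp_fixconfig` case use `in_array()` without the strict flag, so the comparison is loose; since `$name` and `$value` come from the request via `HMWP_Classes_Tools::getValue()`, pass `true` as the third argument: `if (!in_array($name, array('WP_DEBUG', 'SCRIPT_DEBUG', 'DISALLOW_FILE_EDIT'), true) || !in_array($value, array('true', 'false'), true)) {`. The rest of that case (new lines 736–774) and the whole `hmwp_fixsettings` body (new lines 688–724) are not rendered on this page, so whatever is done with the validated `$name`/`$value` — presumably a write to wp-config.php, given the constant names — cannot be reviewed here. The enclosing switch starts before the first hunk, so any nonce and capability check guarding these actions would be outside the visible lines; the `wp_nonce_field('hmwp_fixsettings', 'hmwp_nonce', false, false)` added at new line 673 suggests one exists for `hmwp_fixsettings`, and `hmwp_fixconfig` should be confirmed to be covered the same way. The `version_compare` change at new line 953 is functionally a no-op, since the function accepts both `'=='` and `'='`.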
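--- a/hide-my-wp/tags/5.2.04/models/Settings.php
+++ b/hide-my-wp/tags/5.2.04/models/Settings.php
@@ -277,5 +277,4 @@
             return;
         }
-
 
         //INSERT SEURITY RULES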
  • hide-my-wp/tags/5.2.04/view/SecurityCheck.php

    r3097017 r3115542  
    134134                                                <button class="btn btn-default rounded-0 px-3 float-right m-1" type="button" onclick="jQuery('#hmwp_securitydetail<?php echo esc_attr($index) ?>').modal('show');" ><?php echo esc_html__('Info', 'hide-my-wp') ?></button>
    135135                                                <?php
    136                                                 if (!$row['valid'] && isset($row['javascript']) && $row['javascript'] <> '' ){
    137                                                     ?> <button type="button" class="btn btn-warning mx-0 my-1 rounded-0 float-right  m-1" onclick="jQuery('#hmwp_ghost_mode_modal').modal('show')"><?php echo esc_html__('PRO', 'hide-my-wp') ?></button> <?php
     136                                                if (!$row['valid'] && isset($row['javascript'])){
     137                                                    if($row['javascript'] <> 'pro'){
     138                                                        ?> <button type="button" id="fix<?php echo esc_attr($index) ?>" class="btn btn-success mx-0 my-1 rounded-0 float-right  m-1" onclick="<?php echo esc_attr($row['javascript']) ?>"><?php echo esc_html__('Fix it', 'hide-my-wp') ?></button> <?php
     139                                                    }else{
     140                                                        ?> <button type="button" class="btn btn-warning mx-0 my-1 rounded-0 float-right  m-1" onclick="jQuery('#hmwp_ghost_mode_modal').modal('show')"><?php echo esc_html__('PRO', 'hide-my-wp') ?></button> <?php
     141                                                    }
    138142                                                }
    139143                                                ?>
     
    156160                            <?php } ?>
    157161                        </div>
     162
     163
     164
     165
     166
     167
     168
     169
    158170                        <div class="col-sm-12 text-right">
    159171                            <form id="hmwp_resetexclude" method="POST">
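Review bot: Dropping the `$row['javascript'] <> ''` guard at new line 136 means every invalid check whose `javascript` entry is the empty string now renders a "Fix it" button with an empty `onclick`, since `'' <> 'pro'` is true; the controller change in this same commit sets `'javascript' => ""` on several checks, so unless that value is populated before render those buttons do nothing. Keep the emptiness check and use strict comparison: `if (!$row['valid'] && isset($row['javascript']) && $row['javascript'] !== ''){` and `if($row['javascript'] !== 'pro'){`. `esc_attr()` on the `onclick` value at new line 138 is the correct escaping for the attribute context, though an inline handler built from a PHP string will be blocked under a Content-Security-Policy that omits `'unsafe-inline'`; a data attribute read by a delegated handler in the plugin's own script would avoid that. New lines 162–169 are not rendered on this page, so that addition cannot be reviewed.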